Facebook is said to be shopping for a security company

The social network giant Facebook is speculated to be close to acquiring a cybersecurity company to shore up its data protection capability.

In the wake of a massive security breach, in which 29 million users’ data were compromised, Facebook is desperately scrambling for a quick and effective solution. It now emerges that one way of doing so, in addition to working with the FBI, is shopping. The Information reported that, according to four separate sources, Facebook has approached several unidentified cybersecurity companies for acquisition. One source told the online technology publication that a deal with one of the target companies could be reached before the end of the year.

A professional security solution sourced from outside could help refresh Facebook’s internal measures, which might have overlooked vulnerabilities. The leak in late September, which was initially thought to have affected up to 50 million users, resulted from a coding loophole in the “View As” feature, which was attacked by an unknown party disguised as a third-party marketing company. Facebook later clarified that about 30 million users actually had their access tokens stolen, but that the attackers failed to gather information on 1 million of them.

On top of the technical expertise to be acquired, a high-profile purchase of a security company would also improve the perception that Facebook is serious about safeguarding user data. The company’s reputation has been repeatedly battered since the Cambridge Analytica scandal, prompting it to adopt a more aggressive PR strategy. After recruiting a high-calibre ex-politician to its team, adding a professional security solution to its toolkit would do no harm.

Brexit data contravention lands Facebook a £500,000 fine

The Information Commissioner’s Office (ICO), the UK’s data protection regulator, intends to fine Facebook half a million pounds for its failure to safeguard user data in the run-up to the country’s referendum to leave the EU in 2016.

After more than a year’s investigation, the ICO’s progress report published today (11 July) determined that Facebook breached the Data Protection Act 1998 through a lack of transparency “and security issues relating to the harvesting of data”. Facebook is due to present its case in front of the ICO later this month.

We asked Facebook for a comment and got this from Erin Egan, its Chief Privacy Officer: “As we have said before, we should have done more to investigate claims about Cambridge Analytica and take action in 2015. We have been working closely with the ICO in their investigation of Cambridge Analytica, just as we have with authorities in the US and other countries. We’re reviewing the report and will respond to the ICO soon.”

In addition to penalising Facebook with the highest possible sum in its jurisdiction, the ICO has also taken action against a string of parties suspected of having been involved in irregularities during the campaign:

  • An Enforcement Notice to cooperate with the investigation was sent to SCL Elections, affiliated with Cambridge Analytica, and steps are being taken to bring criminal charges against SCL Elections for its failure to comply with the Enforcement Notice;
  • Warning letters were sent to 11 political parties about the ways they buy and use voter data. Audits are planned for later this year;
  • An Enforcement Notice was sent to the Canadian data analytics firm AggregateIQ (AIQ), in cooperation with the Canadian authorities, demanding that it stop holding UK voters’ data;
  • Investigations into both the Leave and Remain campaigns are ongoing;
  • An audit of Cambridge University’s policy and process will be conducted. A recommendation to Universities UK was issued demanding that education institutions be more vigilant about the use of personal data gathered for academic research purposes versus academics’ private commercial interests.

In a certain sense, Facebook was fortunate with timing. Had the new GDPR been in place before the referendum, the ICO would have had the authority to hand out a fine of up to €20 million (£17 million).

Zuckerberg threatened with summons next time he enters UK

Damian Collins, Chair of the Digital, Culture, Media and Sport select committee, has given Facebook CEO Mark Zuckerberg two choices: testify voluntarily, or face a formal summons the next time he enters British jurisdiction.

The letter follows evidence given by Facebook CTO Mike Schroepfer to the select committee last week, which the lawmakers have deemed unsatisfactory. Attached to the letter was also a list of 39 questions Schroepfer was unable to answer, as the select committee attempts to get to the bottom of the Cambridge Analytica scandal.

“Following reports he [Zuckerberg] will be giving evidence to the European Parliament in May, we would like Mr Zuckerberg to come to London during his European trip,” the letter reads. “We would like the session here to take place by 24 May.

“It is worth noting that, while Mr Zuckerberg does not normally come under the jurisdiction of the UK Parliament, he will do so next time he enters the country. We hope that he will respond positively to our request, but if not the Committee will resolve to issue a formal summons for him to appear when he is next in the UK.”

Zuckerberg now has until May 11 to respond, and to show that he is not directly snubbing the UK government. Collins and his cronies might have had their egos dented when Zuckerberg sent one of his deputies to answer their questions, but the flexing of legislative muscles is almost certain to gain the attention of the Facebook CEO. Zuckerberg might be almost allergic to face-to-face discussions, but ignoring this letter could escalate into something of a PR disaster for the social media giant.

In terms of the unanswered questions, you do have to feel sorry for Schroepfer. The MPs have condemned the executive for not having the answers, but as Schroepfer mentioned several times during the briefing, he came prepared to answer questions specifically on the Cambridge Analytica scandal. This was what was requested of him. He was also very honest with the Committee; when he was not certain he said he would get back to them.

On several occasions, Collins asked Schroepfer to guess at an answer when he did not know, to which Schroepfer refused. What Collins was going to achieve through asking for a guess is beyond us. It seemed the MP was attempting to lure the executive into making inaccurate statements. Schroepfer did well to resist and acted completely appropriately, even if the MPs didn’t, almost mocking him on occasion. It was more of an immature chest-beating exercise to belittle a US executive than a useful inquiry.

There were several questions which Schroepfer should have been able to answer, namely those focused on the scandal, but some were not. And it wasn’t as if Collins was asking for information which is easily available. For example, Schroepfer is unlikely to know what percentage of websites on the internet have their users tracked by Facebook. Collins is talking about every website on the internet; it isn’t absurd for Schroepfer not to know the answer to this question. You can have a look at the full letter and questions below.

Zuckerberg should respond positively to this letter otherwise there is a risk of the situation escalating. It might prove to be a humbling and embarrassing experience for the CEO, as we imagine the MPs will have their sights set on patronising and demeaning him as much as possible as punishment for the earlier snub, but damage limitation is never a simple task.

FTC set to get in Facebook’s face, and its books

The US Federal Trade Commission has announced it is formally investigating Facebook’s privacy practices, which is unlikely to end well.

This was pretty inevitable given the spectacular amount of press surrounding the Cambridge Analytica stories. While it can be reasonably argued that it’s pretty naïve to be all shocked when you find out a social media company has been exploiting the personal data you willingly give it for profit, this scandal seems to have broken the dam on pent-up concerns about data privacy.

Again, that was bound to happen sooner or later. The rules on personal data have been made up on the fly because we’ve only had social media for a decade or two. It’s quite possible that Facebook has done nothing wrong in the legal sense but the world is now asking whether or not it should have been allowed to play so fast and loose with our digital identities regardless.

“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers,” said Tom Pahl, Acting Director of the FTC’s Bureau of Consumer Protection. “Foremost among these tools is enforcement action against companies that fail to honour their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act.

“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

The implication there is that Facebook made some specific vows to the FTC that it may have violated. Even if it hasn’t, this kind of non-public investigation (and surely there will be leaks) will allow the FTC to dig around as much as it wants. Since the origin of this story was the relatively benign matter of exploiting a loophole and then selling that data on, it seems improbable that further such transgressions won’t be uncovered.

This news alone has knocked the Facebook share price down another few percent, just as it’s trying to recover from its latest PR challenge. Over the weekend there was widespread reporting that Facebook has been gathering details of Android users’ contacts, including phone numbers and text messages. A BBC journalist was taken aback to find his entire contact list among the files presented to him when he downloaded all the data Facebook holds on him.

Facebook felt moved to defend itself on this specific count, insisting it has not been logging people’s call and text history without their permission. Apparently that is an opt-in feature for people using Messenger or Facebook Lite on Android, which you can opt out of whenever you want. Facebook also insisted it doesn’t collect the content of calls or texts and doesn’t sell any of this data on. Incidentally, your correspondent doesn’t seem to have opted into this feature.

The fact that Facebook is having to defend an opt-in feature that has been in place since 2015 shows how much this story has changed the rules of the game. People have become hyper-aware of how freely they agreed to surrender information to Facebook and are retrospectively indignant. Unless Facebook successfully addresses this sentiment its share price will probably continue to fall.

Facebook kicked out of Cambridge Analytica offices by UK government agency

Facebook seems to have missed its opportunity to get a handle on the Cambridge Analytica situation, having been told to stay out of its offices by the UK ICO.

Digital forensics firm Stroz Friedberg was hired by Facebook yesterday ‘to conduct a comprehensive audit of Cambridge Analytica,’ according to a Facebook announcement. Apparently CA was happy to give FB full access to its servers and systems, but the UK Information Commissioner’s Office, which is ‘sponsored by’ the governmental department for Digital, Culture, Media and Sport, had other ideas.

“On 7 March, my office issued a Demand for Access to records and data in the hands of Cambridge Analytica,” said Information Commissioner Elizabeth Denham. “Cambridge Analytica has not responded by the deadline provided; therefore, we are seeking a warrant to obtain information and access to systems and evidence related to our investigation.

“On 19 March, Facebook announced that it will stand down its search of Cambridge Analytica’s premises at our request. Such a search would potentially compromise a regulatory investigation.”

It’s not known how long FB, via its proxies, had access to CA’s files and how much investigating it managed to do, but being kicked out by the ICO is presumably a major inconvenience. One of FB’s major priorities must be to demonstrate that it did everything possible to ensure the data reportedly passed on by Kogan to CA was destroyed, and therefore minimise its liability for the subsequent outcry. Christopher Wylie, the main source for the scoops, has made it clear that he has no intention of helping FB out on this.

For the time being the main fork of the story seems to be focusing on how shocking it is that politicians will do anything they can to win elections. The UK’s Channel 4 seems to be part of the choreography designed to extract maximum mileage from this angle, and secured a hidden-camera scoop of CA execs boasting about all the underhand tactics they can help out with. You can see the full video report below.

Plenty of other commentators have reflected on how utterly unsurprising it is, both that FB seeks to monetise the data it is given by us as effectively as possible, and that politicians might seek to use that data to influence the electorate in their favour. But for the time being outcry is the order of the day and we can expect all manner of opportunists to exploit the opportunity to kick FB and CA while they’re down.

Meanwhile the other narrative fork, concerning data privacy, is fermenting nicely in the background. FB’s VP of AR/VR has issued a public Q&A apparently designed to address some of the questions arising from the story. One of the points he makes is that it’s no longer possible to extract data about the friends of people who have signed up to have their data harvested.

The NYT is reporting that FB’s Chief Information Security Officer – Alex Stamos – is leaving the company due to disagreements about how to handle this sort of thing, and FB’s shares fell 7% yesterday. There seems little doubt that this affair is going to lead to a lot more scrutiny of the social media business model and it will be interesting to see what kind of long-term remedies remain standing once the dust has settled.