Facebook's Latest Breach Illustrates The Limits Of GDPR

Another week, another security failure at Facebook. This week’s “bug” allowed the private photos of up to 6.8 million users to be improperly accessible to up to 1,500 different applications built by 876 different developers for nearly two weeks before the company noticed the security lapse and fixed it. Once again the company is merely “sorry this happened” but offering no monetary or other compensation to those users whose trust it violated. As Facebook racks up security failure after security failure, it raises the question of why users should continue to trust it with their data. Moreover, the company’s nearly two month wait to notify data protection authorities after it became aware of the breach, in spite of GDPR’s 72-hour notification requirement, reminds us that GDPR is far more limited than the public understands.

Facebook’s latest breach was a “bug” in its photo API that allowed third party applications to access a user’s private photographs without their permission. The bug was introduced in a software update on September 13 and the company first noticed and fixed the breach on the 25th. Yet, the company did not actually notify the affected users and the public until today, nearly three months later.

When asked why the company waited three months to inform users about the breach, a spokesperson offered that “we have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug. It then took us some time to build a meaningful way to notify people, and get translations done.”

Asked how the company would respond to criticism that the string of recent breaches suggests it either does not take security seriously or lacks the necessary security practices and experience to protect its users’ data, a spokesperson said they were working on a response, but had not responded by late this afternoon, despite several follow-up emails.

Inadvertent security bugs can be introduced at any company, but Facebook seems to have had an unusually large number of particularly severe failures affecting its core authentication and access control systems. A company of Facebook’s size could certainly afford to hire experienced security personnel, so the fact that these breaches keep occurring suggests it lacks the necessary security review workflows for new feature and update deployments.

Given that all of the breaches to date have involved user data, rather than source code or other key company-owned data, it also demonstrates that the company can certainly protect data it views as valuable, suggesting it does not regard the intimate private information of its users as being as important as its own information.

Most importantly, the fact that it took the company several months to determine the extent of the breach and who it might have affected reinforces that the company appears to lack the kind of security auditing workflow that is standard practice in the commercial sector. All companies of Facebook’s sophistication maintain extensive security audit logs that record the movement of data through their systems to the outside world. Compiling a list of images that were accessed during the two weeks of the breach by apps that did not have the correct permissions to see them should have been a simple matter of a single SQL query and a few minutes of compute time to have a complete exhaustive inventory of every affected image, application and user account.
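The audit-log triage the paragraph describes, as an added example that is not Facebook's code or schema: a constructed SQLite access log and per-app permission table (table and column names are assumptions), queried for every in-window access that no grant covers and reduced to an inventory of affected photos, apps and users.

```python
import sqlite3

# Assumed layout: one row per API photo fetch, and one row per
# (app, user, visibility) grant the user consented to.
SCHEMA = """
CREATE TABLE photo_access_log (
    ts TEXT, app_id INTEGER, user_id INTEGER, photo_id INTEGER, visibility TEXT);
CREATE TABLE app_permissions (app_id INTEGER, user_id INTEGER, visibility TEXT);
"""

# Constructed sample rows. User 1 granted app 10 timeline photos only;
# app 11 holds no grant from user 2 at all.
SAMPLE_LOG = [
    ("2018-09-12T23:00:00", 10, 1, 100, "timeline"),  # before the bug window
    ("2018-09-14T10:00:00", 10, 1, 101, "timeline"),  # covered by a grant
    ("2018-09-14T10:00:05", 10, 1, 102, "private"),   # not covered: the bug
    ("2018-09-20T08:30:00", 11, 2, 200, "private"),   # no grant at all
    ("2018-09-26T09:00:00", 10, 1, 103, "private"),   # after the fix
]
SAMPLE_GRANTS = [(10, 1, "timeline"), (11, 3, "timeline")]

# Window from the article: bug introduced Sept 13, fixed Sept 25 (year assumed).
WINDOW_START, WINDOW_END = "2018-09-13T00:00:00", "2018-09-25T23:59:59"

# The single query: accesses in the window with no matching grant.
UNAUTHORIZED_QUERY = """
SELECT l.ts, l.app_id, l.user_id, l.photo_id, l.visibility
FROM photo_access_log AS l
LEFT JOIN app_permissions AS p
  ON p.app_id = l.app_id AND p.user_id = l.user_id AND p.visibility = l.visibility
WHERE l.ts BETWEEN ? AND ? AND p.app_id IS NULL
ORDER BY l.ts
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO photo_access_log VALUES (?,?,?,?,?)", SAMPLE_LOG)
    conn.executemany("INSERT INTO app_permissions VALUES (?,?,?)", SAMPLE_GRANTS)
    return conn

def unauthorized_accesses(conn, start=WINDOW_START, end=WINDOW_END):
    return conn.execute(UNAUTHORIZED_QUERY, (start, end)).fetchall()

def breach_inventory(conn):
    """Distinct photos, apps and users touched by unauthorized accesses."""
    rows = unauthorized_accesses(conn)
    return {"photos": sorted({r[3] for r in rows}),
            "apps": sorted({r[1] for r in rows}),
            "users": sorted({r[2] for r in rows})}

if __name__ == "__main__":
    print(breach_inventory(build_db()))
```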

Instead, it apparently took the company more than two months to determine who might have been affected. Asked why it took two months to understand a breach that should have taken a day at most to understand, the company did not respond.

A spokesperson said that “We told the [Irish Data Protection Commissioner] on Nov 22nd after we had determined it was a reportable breach.” In short, Facebook waited nearly two months after it became aware of the breach to actually notify the IDPC (which is its relevant DPC) that a breach had occurred. Yet, GDPR requires that companies notify their relevant DPC within 72 hours of becoming aware of a breach.

Asked about this apparent discrepancy, the spokesperson offered that “We notified the IDPC as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72 hr timeframe.”

In short, Facebook has interpreted GDPR’s 72-hour notification rule to apply only after a company has decided that a given breach requires reporting, rather than after the company is aware that there is a breach. In this case Facebook took nearly two months to decide that the scope of the breach meant it had no choice but to report it and considers the 72-hour window to have begun only after it made that determination.

This raises the question of whether there are limits to how long a company can take to determine that a breach requires reporting. Could a company theoretically take years to decide that a breach must be reported? If a company can take two months to decide a breach requires reporting, could it just as easily take two years or even five years? In essence, if companies are free to take their time deciding whether to report breaches, they could effectively never report a single breach, simply by arguing that they need decades to make a determination.

There is the further issue that even after notifying the IDPC, Facebook took nearly an entire additional month before it notified the general public.

Asked for comment on the Facebook breach, the IDPC’s Head of Communications Graham Doyle said that “The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”

However, when asked whether, in the general case unrelated to the current Facebook breach, the IDPC enforces any kind of limit on the amount of time companies have between becoming aware of a breach and the start of the 72-hour reporting window, the IDPC said it could not comment at this time. Asked whether there are any European Union-wide standards, a spokesperson for the European Commission confirmed that each individual DPC is responsible for interpreting GDPR.

In many ways the current Facebook breach offers a textbook example of what happens when governments attempt to regulate technology companies. Those companies ensure through their armies of lobbyists and the technical illiteracy of many lawmakers that the final regulations offer enough exemptions and vagaries that they pose little inconvenience to the companies they supposedly regulate.

In fact, in the case of facial recognition, GDPR actually removed many of the privacy protections that had historically prevented Facebook from deploying facial recognition across Europe, offering the company a major win against privacy and data protection.

In the case of GDPR, Facebook’s interpretation of the law is that from the moment it becomes aware of a breach, it has an unlimited amount of time to decide whether the breach should be reported and only after it decides to report the breach does GDPR’s 72-hour mandated reporting window become effective. In the current case Facebook took two full months to decide, but it is unclear whether it could just as easily have taken two years to decide.

To the general public, GDPR has been portrayed as requiring companies to rapidly report data breaches within 72 hours. In reality, at least one major company appears to believe that those rules only apply after it decides to report a breach and that it alone can decide how long to wait before the 72-hour window begins. While the IDPC appears to raise questions about this interpretation, it also stopped short of directly refuting it or offering a maximum time limit for companies to decide whether a breach should be reported and hence when the 72-hour window begins.

Putting this all together, Facebook’s latest breach once again calls into serious question its ability to safeguard the private data of its two billion users. That nearly all of its breaches to date have involved user data, rather than company data, shows that it is quite capable of safeguarding data it values, suggesting it does not invest sufficiently in protecting user data. The fact that it took the company nearly two months to research the breach shows it lacks the necessary security audit workflows to rapidly triage breaches, raising even further questions about its security and safety investment. Finally, the fact that Facebook believes it has an unlimited amount of time between becoming aware of a breach and deciding when GDPR’s 72-hour reporting window begins shows the reality of just how limited GDPR is in practice. Only time will tell whether the IDPC decides to add teeth to GDPR’s regulations or whether it capitulates to the demands of the tech companies and gives them free rein to decide whether and where they want GDPR to apply to them.

In the end, GDPR seems destined to fall into the dustbin of all past tech regulation: mere words on paper, rather than real regulation.