There seems no end in sight to the Facebook privacy saga. Facebook first revealed that up to 87M people may have had their data harvested by Cambridge Analytica, 71M of them Americans.
The political consultancy denies this, TechCrunch reporting that it claims to have licensed data for up to 30M people, and saying that none of this data was used to help the Trump campaign …
Whether the true number is 30M, 87M or somewhere in between, Facebook says that ‘malicious actors’ used search tools on the site to collect data on most of the network’s two billion users. Potentially, that data could be used to help with identity theft attempts.
Facebook until recently allowed you to search for contacts on Facebook by entering their email address or phone number. This would then take you to the user’s public profile, which typically displays a photo and hometown. You can generally then click through to past profile and cover photos, family members on Facebook, reviews posted by the user and public groups to which they belong.
The company says that bad actors started by obtaining email addresses and phone numbers on the so-called Dark Web, then searched Facebook for those details to gather additional data. CEO Mark Zuckerberg said that the scale of this activity was such that almost every user would have had their public profile data scraped in this way.
Everyone has a setting on Facebook, that controls — it’s right in your privacy settings — whether people can look you up by your contact information. Most people have that turned on, and that’s the default, but a lot of people have also turned it off. So it’s not quite everyone, but certainly the potential here would be that over the period of time that this feature has been around, people have been able to scrape public information. The information—that if you have someone’s phone number, you can put that in, and get a link to their profile which pulls their public information. So, I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way.
The company said that it did have in place basic protections against this type of activity, like limiting the number of searches from a given IP address, but sophisticated attackers ‘cycled through […] hundreds of thousands of IP addresses.’ It has now blocked such searches altogether.
Facebook also revealed that it can monitor the content of private messages sent using Messenger, but this is only done by human moderators when a message recipient reports abuse. Automatic tools are, however, routinely used to check for illegal photos and malicious links, reports Bloomberg.
“For example, on Messenger, when you send a photo, our automated systems scan it using photo matching technology to detect known child exploitation imagery or when you send a link, we scan it for malware or viruses,” a Facebook Messenger spokeswoman said in a statement. “Facebook designed these automated tools so we can rapidly stop abusive behavior on our platform.”
Zuckerberg said that the #DeleteFacebook campaign so far hadn’t resulted in ‘any meaningful impact,’ but that the company still recognized that it had been guilty of ‘a massive breach of trust.’
Many people use the ‘login via Facebook’ option offered to them by apps and websites, and some of these have now stopped working, likely as a result of security measures made by the social network. Buzzfeed reports that Tinder users were for a time unable to login via Facebook, and were then put into an endless loop preventing them from using an alternative login method. This has since been fixed.
Zuckerberg is due to testify before Congress on April 10-11, as Australia joins the list of countries to open investigations into whether privacy laws were breached.