This blog post examines the Facebook and Cambridge Analytica Data Breach news, asks what might change at Facebook and discusses whether users or organisations are responsible. It also examines whether data portability or security is the priority and sets out some basic questions web application vendors need to ask of their data security policies.
When it was revealed that a company connected to President Trump's 2016 campaign, Cambridge Analytica (CA), had been able to access data from 50 million Facebook accounts, and that Facebook had suspended their (and SCL's) accounts, you may have noticed one of three things, depending on your normal habitat:
It's difficult to wrap your brain around the numbers, yet if Facebook was a country, its population statistics would lag behind only China and India. This is no small matter.
Zuckerberg revealed in the CNN interview that they had over 15,000 people working on security, though he warned security was not something that could be solved 100%. And, he was at some pains to point out that, while users can take advantage of targeted advertisements that are based on coveted demographics, Facebook does not actually sell that data – a common enough accusation levelled at many organisations with a similarly gargantuan user base.
Zuckerberg outlined the remediation activities that would now be put in place:
So far, so good – if staggeringly scant in detail, given the epic size of his security team.

For all such organisations, not just Facebook, we would like to see:
Flipping things right around, let's think like a consumer for a second. How many times a week do you willingly hand over data to someone?
The web security industry is singing from the same hymn sheet, at least on this point. Consumers simply cannot have the entire weight of their own data security resting on their shoulders. It is up to application developers and vendors to ensure that what they develop is, in the first instance, Security by Design (a concept outlined in the EU's new GDPR regulations), takes account of Personal Data, and provides regular updates.
Data portability is the concept that while data may be collected by one organization for one purpose, it may later be used by the same (or another) organization for a related, or entirely different, purpose – something we rely on every day. This accepted practice is standard within law enforcement and emergency services, for example, where, in certain extreme circumstances and within defined parameters, organisations can contact the authorities to help them pinpoint and investigate someone who may have expressed violent intentions on a web forum. Yet, on the other hand, while laws abound around data use and security, individuals and organizations can, and do, flout those parameters and regulations with alacrity.

Ask any one of our Security Researchers this question, and the answer on which takes precedence is going to be: Data Security, no doubt.

Yet if we all want the freedom offered by our smartphone apps, and organizations want the convenience of sharing data to offer other services to their partners' consumers, we have to be willing to understand that our data is shared – many times with permission we granted years ago, and not just in emergency situations.

And, as technology companies, perhaps we need to become much more adept at recognising when an opportunity we present to partners (access to reams of personal data) might just be too good to pass up. The GDPR regulations that all organizations handling data belonging to EU citizens must adhere to require not only that organizations identify and manage their own and customers' data securely, but that they investigate in detail how their partners, and those with whom they share data, handle it, and ensure that they comply with the same regulations.
Did Facebook conduct due diligence in this case?

Further, do we, as organisations, have written policies, clear procedures and regular training for staff, contractors, developers and partners, to ensure that everyone who has access to personal and other data knows how it must be handled and follows those procedures? Do we have further procedures for discovering when this is not the case?
As web applications increase in complexity, vendors have to consider the technical specifications, a robust and functional, yet appealing, UI, and code that is free of bugs. One of those specifications often concerns user permissions – who has access to the web application and to what level. When that permission model exposes the web application, its users and their data, the result is often a logical vulnerability, and one of the most easily recognised types concerns access control. The reason that automated scanning tools are unable to detect these vulnerabilities is simply that, while logic and decision making are involved, who should be allowed to do what is a business decision, made by someone familiar with the practices of the industry and the organization in particular, as well as with the web application itself.

Next month, the EU regulations will require all organizations that handle data belonging to EU citizens to adhere to fairly straightforward rules concerning who has access to the Personal Data we acquire from individuals and manage on their behalf. Organisations need to be able to answer the most simple of questions:
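As an added illustration of the access-control point above (example code written for this post, not code from Facebook or any real application; the users, roles and profile records are constructed sample data), the two handlers below return identical-looking successful responses to a scanner, and only the business rule encoded in `is_allowed` tells them apart:

```python
# Added example: an object-level access-control check, vulnerable form beside the
# hardened form. All users, roles and records are constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "member" or "admin" (roles assumed for this example)


# Constructed sample data: each profile belongs to exactly one user.
PROFILES = {
    1: {"owner": 1, "email": "alice@example.invalid", "dob": "1990-01-01"},
    2: {"owner": 2, "email": "bob@example.invalid", "dob": "1985-06-15"},
}


class Forbidden(Exception):
    """Raised when an authenticated user is not authorised for the record."""


def get_profile_vulnerable(requester: User, profile_id: int) -> Optional[dict]:
    """Authenticated but not authorised: any logged-in user can read any profile
    simply by changing the id. A scanner sees a valid, well-formed response and
    has no way to know that member 1 reading profile 2 breaks the business rule."""
    return PROFILES.get(profile_id)


def is_allowed(requester: User, profile: dict) -> bool:
    """The business rule, stated in one place: owners may read their own profile,
    admins may read any. This is the decision a person, not a tool, has to make."""
    return requester.role == "admin" or profile["owner"] == requester.user_id


def get_profile_secure(requester: User, profile_id: int) -> Optional[dict]:
    """Same lookup, but the authorisation check runs on the fetched record
    before anything is returned to the caller."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return None  # nothing to leak: behave like a 404
    if not is_allowed(requester, profile):
        raise Forbidden(f"user {requester.user_id} may not read profile {profile_id}")
    return profile


def demo() -> tuple:
    """Horizontal case: member 1 asks for profile 2. Returns (leaked, blocked)."""
    alice = User(1, "member")
    leaked = get_profile_vulnerable(alice, 2) is not None
    try:
        get_profile_secure(alice, 2)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked
```

Testing this rule means writing the expected outcome of each (role, record) pair by hand, which is exactly the knowledge a generic scanner lacks.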
Mark Zuckerberg announced that he was willing to testify in any U.S. government inquiry into the reported breach. He has also stated that he was not opposed to regulation of his social media company, and has recognised that Facebook needed to be more publicly accountable. Many might add that such organisations should know the details of what partners and developers are doing on their behalf. In light of this latest breach, along with the infamous Equifax, Apache and Grammarly incidents, let's hope none of us end up in the unenviable position of all the organisations involved – realising what damage such an epic breach can do to our brand, not to mention the unknown, individual consequences of the breach of all types of personal data.