The question of whether Facebook will face any regulatory approval on the latest massive historical platform privacy fails to come to light. But for the tech giant, the deadline for the incident is a strange feeling.
While it initially suggested playing out a disclosure of a data breach published by Business Insider over the weekend, with information such as people’s birthdates and phone numbers “outdated”, the tech giant finally revealed in a blog post late last night that the question The data was actually scraped from its platform by malicious actors “2019” and “before September 2019”.
New details about the timing of the incident raise the issue of compliance with Europe’s General Data Protection Regulation (GDPR) – which came into application in May 2018.
Data controllers under EU regulation can face fines of up to 2% of their global annual turnover for failures to notify breaches and up to 4% of annual turnover for more serious compliance violations.
The European Framework seems important as Facebook blamed itself against historical privacy issues in the US when it settled with the FTC for $ 5BN in July 2019 – although that still means several months (June to September 2019) Is a period that may fall outside that colony.
Yesterday, in its own statement in response to Breach’s revelations, Facebook’s chief data observer in the European Union stated that the provenance of the newly published dataset was not entirely clear, writing that “The original 2018 (pre-GDPR) dataset appears to be included ”- a previously reported breech incident in 2018 was reported by Facebook to be related to a vulnerability in its phone lookup functionality which it said was from June 2017 to April. Has occurred between 2018 – also writing Newly published datasets are also “concatenated with additional records, which may be of later period”.
Facebook followed the Irish Data Protection Commission’s (DPC) statement confirming that suspicion – acknowledging that data had been extracted from its platform in September of that year in 2019.
Another new detail revealed in Facebook’s blog post yesterday was that users’ data was scrapped not entirely through the aforementioned phone lookup vulnerability – but by another method: a contact importer tool vulnerability.
The route allowed unknown “malicious actors” to use software to mimic Facebook’s app and upload large sets of phone numbers, so that people could match Facebook users.
In this way a spammer (for example), can upload a database of potential phone numbers and link them to other data such as not only the name, but date of birth, email address, location – to fish with you all better.
In its PR response to the breech, Facebook quickly claimed that it had fixed the vulnerability in August 2019. But, again, this time actively keeps the event in the GDPR period.
As a reminder, Europe’s data protection framework has a data breech notification regime, which requires data controllers to notify a relevant supervisory authority if they believe that the loss of personal data can affect users’ rights and There is a possibility of posing a risk to freedom – and to do so without delay (ideally within 72 hours of finding out about it).
Still made facebook No disclosure of this incident to DPC. Indeed, the regulator yesterday made it clear that it would have to Full activity Get information from facebook In view of BI’s report. This is in contrast to how EU MPs acted as a regulator.
Meanwhile, data breaches are broadly defined under GDPR. This means personal data is lost or stolen and / or accessed by unauthorized third parties. This may be related to intentional or accidental action or inaction by the data controller that exposes personal data.
Legal risks associated with breech explain why Facebook avoided describing this latest data security failure, in which more than half of users’ personal information was posted on the online platform as a ‘breech’ for free download.
And, in fact, why it has been sought to diminish the importance of leaked information – dubbing people’s personal information “old data”. (Even some people change their mobile numbers, email addresses, full names and biographical information etc. on a regular basis, and no one (legally) gets a new birth date…)
Instead, its blog post refers to the scrap of data; And being scraping is “a common strategy that often relies on automated software to pick up public information from the Internet that can be distributed in online forums” – explicitly stating that personal information is available on its contact importer tool Was leaked through somehow public.
Facebook is pushing its own suggestion here that crores of users have published sensitive items like their mobile phone number on their Facebook profile And Default settings on their accounts – whereby this personal information is available for ‘privately scraping / no longer private / open by data protection law’.
This is clearly absurd as an argument because it is vicious for the rights and privacy of the people. There is also an argument that the EU’s data protection regulators should quickly and surely reject or allow Facebook (AB) to acquire very fundamental rights to use its market power , Which is the sole purpose of regulators to defend and maintain.
Even though some Facebook users affected by this breech have their information exposed via the contact importer tool, as they have not changed Facebook’s privacy-hostile omissions that still raise important questions of GPDR compliance – because of regulation Data controllers are also required to adequately protect personal data and design and enforce confidentiality by default.
Facebook has allowed millions of accounts to keep their information independently protected by spammers (or whoever), not like good security or default privacy.
In short, it is the Cambridge Analytica scam.
Facebook is trying to continue with being terrible at privacy and data protection because it has been so terrible at it in the past – and probably feels confident keeping this strategy in mind as it is relatively relentless to the endless parade of data Scams have suffered fewer regulatory approvals. (A one-time $ 5BN FTC penalty for a company exceeds $ 85BN + in annual revenue, this is just another business expense.)
We asked Facebook why it failed to notify the DPC about this 2019 breech back in 2019, when it came to know that people’s information is once again being maliciously removed from its platform – or, indeed , Why did it not bother to tell self-affected Facebook users? But the company declined to comment beyond what was said yesterday.
It then reported that it would not comment on its communication with regulators.
Under GDPR, if a breach poses a high risk to users’ rights and freedoms, a data controller is required to notify affected individuals – with the rationale being that quick notice of the threat exposes people to their risks. Can help you take steps to protect yourself. Data is being breached, such as fraud and ID theft.
Yesterday Facebook also said that it does not have plans to notify users.
Perhaps the company’s trademark ‘Thumbs Up’ symbol would be more appropriate which would be picked up on everyone as Middle Finger.