For over a decade, Facebook has invaded people’s lives and changed completely the way people communicate, network and share information. It’s the world’s most popular social networking website, which allows millions of users every minute to post comments, share content (like photographs and video), post interesting information (like news and articles), as well as chat, live with friends and colleagues. These functionalities are gradually expanding: for example, during the last couple of years, Facebook makes it possible to order food and to conduct other types of e-commerce transactions.
Recent Facebook statistics are simply breathtaking: There are over 2 billion monthly active users on Facebook, including 1 billion daily active users. The scale of these numbers becomes evident when compared to other platforms of the social networking ecosystem e.g., Instagram has 700 million monthly active users, while Twitter has more than 330 million monthly active users. Moreover, it can be safely said that Facebook is the community of the younger generation as 88% of the population of people using the platform are aged 18-29 years. Combined with Facebook’s stock value evolution, these stats show that the platform has a very bright future.
Nevertheless, a serious data protection incident was revealed earlier this year, which questioned Facebook’s credibility and raised concerns about the impact and implications of its future growth. In particular, as part of the notorious Cambridge Analytica scandal, raw data from many millions of Facebook profiles was leaked to a political consulting firm and this data was (ab)used as part of the political campaign. This data breach incident is not the first and the sole one on the Internet as they have been several similar incidents on other popular platforms like Yahoo, Uber, and Instagram. However, due to the size of the Facebook platform and the volume of data involved, it has attracted great attention by the media and public.
Cambridge Analytica Case Explained: The Facts
The Cambridge Analytica case involved the exposure of Facebook data to a researcher who was a member of the team which was in charge of political campaign. The exposure was partly based on the development of a quiz-like Facebook app, which was able to collect data from all people (i.e. Facebook profiles) who took the quiz. However, the leak happened when the app was also able to collect data from the Facebook profile of the friends of quiz takers, which increased the amount of data that were collected and later processed. Speaking in numbers, it is estimated that the quiz was taken by approximately 2,70,000 users, while the profiles that leaked ended up being nearly 87 million(!). Note that access to these additional profiles was made possible due to a security hole in Facebook’s API. While Facebook prohibited any sales or commercial exploitation of the data acquired through this API method, Cambridge Analytica went on exploiting these data.
Facebook’s Involvement and Reaction
As in most cases of security, privacy, and data protection issues, the ethical analysis is pretty complex: Multiple stakeholders are involved with different roles and actions, which violated laws and ethical rules in various ways. However, despite the unlawful and unethical activity of Cambridge Analytica, the case revealed problems and vulnerabilities of Facebook as well. This was clearly acknowledged by Facebook founder and CEO Mark Zuckenberg, who accepted Facebook’s responsibility and mentioned that the company has been doing a thorough root-cause analysis to find out what had happened. He also asserted that Facebook was intensively working to close any security and privacy holes, as a means of ensuring that similar incidents won’t happen in the future.
Despite immediate and positive reaction by the company, the Cambridge Analytica case revealed internal and external weaknesses of the social networking giant:
- Internally, a conflict between the goals of security teams, legal/privacy teams, and sales teams was revealed. These teams have to pursue conflicting goals and eventually end-up arguing instead of collaborating. Finding the right balance across all the different interests remains a challenge.
- Externally, it became evident that when arbitrarily large volumes of data are collected within the private cloud of an IT giant, it’s highly likely that users’ privacy is compromised, as data breaches and other security incidents cannot be ruled out. The centralized management of large volume of data creates security and privacy vulnerabilities that are quite difficult to remedy.
While Facebook is working on the above-mentioned issues, it has recently i.e. during September 2018, faced one more attack on its computer network, which has resulted in the exposure of the personal information of nearly 50 million users. This is considered the largest direct security breach in the company’s history. It was based on the exploitation of a security vulnerability in Facebook’s code by attackers that gained access to user accounts and in some cases, they took control of them. This major security incident came on top of the Cambridge Analytica scandal to remind the community that their Facebook data are not secure.
Overall, following these cases, there is an on-going debate about whether users can trust Facebook to store and manage their personal data. This debate highlights the important role of Facebook developers and apps which could be able to exploit holes in the security system of the platform that could lead to data breaches. It has also given rise to an immense debate about the measures needed to avoid similar episodes.
Measures to Avoid Similar Incidents
As part of this brainstorming, the following protection and preventive measures can be listed:
- Review Facebook Apps: Facebook Apps must be reviewed about a potentially suspicious activity. This should be done especially for data-intensive applications that access very large amounts of data. Suspicious apps must be removed.
- Automatic Turn-off of Apps: Apps that have not be used for a specified period of time (e.g., 2-3 months) could be automatically removed in order to increase the protection of the user.
- Facilitate Reports about Apps and Developers: Facebook provides the means for reporting suspicious apps and developers, notably apps that access large amounts of data on the social networking platform and use them in strange ways.
- Frequent Changes to Facebook Logins in the case of Apps: Changes to the users’ credentials that are used for accessing apps, including their differentiation from standards Facebook credentials provides a basis for better control to users’ information by the apps. Moreover, tools and techniques that control which information is accessible by the apps can also safeguard users’ privacy.
- Alerting users about security incidents: Whenever a potential security breach is identified, a notification or an alert shall be sent to users as a protection measure.
- Reducing the amount of personal data that are exposed in the platform: Users should be trained to minimize the amount of personal information that they expose in the platform. This might also mean deactivating some functionalities and services such as location-based services.
These measures refer to what the platform and its users can do to protect themselves from future breaches. However, there is also a discussion about new social networking platforms, which could decentralize data storage and processing in order to avoid large volumes of data to be controlled by a single administrative entity. In this direction, some researchers are experimenting with blockchain-based networks that decentralized data ownership and enable end-users to retain control of their personal data in all cases. While such models can be promising, they are still at the research stage. Therefore, users must practice caution while using social media platforms until stable and secure security methodologies are implemented.