Last week, Facebook disclosed an unprecedented data breach. You could be forgiven for forgetting — Facebook disclosed the news on Friday, right as the Senate was preparing to vote on controversial Supreme Court nominee Brett Kavanaugh. But you might also not remember because Facebook is doing its damnedest to not tell you about it.
To recap: A series of vulnerabilities related to the site’s “View as …” feature, which lets you preview how your profile appears to someone else, allowed hackers to steal access tokens that would then give them control of other users’ accounts. They could then repeat the process using those ill-gotten tokens. In total, Facebook discovered that 50 million users had been exposed. Facebook reset the tokens, logging those users out everywhere, in web browsers and apps. As a precaution, another 40 million who had used the feature since the vulnerability was introduced were also logged out. All in all, 90 million people, roughly 5 percent of Facebook’s user base, were possibly affected by the problem.
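The remediation described above, resetting access tokens so that stolen copies stop working everywhere and logging out a precautionary cohort as well, can be illustrated with a small added Python example. It is not Facebook’s code; the TokenStore class, the token ids and the user ids are constructed for the illustration.

```python
"""Added example (not Facebook's code): bulk access-token revocation as an
incident-response step. It models the remediation described in the article:
revoke every token of confirmed-exposed users across all clients, and do the
same for a precautionary cohort. All names and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass
class AccessToken:
    token_id: str
    user_id: int
    client: str        # e.g. "web" or "android"; "logged out everywhere" means every client
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for a session/access-token database (hypothetical)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, AccessToken] = {}
        self._by_user: Dict[int, Set[str]] = {}

    def issue(self, token_id: str, user_id: int, client: str) -> AccessToken:
        tok = AccessToken(token_id, user_id, client)
        self._tokens[token_id] = tok
        self._by_user.setdefault(user_id, set()).add(token_id)
        return tok

    def is_valid(self, token_id: str) -> bool:
        # Unknown and revoked tokens are both rejected. Because the check is
        # server-side, a copied token stops working the moment it is revoked.
        tok = self._tokens.get(token_id)
        return tok is not None and not tok.revoked

    def revoke_all_for_users(self, user_ids: Iterable[int]) -> int:
        """Revoke every token of every listed user, on every client.
        Idempotent: already-revoked tokens are not counted again."""
        count = 0
        for uid in set(user_ids):
            for tid in self._by_user.get(uid, ()):
                tok = self._tokens[tid]
                if not tok.revoked:
                    tok.revoked = True
                    count += 1
        return count


def respond_to_token_exposure(store: TokenStore,
                              exposed: Set[int],
                              precautionary: Set[int]) -> Dict[str, int]:
    """Log out confirmed-exposed users and, as a precaution, everyone who used
    the affected feature during the exposure window. The cohorts may overlap."""
    return {
        "exposed_users": len(exposed),
        "precautionary_users": len(precautionary - exposed),
        "tokens_revoked": store.revoke_all_for_users(exposed | precautionary),
    }


def demo() -> Dict[str, object]:
    store = TokenStore()
    # Constructed sample: user 1 is confirmed exposed and logged in on two
    # clients, user 2 only used the feature in the window, user 3 is unaffected.
    store.issue("t-1-web", 1, "web")
    store.issue("t-1-app", 1, "android")
    store.issue("t-2-web", 2, "web")
    store.issue("t-3-web", 3, "web")
    summary = respond_to_token_exposure(store, exposed={1}, precautionary={1, 2})
    still_valid = sorted(t for t in ("t-1-web", "t-1-app", "t-2-web", "t-3-web")
                         if store.is_valid(t))
    return {"summary": summary, "still_valid": still_valid}


if __name__ == "__main__":
    print(demo())
```

The design point is that revocation is keyed on the user, not on the individual token: a defender does not know which copies of a token an attacker holds, so every session of an affected user is invalidated at once, and the operation is idempotent so overlapping cohorts can be processed without double counting.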
Facebook is still determining whether the access credentials were used improperly, so there’s not really a good sense of the consequence of this breach yet, but needless to say, it’s not good. The vulnerability was created in July of 2017, more than a year ago. Gigantic tech companies rarely suffer this kind of security exploit, and by its own account, Facebook discovered, patched, and publicly disclosed the problem in less than a week.
But unless you were closely following tech news last week (and let’s assume a lot of people weren’t), you might not know about this unprecedented situation. That’s because Facebook has, as far as I can tell, only done two things: talk to the press and put a vague message at the top of affected users’ feeds. No emails, no contacting users outside of the Facebook ecosystem. In order to find out that your account was compromised, you need to log back into the compromised account.
This is fundamentally different from the Cambridge Analytica scandal, which demonstrated that Facebook’s lax policies had enabled third parties (that users had approved) to obtain user data, and then those parties later sold that data to others without users’ knowledge. That situation was Facebook mostly working as intended — a problem of policy more than one of technology. The new issue is a problem of technology.
On a follow-up call last Friday to discuss the more technical aspects of the breach, Facebook VP of product management Guy Rosen explained that the News Feed alert was the best way to notify these millions of users “at scale.” In layman’s terms, according to Rosen, it was technologically easier to put a note at the top of the News Feed instead of sending out 90 million emails. I’m not an engineer, so I can’t really weigh in on that particular assertion, but I would say that the alert on its own was not an adequate notification.
The alert, titled “An Important Security Update,” reads, “[Name], your privacy and security are important to us, we want to let you know about a recent action we’ve taken to secure your account.” There is no iconography other than the Facebook logo. It does nothing to signal that Facebook has been the victim of a large-scale cybersecurity attack. Instead, it’s couched in the type of bland, clinical language used to recommend security audits and reminders to change your password. It conveys no wrongdoing on Facebook’s part, or even a hint of concern for users. It took more than a day after the news broke for me to receive my alert.
On top of the notice being intentionally boring and relatively inconspicuous, you could also only click it once. When I clicked on “Learn more,” the box immediately vanished from my News Feed. I guess it was one-time use. That means there is no permanent record of Facebook directly informing users of the most significant security breach in company history. Judging by Facebook’s past behavior of trying to skirt responsibility, I would guess that this is by design. While the root of the new vulnerability is different from Cambridge Analytica, Facebook’s response has been similar: Spin the issue and cloud Facebook’s role in the data breach, trying to attract as little attention and culpability as possible.
Back in April, Mark Zuckerberg admitted to the Senate that not notifying the government or users affected by Cambridge Analytica when the issue was discovered in 2015 was a mistake. He said that “in retrospect, I think we clearly viewed it as a mistake that we didn’t inform people and we did that based on false information that we thought that the case was closed and that the data had been deleted … Knowing what we know now, we should have handled a lot of things here differently.” He also told the Senate that Facebook has a duty to inform users if the service was ever hacked.
It’s debatable what constitutes handling things “differently” now. Facebook notified government authorities of the recent breach (in compliance with new European regulations), but is only notifying users once over a single communication channel. Maybe it’s better than nothing, but it’s not what I’d call comprehensive or proactive. Facebook has your email address, it probably has your phone number, it can send you a push notification, and maybe it has your home address, too. The company could use phrasing that explicitly says that there was a breach, and not just allude to vague security measures. Instead, it just put a little box in your News Feed, indistinguishable from anything else. Old habits seem to die hard for Mark Zuckerberg.