Analysing Facebook data breach and its far-reaching implications
With the growing adoption of social media, the security of users’ data is becoming a major area of concern for all stakeholders. The recent security breach at Facebook that compromised the personal data of 50 million users shows how vulnerable these platforms are to hack attacks. In this latest case, attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else.
Now media reports state that Facebook’s chat messenger has been compromised and messages are being sent to people on the users’ friend list asking for money.
This comes at a time when Facebook is still reeling under the massive data breach from its former vendor Cambridge Analytica.
Facebook is by no means the only organisation to be hit by data breaches of this nature; however, the implications are far-reaching as it is the largest social network – 2 billion monthly users as of 2018 and over 1 billion active daily users (constituting 28 per cent of the world’s population).
According to media reports, this incident could cost Facebook as much as €1.63 billion in European countries that come under the purview of the General Data Protection Regulation (GDPR). Whether or not this comes to pass, this incident might give an impetus to other countries to adopt similar laws.
Such regulations are a big win when it concerns the security of the user, but could negatively impact the growing technology sector in our country. Currently, India is in the midst of instituting a Data Protection Bill to protect the financial data of users involved in e-commerce transactions.
According to the Internet and Mobile Association of India (IAMAI), the first challenge arising from the proposed Bill is that of collecting and processing such vast amounts of data. Facebook is facing a similar problem, as monitoring the data of 2 billion users is no easy task.
Adgully spoke to a cross section of digital experts to gauge the implications of such a data breach.
Concerns regarding security
According to Rishi Sen, Chief of Staff, The 120 Media Collective, there is a limit to what an organisation can do to prevent such attacks. He added, “One really couldn’t be completely sure. Organisations get hacked all the time. Shape Security, a cyber-security firm, reported that almost 90 per cent login attempts made on online retailers’ websites are hackers using stolen data.”
At the same time, he stressed, “It is absolutely crucial that Facebook sets stronger security processes in place to avoid such situations, but then again, going by Shape Security’s research, so should everyone else.”
Shradha Agarwal, COO, Grapes Digital, stipulated that the responsibility lay with Facebook to prevent such a breach. She observed, “On the one side Facebook says that it is building AI tools to keep a watch on leaks, closing APIs, banning media accounts to avoid this, and on the other side we read about scandals and articles of Facebook sales guys going to various unofficial parties where they could upsell Facebook for marketing. This makes me feel that the effort or news in media is a brim of dust. They are safeguarding their interests and not the users.”
According to Agarwal, the best safeguard that works in India is imposing a penalty every time a user’s data is compromised. “Facebook should pay a huge penalty to the government of the country,” she maintained.
Nimesh Shah, Head Maven, Windchimes, reconciles the issue, saying, “Being the most popular social media platform also entails that it is targeted the most. It won’t be fair to say that Facebook has been negligent, but sure they always will have to do more to ensure safeguards and data protection, given the popularity they enjoy. They will always have to maintain the balance between commercial interests, which more often than not lead to breaches, vis-à-vis platform for users to enjoy.”
Impact on user behaviour
For Rishi Sen, data privacy had probably always been a vague concept for casual social media users until the whole Cambridge Analytica fiasco.
“While social media usage might not get drastically affected, the number of users who use their social media credentials to sign up on other platforms that are transactional in nature might decrease,” he opined.
Shradha Agarwal, who distinguished between a regular user and an evolved user, remarked, “Today, evolved users have completely moved out of Facebook, all they have there is an active profile that they visit to consume content, but average number of posts per person has reduced drastically. They are just using it as a medium to announce some important news to their friends and family, owing to the reach FB has. But their day to day stories have moved to other platforms like Instagram, Snapchat, etc. To summarise, while Facebook still goes ga-ga about active users, defined by logins, average stories per person has gone down.”
In Nimesh Shah’s opinion, the recent set of controversies on Facebook has had two impacts. “One, it has slowed down the onboarding of newer users to the platform and second, it has reduced the wholehearted adoption of the platform by the existing users. The fervour with which users shared their personal moments and events has been replaced by more of official and informational set of content.”
How can users protect themselves?
“Unless someone was directly affected, I would still stick to investing a few more minutes to sign-up manually, without using your Facebook or any other platform’s login,” advised Rishi Sen.
Shradha Agarwal felt that what was lacking was additional options to choose from. She pointed out, “Like I mentioned, users have stopped using Facebook as actively as they were doing earlier to share their stories. I don’t think the day is far when we will have a new social platform, maybe an Indian-origin platform, like China has and we all move to that. This would not be impossible, because users have been very flexible and had moved easily from Orkut to Facebook, from Facebook to Instagram. They have been also very exploring in nature with platforms like Pinterest, Snapchat, etc.”
Nimesh Shah noted that users have become cautious with regard to social media, and added, “The recent breaches have impacted Indian users as much as people globally, and that is definitely causing users to be more alert and think before putting up their personal posts.”
Role of the government
According to Rishi Sen, “The government could institute restrictions on the information we put online. If the law controls what kind of information can be mined on these platforms, then yes, it might help. Currently, the data available for an individual online is quite substantial. If the level of data mined is controlled, that might make such situations a bit safer.”
Shradha Agarwal strongly believes that social networks should be held personally accountable. Reiterating what she had said earlier, Agarwal maintained, “The first Law that India should have is penalization, where for any such leak, Facebook should pay us. Secondly, we should have a regular monthly report from them on what APIs are being used and by whom. Also, a report on overall spends earned from Indian companies would help us keep a tab.”
While stating that the government had a limited role to play in the matter, Nimesh Shah opined, “I don’t think data localisation will help at all when it comes to data leaks. What is required is the constant update of cyber security and everything that comes with that. Data localisation will make them more accountable to the Indian laws and thereby, the government.”
The way forward
Sen of The 120 Media Collective believes that with GDPR and other national laws being implemented across the globe, it will not be long before social media networks end up paying large compensations should such situations keep on happening.
Grapes Digital’s Agarwal remarked, “The usage of social media will only increase. Today, platforms have two types of data – Public and Private. Facebook clearly owned the private domain, unlike Twitter, which was public. So, as users we know which platform is more vulnerable and we as users will be cautious before we post anything. But you can’t continue to stay a private platform on the one hand and leak data on the other.”
Windchimes’ Shah pointed out that there were several steps that these platforms could take in the right direction. “Social media platforms will have to deploy better techniques to differentiate original content from forwarded ones. Further, they will have to use technology to weed out fake messages and get those deleted before those spread out. Thirdly, keep a tab on the accounts from where majority of these fake messages originate and constantly delete those profiles.”
He had a rather radical suggestion to offer – allowing users to voluntarily link their profile with Aadhaar and all those people who do that should get a verification mark stating ‘Verified By Aadhaar’, which would make their content more authentic than those coming from other accounts. “The assumption is that the people who choose to link their Aadhaar with it will be more careful about what they post and forward,” Shah reasoned.
Meanwhile, when Adgully reached out to Facebook for their comments on this entire issue, they referred to two releases dated September 28, 2018 and October 2, 2018.
In the September 28 release, the social media giant admitted that their engineering team had discovered a security issue affecting almost 50 million accounts. They explained that the attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts.
Facebook reset the access tokens of the almost 50 million accounts that were known to be affected to protect their security, and as a precautionary step, also reset the access tokens of another 40 million accounts that had been subject to a “View As” look-up in the last year. “As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” the release stated.
The October 2 release provided an update on the security attack and mentioned the steps that Facebook was taking to strengthen the security aspects. They ended on an apology note, stating, “We’re sorry that this attack happened — and we’ll continue to update people as we find out more.”