Why (almost) everything about Cambridge Analytica Facebook ‘hacking’ is wrong - ThomPete
https://medium.com/@CKava/why-almost-everything-reported-about-the-cambridge-analytica-facebook-hacking-controversy-is-db7f8af2d042
======
kahnjw
This seems like a strawman argument. The original reporting from the Guardian
didn’t call this a hack. Also, the most egregious actions taken by Facebook
are similar to actions taken by other companies after large user data
compromises (Uber, Equifax). Facebook/Zuckerberg made a decision not to inform
users that their data was compromised by an application they, or their friends,
had used. That is negligence. That is why people should be upset with
Facebook. That is why I have stopped using it. This has little to do with
Facebook getting hacked, and much more to do with a lack of social
responsibility on Facebook's part.

~~~
bhk
The data was not compromised by an app. Facebook allowed the app to have
access to the data.

The Guardian and others unfortunately used the term "data breach". My
understanding of the term agrees with the first definition I found on the
internet: "A data breach is an incident wherein information is stolen or taken
from a system without the knowledge or authorization of the system’s owner".
[Trend Micro]

That was not the case here.

Calling this a "breach" or "hack" makes Facebook look less culpable.

~~~
dragonwriter
> Guardian and others unfortunately used the term "data breach".

In places where a data breach is a legally defined thing with specific
consequences (notification requirements, etc.), the common definition seems to
be unauthorized access to information (encrypted data without a reasonable
means to decrypt it is usually excluded) without permission under the
applicable law and/or policies. This incident is exactly a breach in that
sense.

> Calling this a "breach" or "hack" makes Facebook look less culpable.

Calling it a “breach” does not, because a breach is not generally a thing for
which the custodian of data is not responsible.

~~~
bhk
Can you cite a source for your definition of breach? If you are including
cases where the holder of the data voluntarily shares data, I think that is
outside of most people's understanding. The app and its developer were
authorized, by Facebook, to access the data.

Also, I'm not sure what "applicable laws and/or policies" you are assuming
were violated.

Regarding "breach" and culpability: It's the difference between "Facebook did
not successfully defend against bad guys, allowing them to get your data"
and "Facebook gave bad guys your data". They may be culpable in both
scenarios, but clearly the latter is worse.

~~~
dragonwriter
> Can you cite a source for your definition of breach?

As I stated, it's a synthesis of the common features of various domain-specific
breach notification laws and regulations. A few _examples_ would be the FTC
[0] and HHS [1] rules for health information breaches under the HITECH Act,
and California's governmental breach notification law [2]; in all of those,
and many other similar laws and regulations, breach is defined by someone
getting unauthorized access (or, in some cases, making unauthorized use or
disclosure even with only authorized access) to personal information, whether
or not the custodian directly, or indirectly (e.g., by providing it to an
authorized party who subsequently acted badly with it) made it available to
the party who acquired or used it without authorization.

> Also, I'm not sure what "applicable laws and/or policies" you are assuming
> were violated.

In the case of the Facebook breach, it's Facebook's own policies, which are what
users have consented to with regard to use of their data.

[0] 16 CFR § 318.2(a): “_Breach of security_ means, with respect to unsecured
PHR identifiable health information of an individual in a personal health
record, acquisition of such information without the authorization of the
individual. Unauthorized acquisition will be presumed to include unauthorized
access to unsecured PHR identifiable health information unless the vendor of
personal health records, PHR related entity, or third party service provider
that experienced the breach has reliable evidence showing that there has not
been, or could not reasonably have been, unauthorized acquisition of such
information.”

[1] 45 CFR § 164.402: “_Breach_ means the acquisition, access, use, or
disclosure of protected health information in a manner not permitted under
subpart E of this part which compromises the security or privacy of the
protected health information.”

[2] Civil Code § 1798.29, requiring agency to provide breach notification “to
any resident of California (1) whose unencrypted personal information was, or
is reasonably believed to have been, acquired by an unauthorized person, or,
(2) whose encrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person and the encryption key or
security credential was, or is reasonably believed to have been, acquired by
an unauthorized person and the agency that owns or licenses the encrypted
information has a reasonable belief that the encryption key or security
credential could render that personal information readable or useable.”