
Can we not let this become framed as a "breach"? No systems were compromised. Nothing of Facebook's was accessed that wasn't supposed to be accessed. This was data intentionally exposed by Facebook, just exfiltrated and given to an entity whom Facebook hadn't authorized.

This is simply the extent to which we've permitted these Internet giants to collect information about us. It's business as usual.

Edit: To clarify, this is indeed worse than if the data were taken from Facebook without consent. What it means is that not only does Facebook have access to vast troves of personal information, but so does everyone tangentially connected to someone with a Facebook developer account.




> Can we not let this become framed as a "breach"? No systems were compromised. Nothing of Facebook's was accessed that wasn't supposed to be accessed. This was data intentionally exposed by Facebook, just exfiltrated and given to an entity whom Facebook hadn't authorized.

This is similar to a HIPAA "breach" where the word doesn't imply that a security system was compromised, but that protected data was accessed by folks who shouldn't have had it. In this context, framing it as a breach is perfectly accurate.

As an aside, a HIPAA-style law that protects and enforces portability for this type of personal data might be a good first step to reforming our industry here, which is currently completely unregulated in this regard.


Listening to politicos, you'd think the systems were actually compromised, and, in the same breath, boogeypeople from Russia are mentioned in order to conflate things in the mind of the audience. This willful conflation is a tactic to drive a narrative.

HIPAA data is accessed by researchers, sometimes anonymized, but not in all cases. These are not considered breaches. In addition, as others indicate, FB posts are not, at least at this time, protected data.

So, while illustrative, the analogy is not apt.


> you'd think the systems were actually compromised

We're seeing a divide between the technical and popular interpretations of the term "breach". When an industry drops the ball and responds pedantically, that's a strong sign that further regulation is needed. If only to force a common language.

Facebook insists they were not "breached" because many states require notification in the event of "security breaches of information involving personally identifiable information" [1]. Each body of law defines "breach" differently. Most do not limit it to technical security malfunctions.

[1] http://www.ncsl.org/research/telecommunications-and-informat...


> When an industry drops the ball and responds pedantically, that's a strong sign that further regulation is needed. If only to force a common language.

We already have plenty of regulation here that Facebook is unambiguously subject to; the question is whether the relevant authorities will actually follow through on that.

For what it's worth, it's been two days, and we're already seeing an FTC investigation and a Congressional investigation, so it's a little premature to conclude that existing regulation is insufficient.


> HIPAA data is accessed by researchers, sometimes anonymized, but not in all cases. These are not considered breaches. In addition, as others indicate, FB posts are not, at least at this time, protected data.

In order to receive data protected under HIPAA by a covered entity, you have to go through an extraordinarily elaborate and complex legal process. In addition to signing an agreement that (in effect) binds you to all of the same restrictions on the data that the original covered entity (e.g. hospital/insurer) was, if you're accessing the data for research purposes, you'll have to go through an institutional review of your intended purpose and methods for the research.

Facebook does none of these, which is why they have been (rightfully) criticized for conducting unbelievably unethical studies[0] without either user consent or institutional approval, even though both of those are typically required by all reputable universities and publishers for research.

Facebook posts are not protected under HIPAA, but they're not entirely unprotected either, and it's totally valid to refer to that breach of responsibility and trust as a breach.

[0] e.g. https://www.washingtonpost.com/news/morning-mix/wp/2014/07/0...


I'll agree with you in characterizing it as a breach of trust. That it is. Operatives in Washington, however, are trying to characterize it as something it is not.

It's not Russians hacking in, it's not part of some effort to destabilize democracy, etc. That characterization and demonization is indicative of the mindset of those people and that may even pose more danger than the breach of trust by Facebook.


> It's not Russians hacking in

True! Mostly it was information about users and their social graph collected by people voluntarily. It's distressing that people were not informed, "We're going to use this to target political propaganda at you when you" when they took personality quizzes/etc, but all the data was shared by users. FB's security isn't breached, merely their users' trust.

> it's not part of some effort to destabilize democracy, etc

I'm not sure we all agree on that. ;) The whole point was that one can use the intelligence gleaned from these users' social graphs to target memes/advertising/messaging to specific subgroups whose political responses you are hoping to influence.


> It's not Russians hacking in, it's not part of some effort to destabilize democracy, etc.

I'll avoid the word "hacking" since it's used to mean a lot of different things to different people, but it absolutely could be part of an effort to destabilize or undermine (US) democracy.

What we've seen is definitely a breach of responsibility and a breach of trust. It's also probably a breach of the law, since the data Facebook collects is still subject to some protections (and it's hard to imagine how Facebook could have done all this while adhering to those). And while we don't yet know the motivation or intentions of the people involved in these actions, it could very well be motivated by an effort to destabilize or undermine US democracy. I don't see why you think those are mutually exclusive.


It's no secret that 3rd parties can get access to your facebook data though. There's been apps asking for permission to access your facebook data for years. That's the whole point of the facebook developer platform.

Do we know what data was harvested? Cause if it's data that's supposed to be private then yeah, that's some murky business. If it's public info, or info that can be accessed if you give an app permission to log-in, then is that really a "breach"?

I mean, it's terrible and CA was definitely misusing it, but if I install an app and it asks for permission to use my location and my contacts, and I grant them, is that a break of trust and a breach of the law on the Apple/Google front? What should Apple/Google be doing to protect my privacy?

Legit questions here; I do hope something is figured out and less people fall into this kind of trap. I've heard of Android games whose purpose actually is to harvest a ton of personal info. Apple seems to veto its apps better, and maybe that's the solution-- Facebook should veto 3rd parties better (Google should too, before something like this hits the fan).


>protected data

What data was being protected? The data was created when the user chose to engage with the facebook apps. CA pays facebook to put something in front of users faces and then CA gets back information on user engagement. How is that different than any other kind of advertising on the web?

We can argue that there needs to be more transparency on facebook but a breach? That's torturing the word.


> What data was being protected?

Personally-identifiable information [1]. Many states require notification in the event this data is found to have been accessed improperly. The definition of a "breach" is not limited to technical malfunctions.

[1] http://www.ncsl.org/research/telecommunications-and-informat...


Personally-identifiable information that users chose to share with the world as part of public profiles.

We might say that you can't sign away the secrecy of your PII, so user consent is irrelevant. Then we had better get on YCombinator, Stack Overflow, Medium, etc. for allowing prominent community members to use their real names on their posts. Someone could [0] use them to train statistical models to who-knows-what purpose, after all.

[0] https://www.kaggle.com/hacker-news/hacker-news-corpus


CA state that the data was collected by a third party as "academic research" and they didn't know that when it was given to them - so they violated the terms of service in good faith.

Whether you believe them is another matter.


"protected data" was part of the HIPAA analogy.

> This is similar to a HIPAA "breach" where the word doesn't imply that a security system was compromised, but that protected data was accessed by folks who shouldn't have had it.

Protected data, in the context of HIPAA, would refer to Personal Health Information (PHI)


Why would the HIPAA standard of a breach apply here? Scraping public data to create a political profile is on par with getting access to private health data?


Let's please do better than HIPAA. It was the first such law that I know of, and there are a lot of kinks to it. Many subsequent laws were able to learn from its mistakes.

One of the big weaknesses of HIPAA is that the privacy requirements technically apply to the data custodians, not the data. That allows for some loopholes through which private information can fall out of HIPAA protection, and also creates some unnecessary hassles for health care providers.

Ontario's PHIPA is one example of a better model for patient privacy.


>> ...but that protected data was accessed by folks who shouldn't have had it.

Facebook handed over the data. They need to understand that they don't have control over it once it leaves Facebook. Is a violation of ToS a data breach? Do we really want to conflate those things?


I understand why Facebook doesn't want to call it a breach. But it seems equally reasonable to me that users see it as one. From the user perspective, private data is suddenly in the hands of unknown, suspicious actors who may use it against them.

That Facebook would rather not call that a breach so much as "business as usual" is all the more reason legislators may be inclined to define "breach" the way that voters do.


My intention was to contrast the mundane connotation of "business as usual" with the visceral negative reaction most of us seem to have with our data being used this way.

The point I'm trying to make is that there's a difference between an isolated attack (e.g. Equifax) and what Facebook has going on here. To the person who reads about a "data breach at Facebook", it does sound like this was an aberrant event that happened suddenly — rather than systemically, by a machine built on doing this every day.

Cambridge Analytica's actions may illuminate how far this can go, but we should treat it as the norm — and regulate accordingly.


Facebook DO want to frame it as a breach. Because then it's a f*-up, not expected behaviour.


A much better example would be GDPR, which comes into force EU-wide in about two months.


Actually, the regulation itself already is in force, and has been since the day it was ratified. There's just a moratorium on enforcement in the first two years of this EU directive, so that business (and society) has time to adjust to the new reality.

The distinction may be very subtle, but it's important to know that following the 25th of May, businesses can no longer claim to be "in the process" of implementing it -- they have already had two years to prepare.


American businesses did not need to prepare until Safe Harbor fell through much more recently.


Safe Harbour was overturned in October 2015 (so half a year before the GDPR was ratified), according to https://en.wikipedia.org/wiki/International_Safe_Harbor_Priv...


> This is similar to a HIPAA "breach" where the word doesn't imply that a security system was compromised, but that protected data was accessed by folks who shouldn't have had it. In this context, framing it as a breach is perfectly accurate.

Data breach is a compound noun with a very specific meaning in information security. It means that the data was protected, and a malicious entity defeated the protections.

Breach of contract, breach of trust, physical breaching of the hull of a ship, etc. are all different usages of the word breach, but it's not a data breach unless someone accessed a protected system without or exceeding authorization as defined by the CFAA.


>This is similar to a HIPAA "breach"

It's not, at all. The FB API was designed to give out this information before it was changed. That means the friend data was not need-to-know like healthcare data.


The real point is that companies like facebook and equifax have such large caches of personal data and have no legal obligation to protect it. This is a point most people outside of tech don't understand. You might not even be a user of facebook but these companies still have data on you that is highly personal and invasive.

An academic who has done some great work on this is Evgeny Morozov. Highly recommend his books, articles and lectures.


The point of my comment is that we should not compare Facebook to Equifax. The latter may have been lax in protecting that data, but the millions of records exposed last year were taken without their consent. Facebook is literally inviting anyone who can sign up for a developer account to harvest their — sorry, our — data at scale.


Right and I'm saying that the broader point is it's legal for these companies, Facebook and Equifax being two of the biggest, to have massive caches of highly invasive personal data and have 0 legal obligation to protect it (they can do anything they want with it). How invasive is it for a company like weatherbug to be selling your location data to the highest bidder simply because you want to check the weather on your phone?

The massive industry that has been built around advertising and personal data trading needs to be regulated.


I agree with you with regard to WeatherBug, but Equifax already cannot just sell your credit data to the highest bidder. Whether there should be more restrictions on how that data can be used is up for debate, but for the most part you can't get a credit report on someone without their explicit consent.

I specifically want to avoid the Equifax comparison because it looms large in people's minds as an example of an intrusion and forceful removal of data, which is not what occurred with Facebook and Cambridge Analytica. We should have better laws around protecting sensitive data from intruders, too, but they won't be the same laws prohibiting companies from selling data they've collected on us. Conflating these problems will not help us solve them.


Was this a security breach in the sense that the company with the data got “hacked”? No.

Was this a breach in trust to Facebook users? I think undoubtedly yes.

And was there a breach of the Terms of Service by companies taking all this data and using it for non-academic purposes? Yes there was.

So the type of breach seems to be a worthwhile distinction to make.


> Was this a breach in trust to Facebook users? I think undoubtedly yes.

What's interesting about this is the fact that the same data is shared with many third-parties, with proper "consent", and users not understanding what's really happening. Calling this a "breach" has the slight unintended side-effect in the public by promoting the idea that this company received a different dataset than other partners, which is not the case.


> And was there a breach of the Terms of Service by companies taking all this data and using it for non-academic purposes? Yes there was.

There's a legal concept of 'waiver' meaning that even if something is prohibited in a contract, but the parties don't enforce that part, then that part is later not enforceable. Facebook was fully aware of this behavior, chose not to enforce the ToS, and therefore it waived that clause. Therefore no breach.


>Was this a breach in trust to Facebook users? I think undoubtedly yes.

How naive is the average person? The purpose of facebook is to gather this information, hence why it's offered as a "free service".

Frankly, I don't understand why the stock is going down, facebook is fulfilling its core mission: Get private information on millions of people and package that information for sale to its clients. If anything CA situation should show how FB is fulfilling its core mission.

The fact that the public is now waking up to this is not a breach, it's simply casting a light on what has always existed.


The average person is incredibly naive with regards to what the cost of a "free service" like Facebook is. It's not until you start looking at people who are in related fields that you start seeing people who truly understand the costs.

The public waking up to this breach and the costs being exposed are probably a huge part of why the stock is dropping. Facebook's continued profitability and success is dependent on its users not understanding how their data is being used. And now "everyone" knows, so the secret is out and hopefully Facebook can't get away with this going forward.


All this lawyering over the definition of 'breach' is failing to see the forest for the trees. It is a breach of trust, even if not a breach of technical security controls.


I think there's a meaningful, non-definition difference - and in some ways it makes Facebook look worse.

Metaphorically, somebody had a gun, and someone else took that gun and used it to rob a bank. Equifax left the gun sitting visible in an unlocked car, and people are angry about the predictable results. Facebook was running a "borrow my gun" program for strangers, but had a clause saying "no using my gun for crimes, no lending my gun to any third parties". One of those strangers lent the gun to the robber, and Facebook is saying this isn't their problem because they said not to do that.

So yes, they're both bad outcomes. But "breach" usually means "this was stolen without our knowledge", and that's a very misleading impression to create here.


Sounds like a breach to me.

The only difference is that instead of the baddies having to sneak in carefully at night to nick stuff, Facebook said 'welcome, come on in, help yourself – here's a sack'.

The end result – millions of people having their personal data used against them without their knowledge or consent - is the same.


To me, calling it a breach is Facebook's attempt at passing the buck. Getting breached alleviates some responsibility for what happened. Maybe not in reality, but in how it's portrayed in the media and how it's understood by laymen it absolutely does.


Two things can result in the same outcome without being the same thing.


"Breach" specifically implies that defenses were penetrated. But as you said, Facebook is not trying to protect our data.

This is far worse than if the data were taken from them unwillingly, because it vastly increases the number of entities with unfettered access to it.


> "Breach" specifically implies that defenses were penetrated

It’s time to update the definition. “Breach” means you lost my shit. I thought I gave it you in confidence and then you lost it. Facebook arguing “this isn’t technically a breach” comes across as their yet again talking down to users to slip problems under the rug.


Sure, but we still need some term to disambiguate between "a company didn't protect my data against intruders" and "a company sold my data, then didn't like what the buyer did with it".

This isn't like the Equifax breach. It's not a result of Facebook's security practices. It's a result of Facebook's entire business model.


No, this is not a breach. Words still mean things.


"Words still mean things" is not an argument.

This can be a 'breach' by many of these definitions.[0][1][2]

You're basically saying, "Words only mean the things that I want them to mean, and if you try to use them a different way than I approve, then I will use this meme to try to shut you down."

Words fluctuate in meaning all the time. This may very well be the beginning of a new definition for breach, i.e., a social data breach, for example.

But we don't even have to go so far as to claim that this is a new meaning for breach. Any of these old definitions contains sufficient meaningfulness to make "Facebook loses control of data to unauthorized breach" perfectly intelligible.

[0] https://en.oxforddictionaries.com/definition/breach

[1] https://www.merriam-webster.com/dictionary/breach

[2] http://www.dictionary.com/browse/breach


> Any of these old definitions contains sufficient meaningfulness to make "Facebook loses control of data to unauthorized breach" perfectly intelligible.

Sure, but the point being made by the "it's not a breach" people is that Facebook didn't lose control of data to an unauthorized breach. They gave up data according to their own documented and expected procedures to people who were supposed to have it. "Facebook voluntarily and purposefully gives away data in an authorized breach" is not so intelligible.

The fact that "Facebook loses control of data to unauthorized breach" would be a sensible, understandable sentence isn't really relevant when nothing of the kind has happened. Who'd be using that sentence?


I guess then I'm confused about the narrative of the story so far.

Did Facebook have control over its (my? your?) data at Cambridge Analytica or not? I thought the extra 50 to 250 million profiles scraped were unauthorized access?

I could be entirely mistaken.


I had the impression that they just had 50 and they lied about "every american" on the stage. Might be very wrong though.


> "Words only mean the things that I want them to mean, and if you try to use them a different way than I approve, then I will use this meme to try to shut you down."

checkyoursudo, I don't want to shut anybody down. I get your point. And I am sure that in a world of haveibeenpwned.com and Equifax you get mine.

Let's focus on the real issue here. Facebook has data that:

- Can harm everyone

- Is not protecting it well enough


I do get your point. 100%


It's an alleged legal breach of Data Protection principles. That language is used historically by the ICO in the UK to describe exactly this type of situation.

Facebook's responsibilities and Cambridge Analytica's responsibilities towards data protection have been breached.

There's no other useful word for that. It might not be a hack and it might not be a security vulnerability, but it is surely a breach.


Yes, in the words of the ICO:

> A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

Most of the breaches I'm familiar with are accidental - people putting their research on thumb drives and losing them, etc etc.

Whether the fox gets into the chicken shed, or you let the chicken out of the safety of the shed, it's a breach of the chicken's security.


For Facebook, an actual data breach would be better. They could button things up and make some statements and move on.

This appears to have been systemic and profitable for them because companies would turn around and pay them for highly targeted ads. They ignored it because of greed.


Yep. If/when the 50M profiles become public, Facebook will be bending over backwards to rebrand this as a breach. However, on the (Twitter) record, their CISO has already said emphatically this was not a breach. He's been demoted.


It's the problem with that kind of speech, it's impersonal and dehumanizing.

Let's say it like it is: facebook betrays users' expectations giving their data to other businesses.

Same for hacking: some people invaded system such and such and took private information.

It doesn't matter if it was a breach, a floodgate, a window, what matters is what happened, and what happened is that player X did Y. Let's just state that first and foremost.


It’s important for the public discourse that someone point this sort of stuff out occasionally. Even if this was not even the most egregious example I’ve seen this week.

Once in a while I reread http://www.derailingfordummies.com and review the definition of “horizontal aggression”. Sometimes it saves me from engaging with people who are derailing the conversation. Accidentally or willfully.


It's definitely a breach, just not breach into Facebook's technical infrastructure.

As I wrote previously, don't you think that it can be a breach in the same sense of a breach by phishing? After all, both of the cases are about people giving their "secrets" for one reason but the info being used for something else. I mean, in the case of traditional phishing the user is tricked to provide the password by impersonating a banking site, getting their funds stolen and in the case in question, the users are tricked to provide personal information by being promised some kind of personality analysis but their data is used for political propaganda that they didn't ask for resulting in life-changing consequences due to politics.


When you call it a breach it sounds like they made a mistake.

It wasn’t a mistake. It was by design.


Breach doesn't imply a mistake.

Anyway, the idea here is that CA breached Facebook users' personal data by methods quite similar to phishing and FB looked the other way. Not necessarily by design but maybe by a desire to exploit the platform as much as possible so that did not get in the way of people who were doing interesting things.


We all know what a data breach is, calling this a data breach is playing fast and loose with the term.

https://en.wikipedia.org/wiki/Data_breach

Look at all the examples of a data breach in this wiki. The CA/Facebook incident looks nothing like them.

CA either paid facebook to collect data through apps or scraped data from public profiles. Maybe the CA/facebook incident will change what we consider "breach" to mean but right now "unauthorized collection of public data to create a political profile of users" is not a data breach.


The first sentence from your link: "A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment."

Sounds like exactly what happened with CA and FB. People came for friends and fun personality tests, their information got into the hands of a propaganda machine. Definitely a breach.

As for the examples, do you want me to edit the Wikipedia article and add the CA/FB incident?


Based on many of the comments in this thread I don't see how you could say it "sounds like exactly what happened with CA and FB." Debatable maybe. Clear cut, obviously not.

And as for your glib comment on editing the wiki article, you should read more carefully what I said. My argument was that the numerous examples of a breach in that wiki do not fit the CA/FB incident. Adding the incident to the list would do nothing to dispute that point.


The definition from the Wikipedia article certainly does match this incident.

The comments on this thread aren't generally dealing with the question of the applicability of that definition so bringing that up doesn't help you.

I guess what you're really trying to get at is that you disagree with that definition. That's fine. But it's a very weak argument to appeal to an authority and then disregard the authority where it contradicts your position.

Maybe you need to edit the Wikipedia article ;)

BTW, not sure if this is the part you don't like, but the distinction between intentional and unintentional is tricky. For one, we'd have to pin down whose intentions we're talking about (the people controlling the data store that has been breached, or the people whose private information has been taken). Then, peer into the minds of people we don't know or, worse, try to determine intention for a corporate entity. If intent is part of the definition of a breach then it would demand a lot of assumptions to be applied (or some kind of long, expensive process like an investigation and trial).

In the end, the impact on the people whose private information was taken is the same: their private information has been taken, en masse, without their permission, by someone they don't know, for purposes they don't know.


No more or less a breach than any social engineering attack. No more or less than Chelsea Manning for that matter. "Our servers weren't compromised" is totally irrelevant.

Did the sensitive data end up someplace it shouldn't? Yes? Then your data security was breached. The end.

But hey let's argue over the technical definition of breach rather than how evil facebook are and how much power they have - both of which are vastly more interesting to consider. I'd like to see some support of the not very, not much school of thought.


You don't even need a developer account. You could just scrape Facebook which is probably what CA did in the first place. They used the app to identify US users and from there on just scrape the pages using a headless browser and multiple proxies.


Unless I’m doing something wrong, a developer account makes this sort of thing harder: you can’t just access anyone’s data, you have to convince them to authorize your app first. . . Which is probably why there’s all these “find which star wars character you are!” quizzes that make the rounds on FB.


It's a little easier than getting everyone to sign up, back at the time this app was circulating if you gave it access to your data the app would also gain access to all of your friends' data. That's why a relatively small number of installs allowed it to hoover up huge amounts of data. So even if you were militant about not granting access, but your grandma clicked a button... Whoops!


Even "exfiltrated" is not really accurate since it was freely handed over.

The problem is that Facebook just made its partners pinky swear to only use the data for research, which is obviously not an adequate data security measure.


>'Can we not let this become framed as a "breach"?'

Just because it wasn't a hack does not mean it wasn't a breach. To wit - a breach of data governance, breach of trust, breach of moral responsibility.


Whatever it is, it's the same thing that a breach is. So either call it a breach or invent a new word for it. In any event, calling it a breach results in treating it with the degree of seriousness it deserves so I don't see a reason to not use that word.


I hope you are saying that this is worse than a simple breach, not that it is a non-issue.


Good call. Edited to clarify.



