This is simply the extent to which we've permitted these Internet giants to collect information about us. It's business as usual.
Edit: To clarify, this is indeed worse than if the data were taken from Facebook without consent. What it means is that not only does Facebook have access to vast troves of personal information, but so does everyone tangentially connected to someone with a Facebook developer account.
> Can we not let this become framed as a "breach"? No
> systems were compromised. Nothing of Facebook's was
> accessed that wasn't supposed to be accessed. This was
> data intentionally exposed by Facebook, just exfiltrated
> and given to an entity whom Facebook hadn't authorized.
As an aside, a HIPAA-style law that protects and enforces portability for this type of personal data might be a good first step to reforming our industry here, which is currently completely unregulated in this regard.
HIPAA data is accessed by researchers, sometimes anonymized, but not in all cases. These are not considered breaches. In addition, as others indicate, FB posts are not, at least at this time, protected data.
So, while illustrative, the analogy is not apt.
We're seeing a divide between the technical and popular interpretations of the term "breach". When an industry drops the ball and responds pedantically, that's a strong sign that further regulation is needed. If only to force a common language.
Facebook insists they were not "breached" because many states require notification in the event of "security breaches of information involving personally identifiable information" . Each body of law defines "breach" differently. Most do not limit it to technical security malfunctions.
We already have plenty of regulation here that Facebook is unambiguously subject to; the question is whether the relevant authorities will actually follow through on that.
For what it's worth, it's been two days, and we're already seeing an FTC investigation and a Congressional investigation, so it's a little premature to conclude that existing regulation is insufficient.
In order to receive data protected under HIPAA by a covered entity, you have to go through an extraordinarily elaborate and complex legal process. In addition to signing an agreement that (in effect) binds you to all of the same restrictions on the data that the original covered entity (e.g. hospital/insurer) was, if you're accessing the data for research purposes, you'll have to go through an institutional review of your intended purpose and methods for the research.
Facebook does none of these, which is why they have been (rightfully) criticized for conducting unbelivably unethical studies without either user consent or institutional approval, even though both of those are typically required by all reputable universities and publishers for research.
Facebook posts are not protected under HIPAA, but they're not entirely unprotected either, and it's totally valid to refer to that breach of responsibility and trust as a breach.
 e.g. https://www.washingtonpost.com/news/morning-mix/wp/2014/07/0...
It's not Russians hacking in, it's not part of some effort to destabilize democracy, etc. That characterization and demonization is indicative of the mindset of those people and that may be even pose more danger than the breach of trust by Facebook.
True! Mostly it was information about users and their social graph collected by people voluntarily. It's distressing that people were not informed, "We're going to use this to target political propaganda at you when you" when they took personality quizzes/etc, but all the data was shared by users. FB's security isn't breached, merely their users' trust.
> it's not part of some effort to destabilize democracy, etc
I'm not sure we all agree on that. ;) The whole point was that one can use the intelligence gleaned from these users' social graphs to target memes/advertising/messaging to specific subgroups whose political responses you are hoping to influence.
I'll avoid the word "hacking" since it's used to mean a lot of different things to different people, but it absolutely could be part of an effort to destabilize or undermine (US) democracy.
What we've seen is definitely a breach of responsibility and a breach of trust. It's also probably a breach of the law, since the data Facebook collects is still subject to some protections (and it's hard to imagine how Facebook could have done all this while adhering to those). And while we don't yet know the motivation or intentions of the people involved in these actions, it could very well be motivated by an effort to destabilize or undermine US democracy. I don't see why you think those are mutually exclusive.
Do we know what data was harvested? Cause if its data that's supposed to be private then yeah, that's some murky business. If its public info, or info that can be accessed if you give an app permission to log-in, then is that really a "breach"?
I mean, it's terrible and CA was definitely misusing it, but if I install an app and it asks for permission to use my location and my contacts, and I grant them, is that a break of trust and a breach of the law on the Apple/Google front? What should Apple/Google be doing to protect my privacy?
Legit questions here; I do hope something is figured out and less people fall into this kind of trap. I've heard of Android games whose purpose actually is to harvest a ton of personal info. Apple seems to veto its apps better, and maybe that's the solution-- Facebook should veto 3rd parties better (Google should too, before something like this hits the fan).
What data was being protected? The data was created when the user chose to engage with the facebook apps. CA pays facebook to put something in front of users faces and then CA gets back information on user engagement. How is that different than any other kind of advertising on the web?
We can argue that there needs to be more transparency on facebook but a breach? That's torturing the word.
Personally-identifiable information . Many states require notification in the event this data is found to have been accessed improperly. The definition of a "breach" is not limited to technical malfunctions.
We might say that you can't sign away the secrecy of your PII, so user consent is irrelevant. Then we had better get on YCombinator, Stack Overflow, Medium, etc. for allowing prominent community members to use their real names on their posts. Someone could  use them train statistical models to who-knows-what purpose, after all.
Whether you believe them is another matter.
> This is similar to a HIPAA "breach" where the word doesn't imply that a security system was compromised, but that protected data was accessed by folks who shouldn't have had it.
Protected data, in the context of HIPAA, would refer to Personal Health Information (PHI)
One of the big weaknesses of HIPAA is that the privacy requirements technically apply to the data custodians, not the data. That allows for some loopholes through which private information can fall out of HIPAA protection, and also creates some unnecessary hassles for health care providers.
Ontario's PHIPA is one example of a better model for patient privacy.
Facebook handed over the data. They need to understand that they don't have control over it once it leaves Facebook. Is a violation of ToS a data breach? Do we really want to conflate those things?
That Facebook would rather not call that a breach so much as "business as usual" is all the more reason legislators may be inclined to define "breach" the way that voters do.
The point I'm trying to make is that there's a difference between an isolated attack (e.g. Equifax) and what Facebook has going on here. To the person who reads about a "data breach at Facebook", it does sound like this was an abberant event that happened suddenly — rather than systemically, by a machine built on doing this every day.
Cambridge Analytica's actions may illuminate how far this can go, but we should treat it as the norm — and regulate accordingly.
The distinction may be very subtle, but it's important to know that following the 25th of May, businesses can no longer claim to be "in the process" of implementing it -- they have already had two years to prepare.
Data breach is a compound noun with a very specific meaning in information security. It means that the data was protected, and a malicious entity defeated the protections.
Breach of contract, breach of trust, physical breaching of the hull of a ship, etc. are all different usages of the word breach, but it's not a data breach unless someone accessed a protected system without or exceeding authorization as defined by the CFAA.
It's not, at all. The FB API was designed to give out this information before it was changed. That means the friend data was not need-to-know like healthcare data.
An academic who has done some great work on this is Evgeny Morozov. Highly recommend his books, articles and lectures.
The massive industry that has been built around advertising and personal data trading needs to be regulated.
I specifically want to avoid the Equifax comparison because it looms large in people's minds as an example of an intrusion and forceful removal of data, which is not what occurred with Facebook and Cambridge Analytica. We should have better laws around protecting sensitive data from intruders, too, but they won't be the same laws prohibiting companies from selling data they've collected on us. Conflating these problems will not help us solve them.
Was this a breach in trust to Facebook users? I think undoubtedly yes.
And was there a breach of a the Terms of Service by companies taking all this data and using it for non-academic purposes? Yes there was.
So the type of breach seems to be a worthwhile distinction to make.
What's interesting about this is the fact that the same data is shared with many third-parties, with proper "consent", and users not understanding what's really happening. Calling this a "breach" has the slight unintended side-effect in the public by promoting the idea that this company received a different dataset than other partners, which is not the case.
There's a legal concept of 'waiver' meaning that even if something is prohibited in a contract, but the parties don't enforce that part, then that part is later not enforceable. Facebook was fully aware of this behavior, chose not to enforce the ToS, and therefore it waived that clause. Therefore no breach.
How naive is the average person? The purpose of facebook is to gather this information, hence why its offered as a "free service".
Frankly, I don't understand why the stock is going down, facebook is fulfilling its core mission: Get private information on millions of people and package that information for sale to its clients. If anything CA situation should show how FB is fulfilling its core mission.
The fact that the public is now waking up to this is not a breach, its simply casting a light on what has always existed.
The public waking up to this breach and the costs being exposed are probably a huge part of why the stock is dropping. Facebook's continued profitability and success is dependent on its users not understanding how their data is being used. And now "everyone" knows, so the secret is out and hopefully Facebook can't get away with this going forward.
Metaphorically, somebody had a gun, and someone else took that gun and used it to rob a bank. Equifax left the gun sitting visible in an unlocked car, and people are angry about the predictable results. Facebook was running a "borrow my gun" program for strangers, but had a clause saying "no using my gun for crimes, no lending my gun to any third parties". One of those strangers lent the gun to the robber, and Facebook is saying this isn't their problem because they said not to do that.
So yes, they're both bad outcomes. But "breach" usually means "this was stolen without our knowledge", and that's a very misleading impression to create here.
The only difference is that instead of the baddies having to sneak in carefully at night to nick stuff, Facebook said 'welcome, come on in, help yourself – here's a sack'.
The end result – millions of people having their personal data used against them without their knowledge or consent - is the same.
This is far worse than if the data were taken from them unwillingly, because it vastly increases the number of entities with unfettered access to it.
It’s time to update the definition. “Breach” means you lost my shit. I thought I gave it you in confidence and then you lost it. Facebook arguing “this isn’t technically a breach” comes across as their yet again talking down to users to slip problems under the rug.
This isn't like the Equifax breach. It's not a result of Facebook's security practices. It's a result of Facebook's entire business model.
This can be a 'breach' by many of these definitions.
You're basically saying, "Words only mean the things that I want them to mean, and if you try to use them a different way than I approve, then I will use this meme to try to shut you down."
Words fluctuate in meaning all the time. This may very well be the beginning of a new definition for breach, i.e., a social data breach, for example.
But we don't even have to go so far as to claim that this is a new meaning for breach. Any of these old definitions contains sufficient meaningfulness to make "Facebook loses control of data to unauthorized breach" perfectly intelligble.
Sure, but the point being made by the "it's not a breach" people is that Facebook didn't lose control of data to an unauthorized breach. They gave up data according to their own documented and expected procedures to people who were supposed to have it. "Facebook voluntarily and purposefully gives away data in an authorized breach" is not so intelligible.
The fact that "Facebook loses control of data to unauthorized breach" would be a sensible, understandable sentence isn't really relevant when nothing of the kind has happened. Who'd be using that sentence?
Did Facebook have control over its (my? your?) data at Cambridge Analytica or not? I thought the extra 50 to 250 million profiles scraped were unauthorized access?
I could be entirely mistaken.
checkyoursudo, I don't want to shut anybody down. I get your point.
And I am sure that in a world of haveibeenpwned.com and Equifax you get mine.
Let's focus on the real issue here. Facebook has data that:
- Can harm everyone
- Is not protecting it well enough
Facebook's responsibilities and Cambridge Analytica's responsibilities towards data protection have been breached.
There's no other useful word for that. It might not be a hack and it might not be a security vulnerability, but it is surely a breach.
> A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Most of the breaches I'm familiar with are accidental - people putting their research on thumb drives and losing them, etc etc.
Whether the fox gets into the chicken shed, or you let the chicken out of the safety of the shed, it's a breach of the chicken's security.
This appears to have been systemic and profitable for them because companies would turn around and pay them for highly targeted ads. They ignored it because of greed.
Let's say it like it is: facebook betrays users expectations giving their data to other businesses.
Same for hacking: some people invaded system such and such and took private information.
It doesn't matter if it was a breach, a floodgate, a window, what matters is what happened, and what happened is that player X did Y. Let's just state that first and foremost.
Once in a while I reread http://www.derailingfordummies.com and review the definition of “horizontal aggression”. Sometimes it saves me from engaging with people who are derailing the conversation. Accidentally or willfully.
As I wrote previously, don't you think that it can be a breach in the same sense of a breach by phishing? After all, both of the cases are about people giving their "secrets" for one reason but the info being used for something else.
I mean, in the case of traditional phishing the user is tricked to provide the password by impersonating a banking site, getting their funds stolen and in the case in question, the users are tricked to provide personal information by being promised some kind of personality analysis but their data is used for political propaganda that they didn't asked for resulting in life-changing consequences du to politics.
It wasn’t a mistake. It was by design.
Anyway, the idea here is that CA breached Facebook users personal data by methods quite similar to phishing and FB look the other way. Not necessarily by design but maybe by a desire to exploit the platform as much as possible so that did not get in the way of people who were doing interesting things.
Look at all the examples of a data breach in this wiki. The CA/Facebook incident looks nothing like them.
CA either paid facebook to collected data through apps or scraped data from public profiles. Maybe the CA/facebook incident will change what we consider "breach" to mean but right now "unauthorized collection of public data to create a political profile of users" is not a data breach.
Sounds like exactly what happened with CA and FB. People came for friends and fun personality tests, their information got into the hands of a propaganda machine. Definitely a breach.
As for the examples, do you want me to edit the Wikipedia article and add the CA/FB incident?
And as for your glib comment on editing the wiki article, you should read more carefully what I said. My argument was that the numerous examples of a breach in that wiki do not fit the CA/FB incident. Adding the incident to the list would do nothing to dispute that point.
The comments on this thread aren't generally dealing with the question of the applicability of that definition so brining that up doesn't help you.
I guess you're really trying to get at is that you disagree with that definition. That's fine. But it's a very weak argument to appeal to an authority and then disregard the authority where it contradicts your position.
Maybe you need to edit the Wikipedia article ;)
BTW, not sure if this is the part you don't like, but the distinction between intentional and unintentional is tricky. For one, we'd have to pin down whose intentions we're talking about (the people controlling the data store that has been breached, or the people's whose private information has been taken). Then, peer into the minds of people we don't know or, worse, try to determine intention for a corporate entity. If intent is part of the definition of a breach then it would demand a lot of assumptions to be applied (or some kind of long, expensive process like an investigation and trial).
In the end, the impact on the people's whose private information was taken is the same: their private information has been taken, en mass, without their permission, by someone they don't know, for purposes they don't know.
Did the sensitive data end up someplace it shouldn't? Yes? Then your data security was breached. The end.
But hey let's argue over the technical definition of breach rather than how evil facebook are and how much power they have - both of which are vastly more interesting to consider. I'd like to see some support of the not very, not much school of thought.
The problem is that Facebook just made its partners pinky swear to only use the data for research, which is obviously not an adequate data security measure.
Just because it wasn't a hack does not mean it wasn't a breach. To wit - a breach of data governance, breach of trust, breach of moral responsibility.