[BreachExchange] The Cambridge Analytica Debacle is not a Facebook “Data Breach.” Maybe It Should Be.

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 19 21:18:28 EDT 2018


https://techcrunch.com/2018/03/17/the-cambridge-analytica-debacle-is-not-a-facebook-data-breach-maybe-it-should-be/

On March 16, we learned that Facebook will be suspending Strategic
Communications Laboratories (SCL) and its offshoot Cambridge Analytica.
According to Facebook, a University of Cambridge professor, Aleksandr Kogan,
was using Facebook Login in his “research app,” collecting data about its
users, and passing it on to Cambridge Analytica, a third party. Cambridge
Analytica, in turn, obtained personal information belonging to as many as
50 million Facebook users, through Kogan’s app, and without any express
authorization from Facebook. This personal information was subsequently
used to target voters and sway public opinion, in ways that benefited the
then presidential candidate Trump.

In response to accusations that this constituted a data breach, Paul
Grewal, Deputy General Counsel for Facebook, claimed that:

“The claim that this is a data breach is completely false. Aleksandr Kogan
requested and gained access to information from users who chose to sign up
to his app, and everyone involved gave their consent. People knowingly
provided their information, no systems were infiltrated, and no passwords
or sensitive pieces of information were stolen or hacked.”

Technically speaking, this assessment is probably correct. There was no
unauthorized external hacking involved, meaning that Facebook databases
were not breached by an outside malicious actor. At the same time, this
approach misses the point entirely in terms of user privacy and security.
It should not matter for a company like Facebook whether their users’
personal information was forcefully obtained through brute force, or
whether Facebook’s personnel were manipulated into handing that information
to a malicious and untrustworthy party.

The cliché goes that humans are the weakest link in cybersecurity, and
potentially even the leading cause for the majority of cybersecurity
incidents in recent years. This debacle demonstrates that cliché to its
full extent. But there is a deeper question here – why are our current data
breach notification laws creating this dichotomy between active breaches,
where hackers penetrate a database and obtain valuable data, and passive
breaches, where humans are being tricked into passing that data into
unauthorized hands? After all, the result is the same – users’ private data
is compromised.

Other than empowering State Attorneys General to investigate and pursue
legal action against violating companies, the primary purpose of data
breach notification laws is to ensure that if personal information
belonging to platform users and service consumers is compromised, then the
target of the breach is under obligation to duly notify any person whose
data has been leaked. But our current data breach notification system is
broken. A good analogy is to say that in the case of Facebook, these laws
only take into account the cybersecurity “walls” surrounding Facebook’s
databases, because they only recognize the security perimeter above the
surface. What these laws fail to understand is that there are tunnels
underneath the surface accessing Facebook’s databases, through which personal
information is being extracted almost without restriction. If our current
laws are unable to characterize similar incidents as data breaches, then
they are missing their purpose.

There should be no material difference if the personal information was
obtained through a breach or through manipulating and exploiting Facebook’s
data ecosystem. The result is the same – user personal information in
unauthorized hands. The users should have the right to know, and
potentially pursue legal action against Facebook and other involved
parties. The distinction currently drawn by data breach notification laws
between active and passive breaches should be abandoned, because it
provides an incentive for malicious actors to obtain personal data through
social engineering, rather than through hacking.

Just as we expect companies to invest in cybersecurity to prevent
future breaches, we should also expect them to ensure that personal
information is shared only with thoroughly vetted and trusted parties. The best
way to achieve this goal is through direct regulation, amending any data
breach related laws to accommodate that. Unfortunately, the tech industry
has long resisted such regulation, and created the appearance that its own
self-regulation would solve the problem. This has not been effective, since
tech companies do not have the incentive to follow their own regulations,
and these self-regulations only come after crises of the Cambridge
Analytica sort have already occurred. This creates a reality where users’
data is vulnerable, and companies do not seem to take any preventative
measures in response.

This is a call to amend our current data breach notification laws to
encompass personal data obtained through social engineering as a recognized
form of data breach. That would not necessarily mean that companies would
be under obligation to report every personal data leak, but that they will
have to employ measures to prevent manipulation techniques from gaining
access to personal information, and if such techniques are occasionally
successful, that they notify users and consumers in due course, and that
appropriate legal action is authorized to ensure compliance. It is up to
states to make this happen, because the boilerplate corporate “we care
about your privacy” announcements are not working.