[BreachExchange] Congress Scrutinizes Facebook Health Data Privacy Complaint

[Destry Winant]

https://www.databreachtoday.com/congress-scrutinizes-facebook-health-data-privacy-complaint-a-12038

In the latest privacy controversy involving Facebook, a Congressional
committee is demanding the social media giant provide answers
concerning a complaint filed with the Federal Trade Commission
alleging misleading practices involving consumers' personal health
information.

That complaint also called attention to an incident when a security
researcher was able to download the names and other personal
information of over 10,000 cancer patients who were participating in a
Facebook health group.

In a letter sent Tuesday to Facebook CEO Mark Zuckerberg, House Energy
and Commerce Committee Chair Frank Pallone, D-N.J., and Consumer
Protection and Commerce Subcommittee Chair Jan Schakowsky, D-Ill.,
demanded a staff meeting no later than March 1 to discuss with
Facebook issues raised by the recent FTC complaint, "so we can better
understand Facebook's practices with respect to so-called closed and
anonymous groups."

"Despite the indications that the groups were private and anonymous,
people and companies who should not have been admitted to these groups
gained access to them and to lists of group members."
—Energy and Commerce Committee

The complaint at the center of the latest Congressional inquiry into
Facebook was filed in December but made public this week. It alleges
that Facebook has been misleading its users regarding the private or
anonymous nature of "closed" Facebook groups.

The complaint, filed by security researcher Fred Trotter and members
of a Facebook health group, alleges that the company misleads users
about how their personal health data is being shared, used and curated
in Facebook Groups and that Facebook's practices are unfair.

It also argues that the Facebook Groups platform "should be regulated
as a personal health record" under FTC rules.

Series of Allegations

The complaint lists a series of allegations against Facebook
concerning its privacy and business practices.

According to a timeline included in the complaint, a member of a
Facebook health group in March 2018 discovered that she had the
ability to download the membership list of "closed" or "public"
Facebook groups using a Chrome web browser extension called
grouply.io.

The Facebook member reached out to security researcher Fred Trotter to
discuss her concerns. In April 2018, using grouply.io, Trotter
downloaded the names for the entire membership list - which included
over 10,000 names - of a Facebook group.

"All members of this group are positive for the BRCA cancer mutation,"
the complaint notes. "Most of the names on the downloaded list include
email addresses, city of residences and employers of the women who
participate in the Facebook closed group."

On May 29, 2018, in accordance with Facebook's responsible disclosure
policy, Trotter and other patient community members submitted a report
to Facebook about the vulnerability allowing the download of personal
information from the Facebook site. They dubbed the vulnerability
Strict Inclusion Closed Reverse Lookup Attack, or SicGRL, calling the
problem, "a life-threatening vulnerability in the Facebook privacy
architecture," the complaint notes.

Personal Health Record?

The report to Facebook claimed that Facebook's group product counted
as a personal health record under FTC rules, "and explicitly reminded
Facebook that the breach notification rules and deadlines apply," the
FTC complaint notes.

By June 12, 2018, "the 10 business day deadline for reporting the PHR
breach to the FTC passed," the complaint notes. On June 20, 2018,
Facebook responded to the SicGRL report submission, indicating that
its security team would not "commit to fixing the problem and did not
acknowledge the issue as a privacy or security vulnerability."

No member of the redacted Facebook group received a notice that
Trotter downloaded their real names and the fact that they are BRCA
positive, the complaint to FTC states.

On June 29, 2018, members of the Facebook group discovered that
Facebook group membership is no longer "world readable," the complaint
notes. "This change means that although SicGRL is still a problem, it
is no longer trivial to exploit at scale," according to the complaint.

Because the vulnerability could no longer easily lead to "a
mass-casualty event," Trotter and a member began discussing the
problem with the news media in late June 2018, the complaint notes.
And then in July 2018, Facebook publicly denied that a privacy breach
had occurred, the complaint adds.

In addition to the alleged breach, the complaint also claims that
Facebook is not transparent about how users are targeted for
advertising and for invitations to join certain medical support
groups, and how their health data could be accessed by others once
they join those groups.

A Significant Hurdle

Privacy attorney David Holtzman, vice president of compliance at
security consultancy Cynergistek, says the complaint raises surprising
allegations that Facebook is operating a PHR.

"From a consumer's perspective, it seemed like a good idea to have a
portal that allows for entry of identifiable information to be shared
with a select group of other consumers," he notes. What those
consumers did not expect, however, was that Facebook would allow the
data to be disclosed to third parties or assembled into a broader,
expansive personal profile of the consumer, he adds.

"The consumers face a significant hurdle in making the connection that
the Facebook Groups product meets the definition of a PHR," he argues.
"If the FTC finds these products are a PHR, then it is more likely
that Facebook had an obligation to assess if the data had been
compromised, and to carry out breach notification [under FTC's Health
Breach Notification Rule] if it knew or should have known a breach had
occurred."

The separate HIPAA Breach Notification Rule would not apply to
Facebook because it is not a covered entity or a business associate to
a covered entity, he notes.

Unauthorized Disclosures

In the letter to Zuckerberg, the Congressional committee writes that
the FTC complaint notes "that health information of certain Facebook
users may have been exposed, leading to countless unauthorized
disclosures of personal health information, harassment and a risk of
discrimination."

According to the complaint filed with the FTC, "Facebook's algorithms
used personal information it collected from Facebook users to suggest
and even solicit members of online support groups for a variety of
medical conditions," the committee writes. "These groups were called
closed groups and often had the word 'anonymous' in their name,
suggesting that information shared within the group and even
membership in the group would be private."

The complaint states that users of these groups "shared deeply
personal health information, such as information about substance use
disorders, about the challenges of parenting transgender children, HIV
status, and past history of sexual assault," the committee letter
says.

"Despite the indications that the groups were private and anonymous,
people and companies who should not have been admitted to these groups
gained access to them and to lists of group members," the committee
letter states.

"People used the member lists and other information from these groups
to target and harass members of the groups. Insurance companies may
have used information from these private groups to make decisions
about insurance offerings for group members."

Lack of Transparency

The consumer complaint raises a number of concerns about Facebook's
privacy policies and practices, the committee's letter adds.

"Facebook's systems lack transparency as to how they are able to
gather personal information and synthesize that information into
suggestions of relevant medical condition support groups. Labeling
these groups as closed or anonymous potentially misled Facebook users
into joining these groups and revealing more personal information than
they otherwise would have," the letter notes.

In addition, the letter states, "Facebook may have failed to properly
notify group members that their personal health information may have
been accessed by health insurance companies and online bullies, among
others."

Facebook and the Energy and Commerce Committee did not immediately
respond to Information Security Media Group's requests for comment on
the allegations.

The FTC confirmed to ISMG that it received the complaint but declined
to comment.

Other Battles

Meanwhile, Facebook reportedly is continuing to negotiate a massive
proposed settlement with the FTC over other privacy failures (see:
Report: Facebook Faces Multibillion Dollar US Privacy Fine).

FTC staff have discussed a fine of up to $5 billion against Facebook,
The Wall Street Journal reports.

Facebook's practices are also facing harsh criticism from regulators
in other countries.

For instance, a final report issued by the U.K. Parliament's Digital,
Culture, Media and Sport Committee on Monday accuses Facebook of
actively attempting to block efforts to understand how its targeted
advertising ecosystem functions, acting as if it has a monopoly on
personal information and generally behaving "like 'digital gangsters'
in the online world, considering themselves to be ahead of and beyond
the law." (See: Facebook Smackdown: U.K Seeks Digital Gangster
Regulation).

In addition, Germany's competition authority has said that it wants to
see "an internal divestiture of Facebook's data," so that users have
meaningful input into how the social media company uses their personal
information (see: German Antitrust Office Restricts Facebook Data
Processing).