Messaging is at the heart of Facebook’s new business strategy. In fact, Mark Zuckerberg ambitiously stated he is focused on creating a “a privacy-focused messaging and social networking platform.” In practical terms this means pulling WhatsApp, Instagram and Messenger together and offering end-to-end encryption because privacy, according to Zuckerberg’s recent statement on the company’s future strategy, is key.
Facebook’s Unencrypted Passwords
Unfortunately, evidence that Facebook can provide that kind of privacy is in short supply. Late last week for example, citing a Facebook source, KrebsOnSecurity said that hundreds of millions of Facebook users had their account passwords stored in plain text and were searchable by thousands of Facebook employees — in some cases going back to 2012.
Facebook didn’t deny it. Right after the Krebs report was released, the company acknowledged that this had, in fact, happened. Pedro Canahuati, VP engineering, security and privacy at Facebook, wrote in a statement, “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems. This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.”
The statement added — as if this would make it any better — that these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.
This is just the latest in a long series of “mistakes” that belies Zuckerberg’s claims about the importance of security to the company. In respect of the passwords, for example, it is standard to encrypt them through hashing, a cryptographic process that ensures even the owners of the service being offering cannot decrypt the passwords.
Related Article: Facebook: A Case Study in Ethics
Zuckerberg Acknowledges Problems
So what did Zuckerberg say about privacy? Well, he seems to get that Facebook is having problems with its public. “We don't currently have a strong reputation for building privacy protective services, and we've historically focused on tools for more open sharing,” he wrote.
In the future, though, privacy will be guaranteed by developing product-wide encryption. In this respect, he wrote, “I believe working towards implementing end-to-end encryption for all private communications is the right thing to do…in a world of increasing cybersecurity threats and heavy-handed government intervention in many countries, people want us to take the extra step to secure their most private data. That seems right to me, as long as we take the time to build the appropriate safety systems that stop bad actors as much as we possibly can within the limits of an encrypted service.”
Too Little, Too Late?
However, many don’t believe this provides guarantees of privacy. PreVeil, an encryption company, released a statement that argued Zuckerberg didn’t go far enough. The statement reads, “PreVeil firmly believes Facebook did not go far enough with its move. The major problem with Mr. Zuckerberg's blog is that it treats end-to-end encryption as if it needs more time before it is fully baked and can be implemented at his company. The reality is that people don't want to wait for the privacy Facebook describes. They want it today. The enterprise truly needs this level of security to protect its IP and private exchanges.”
Encryption is also only one part of the equation. David Reischer, CEO of LegalAdvice.com, an online service that offers legal advice to people and companies, said that despite recent promises by Zuckerberg to transform Facebook into a private encryption service that takes privacy more seriously, there seems to be very little meaningful efforts at present to protect consumers’ legitimate expectation and right to privacy, the recent password debacle being a case in question. But it goes back much further than recent weeks and companies like LegalAdvice have stopped using Facebook for advertising purposes. “The Cambridge Analytica scandal immediately affected our decision to discontinue use their Facebook advertising program for our business. One year later, our decision seems well founded as Facebook under Mark Zuckerberg leadership has done nothing to assuage any fears that the company has much regard for customer privacy,” Reischer said.
He added that the breach of trust by Facebook for selling customer data in the Cambridge Analytica scandal could have been ameliorated with a stronger response to protect consumer's legitimate expectations of privacy on their platform. The default privacy settings could have been modified to allow consumers more control over protecting their data. “The Facebook 'Terms of Service' could have been modified to allow for explicit agreement and meaningful consent of privacy terms by a user when registering. The Facebook platform could have more easily allowed a user to permanently delete their content and Facebook account if a user had such a desire. None of these measures were implemented,” he said.
Related Article: Think Social Media is Technology? You May Want to Think Again
Privacy Is Not Part of Facebook’s Business Model
The problem according to Gil Isbister, founder of Blis, a mobile location technology company, is that “Facebook has failed to integrate privacy into their business model, and it doesn’t seem like they’ll get there anytime soon. There is a challenge for them when it comes to building consumer trust, as consumers are expressing concerns that tech companies are misusing their data and Facebook has been consistently under heat for it.”
The responsibility is on brands like Facebook to go beyond GDPR regulatory compliance and implement internal, transparent standards that will show consumers that their data is secure and used only with explicit consent.
Their problem highlights the crux of the current transparency issue: Facebook and other companies have been collecting and using consumer data as part of their business model, but they kept consumers in the dark. In 2019, most people have come to understand the value of their data and want a fair exchange. Companies should not be willing to exchange consumer trust for profit, in fact by gaining consumers trust they should expect profits to follow. They need to start over communicating — beyond what they are legally obligated to do — to make sure this tech-lash doesn’t come to them and to ensure the headlines go away.
“This data exchange shouldn’t be buried in terms and conditions that consumers will not look at, they should be front and center. That would make it an honest exchange, which most consumers are happy with,” Isbister added.
This all brings us back to last week’s password issue. This latest lapse at Facebook has left user passwords accessible to 20,000 employees on an internal server, once again highlighting the disconnect between what large enterprises should be doing with their security and what is actually happening. “Enterprises like Facebook hold a ton of data for hundreds of millions of users,” Sherban Naum, senior vice president for corporate strategy and technology at Bromium, said. “Thankfully this wasn’t a breach, but once again raises concerns about how user data is being secured. This is simple server administration. They left an internal facing server with password data on it without protection and available to Facebook employees, putting them at risk of a major insider threat, with password data a lucrative source for cybercriminals willing to pay for that information.”
Events like this are contradictory to the basics of IT security best practices, which Facebook, with its resources and technical expertise, should be more than capable of achieving. However, what appears to be lacking is the will to change and it remains to be seen whether the future Zuckerberg outlined will ever actually emerge.