SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Zuckerberg admits “we made mistakes” in Facebook data breach
Fri, 23rd Mar 2018
FYI, this story is more than a year old

Following the bombshell that Facebook's data of around 50 million people had been misused to “change audience behaviour”, Facebook founder Mark Zuckerberg has released a statement – in the form of a Facebook post of course.

Just to refresh your memory, Facebook was left reeling after a whistleblower came forward and revealed to major media outlets that the company he worked at, Cambridge Analytica, had used personal information stolen without authorisation to build a platform that could profile US voters in order to target them with personalised political advertisements.

The data came from Aleksandr Kogan, a professor at the University of Cambridge who constructed an app in 2015 to collect information on Facebook users AND their friends. He then shared this data with Cambridge Analytica who later used it to support Trump's presidential campaign.

Allegedly, Facebook discovered this in 2015 and demanded that the parties involved delete the date – but they didn't. Facebook also banned allowing app developers to gather friend data.

Now, Zuckerberg says they've been working hard to understand exactly what happened and to make sure it doesn't happen again.

“We have a responsibility to protect your data, and if we can't then we don't deserve to serve you,” Zuckerberg says in the post.

“The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it.

Zuckerberg says when Facebook learnt last week that Cambridge Analytica may not have deleted the data as they had certified, they immediately banned them from using any of their services.

“Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We're also working with regulators as they investigate what happened,” says Zuckerberg.

“This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.

Zuckerberg says in this case Facebook already took the most important steps a few years ago, but there's more the company needs to do.

“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity,” says Zuckerberg.

“We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well.

Zuckerberg says in the second step they will restrict developers' data access even further to prevent further abuse.

“For example, we will remove developers' access to your data if you haven't used their app in 3 months. We will reduce the data you give an app when you sign in -- to only your name, profile photo, and email address,” says Zuckerberg.

“We'll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data. And we'll have more changes to share in the next few days.

And third, Facebook will endeavour to make sure users understands which apps they've allowed to access their data.

“In the next month, we will show everyone a tool at the top of your News Feed with the apps you've used and an easy way to revoke those apps' permissions to your data. We already have a tool to do this in your privacy settings, and now we will put this tool at the top of your News Feed to make sure everyone sees it,” says Zuckerberg.

“Beyond the steps we had already taken in 2014, I believe these are the next steps we must take to continue to secure our platform. I started Facebook, and at the end of the day I'm responsible for what happens on our platform. I'm serious about doing what it takes to protect our community.

Zuckerberg says while this specific issue with Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past.

“We will learn from this experience to secure our platform further and make our community safer for everyone going forward,” says Zuckerberg.

“I want to thank all of you who continue to believe in our mission and work to build this community together. I know it takes longer to fix all these issues than we'd like, but I promise you we'll work through this and build a better service over the long term.

Facebook is set ‘crack down on platform abuse' with a number of new features, including:

  • Investigate all apps that had access to large amounts of information before they changed the platform in 2014
  • Inform people that have been affected by apps that have misused their data
  • If someone hasn't used an app within the last three months, the app's access to their information will be turned off
  • Data that an app can request without app review will be restricted
  • Encourage people to manage the apps they use
  • Expand Facebook's bug bounty program