Senator Mark Warner (D-VA) has issued a stern reprimand to Facebook over today’s revelation that 50 million users had their access token stolen by a hacker. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users” Warner writes. As I’ve said before – the era of the Wild West in social media is over.”
In July, Warner published an expansive policy paper outlining where he believes regulation is necessary for social media companies. He proposes that companies holding large data sets be regulated as “information fiduciaries” with additional consequences for improper security. He suggests requirements for data portability and interoperability that would allow users to export their personal information and use it elsewhere if they were unsatisfied with their treatment by a social media giant. He also recommends applying similar rules in the US to Europe’s GDPR including a requirement that breaches be disclosed within 72 hours of discovery. Notably, Facebook did disclose this hack within that window.
[Update: FTC Commisioner Rohit Chopra has now tweeted that “I want answers” regarding the Facebook hack, further strengthening the possibility that today’s problem will trigger more calls for regulation.] CEO Mark Zuckerberg wrote today that “While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
The breach saw sophisticated hackers combine three Facebook bugs in its video uploader, user profile, and “view as” privacy feature to generate and steal the access tokens that allow users to stay logged into Facebook between sessions. These could be potentially used to take over user accounts. Facebook says there’s no evidence that hackers accessed users’ private messages or posted on their behalf. However, CEO Mark Zuckerberg confirmed on a call with reporters that before Facebook fixed the issue last night, hackers did try to query the Facebook API for users’ names, hometowns, genders, and possibly more.
Facebook has reset the access tokens of the 50 million users impacted plus another 40 million who’d had their accounts viewed through the “view as” tool this year. That means they’ll have to log back into Facebook but won’t need to change their password.
The bugs stem from code pushed back in July, but Facebook only discovered the issue Tuesday afternoon as the hackers tried to scale up the attack to steal more tokens. Facebook patched the issue last night and this morning announced it was investigating, though it currently doesn’t have enough information to determine the source of the attack. It’s already notifed the FBI, as well as the Irish Data Protection office since the breach has GDPR implications.
On a call with reporters, CEO Mark Zuckerberg repeatedly called the problem “serious”. But beyond recounting the steps Facebook is taking to address this breach, he didn’t have a good answer for why users should still trust Facebook with their data.
Always quick to pounce on privacy issues, Warner has become one of the strongeest Democratic critics of the social network. He’s seemingly inherited the position of tech watchdog from former-Senator Al Franken. He’s weighed in on recent social media bias and election interference, Google’s plan to launch censored search in China, White House cybersecurity plans and more. With technology becoming an ever more important and dangerous part of people’s lives, Warner seems to see an opportunity to both protect his constituents and advance his career by demonstrating his expertise and ferocity.
This hack could be by Warner as strong evidence that social media companies like Facebook are not voluntarily doing enough to protect uses’ security and privacy. If regulation around security, portability, and interoperability is enacted, it could cost Facebook money for compliance, slow dow the pace of engineering innovation at the company, and make it more vulnerable to competitors.
Zuckerberg has countered that regulation could actually protect Facebook from disruption by making it tougher for new social networks to build up the data treasure trove it has. He also believes regulation could slow down US tech companies, thereby giving Chinese alternatives an advatange as they battle for international markets like India and Brazil.
Right now, it’s tough for users to easily switch from Facebook to another social network, which insulates Facebook from its PR problems becoming user growth problems. But if ditching Facebook for a competitor becomes simpler, it might force the company to treat its users better.
The Senator Mark Warner’s full statement can be found below:
STATEMENT OF U.S. SEN. MARK R. WARNER
~ On Facebook hack ~
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, released the following statement on the announcement by Facebook that it discovered a security issue affecting almost 50 million accounts:
“The news that at least 50 million Facebook users had their accounts compromised is deeply concerning. A full investigation should be swiftly conducted and made public so that we can understand more about what happened.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.
“This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over.”
To kick start the debate around social media legislation, Sen. Warner in July released a white paper containing a suite of potential policy proposals for the regulation of social media.