2 October 2018

How Serious Is the New Facebook Breach?

By Evan Osnos

At Facebook headquarters, in Menlo Park, California, no tour is complete without the story of the big sign at the front gate: when Mark Zuckerberg, the founder and C.E.O., moved his company to the site, in 2011, he did not remove the sign of the former tenant, Sun Microsystems. In the nineties, Sun had been a giant so dominant that it considered buying Apple, but Sun later sank into a long fadeout, and it was acquired by Oracle, in 2009. Zuckerberg turned Sun’s sign around and fastened Facebook’s name to the other side—a reminder to himself and his employees that success is fragile.


On Friday, Facebook disclosed the largest security breach in its fourteen-year history, in which an unknown hacker, or hackers, acquired the power to log in to almost fifty million accounts. Unlike previous data leaks, such as the Cambridge Analytica scandal, in March, this is the first known instance in Facebook’s history of hackers stealing millions of “access tokens,” the keys that allow them to take over an account, including information that users bar from the public. As a result, hackers were also able to gain control of accounts on many other sites, such as Spotify, because users often log into them with Facebook credentials. The attackers exploited a gap in the code around a feature known as “View As,” which lets people see how their profile appears to others. In addition to the tens of millions of accounts that were compromised, Facebook also forced another forty million users to log back into the service, because they used the “View As” feature recently and might have been compromised.

Much about the attack, which the company discovered on September 25th, remains a mystery. Though the company said the breach did not include credit-card data, it has yet to determine who was targeted, the full impact, the motive, and whether the data in the accounts was misused. “We also don’t know who’s behind these attacks or where they’re based,” Guy Rosen, Facebook’s vice-president of product management, wrote in a post.

The hack is the latest episode in nearly two years of controversy, including the spread of “fake news” and Russian propaganda during the 2016 election, and the platform’s role as a catalyst of violence in Myanmar, Sri Lanka, and other countries. In August, when I interviewed Zuckerberg for a Profile, he acknowledged that the company has become particularly vulnerable to criticism because “we shouldn’t be making the same mistake multiple times.” Even before the announcement of the record breach, the company was under investigation by the Federal Trade Commission, the F.B.I., and other agencies for its role in the Cambridge Analytica scandal, in which a political consultancy gained private data on eighty-seven million Facebook users.

The latest hack is likely to heighten calls for regulation and complaints that Facebook is a monopoly. Senator Mark Warner, a Democrat of Virginia, who has led the push for tougher oversight, called for a “full investigation.” In a statement, he called the hack “a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.” In a tweet, Rohit Chopra, an F.T.C. commissioner, issued a terse message to the company: “I want answers.”

Beyond the calls for regulation, Facebook’s larger, more confounding task may be stemming a loss of public confidence. In a January poll by Honest Data, a polling-analysis firm, twenty-seven per cent of those surveyed said Facebook is having a “negative impact on society,” worse than McDonald’s and Walmart. In Europe, the tide has turned against Facebook more sharply. In April, after Zuckerberg testified in Congress, The Economist mocked his defenses (“the dorm-room excuse is wearing thin”), and warned that Facebook’s “endless guff about ‘community’ counts for little when it has repeatedly and flagrantly disregarded its users’ rights to control their own data.”

Not long after Zuckerberg’s testimony, Facebook launched the largest ad campaign in its history, including prime-time-television spots with gentle piano music, home-video clips, and a narrator who said, “We had to deal with spam, clickbait, fake news, and data misuse. That’s going to change.” But the ads fell flat. Fast Company wrote, “The company punted on the opportunity to take any real responsibility for its actions.” In July, a British parliamentary committee examining Russian fake news accused Facebook of dodging questions “to the point of obstruction.” Damian Collins, the panel’s chairman, said people are “realizing they themselves are the product, not just the user of a free service.”

As public frustration has grown, the mood inside Facebook has been, on the whole, sanguine. Executives and rank-and-file employees often say they understand the complaints but also believe that the company is unfairly scapegoated by those (especially journalists) who are troubled by technology or by the outcome of the 2016 election. Executives are confident that they are taking the steps that will solve the company’s problems, as they have over its fourteen-year history. But a Facebook breach today means more than a Facebook breach five or ten years ago, not only because the company has grown so dramatically but also because of the cumulative effect. Isolated problems that might be dismissed as inevitable acquire greater meaning and consequence in the context of a pattern of missteps.

In the days and weeks ahead, Facebook will be judged only partly on its technical response, and its inevitable pledges and initiatives; more important, it will be judged on its actual steps to manage the collection and protection of user data. Zuckerberg, who chose to keep the Sun Microsystems sign on campus, knows that no company can afford to assume its primacy will endure. In the early nineteen-eighties, Atari appeared to be such an indomitable force that the makers of “Blade Runner,” the 1982 dystopian drama, covered their imaginary future landscape with Atari signs. (The company later faded alongside Yahoo, AOL, Sun, and other erstwhile giants.)

In a post, on Friday, about the hack, Zuckerberg adopted a careful line between confidence and concern: “While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk,” he wrote, “the reality is we need to continue developing new tools to prevent this from happening in the first place.”
