Recently-leaked Document Reveals Serious Data Privacy Issues Still Exist at Facebook
by Reese Kimmons, MS ISA
It doesn’t appear that much has changed over the past few years with regard to Facebook’s ability or willingness to do what’s necessary to protect its subscribers’ personal data.
A recently-leaked internal document revealed that it could take years for Facebook engineers to even learn all the ways the data collected is being used, not to mention how it should be secured.
In 2018, Mark Zuckerberg, Facebook co-founder and the CEO and controlling shareholder of Facebook’s parent company Meta, made some commitments to his social media subscribers regarding privacy and the protection of their personal information.
The contents of the leaked document raise questions about whether steps have been taken to honor those commitments.
Facebook has a history of failure with data privacy
When it comes to protecting users’ personal information, Facebook has a less than stellar history.
You may recall the Cambridge Analytica scandal that made big news several years ago. In 2013, a company called Global Science Research developed a seemingly harmless quiz app that posed a series of questions designed to collect personal data and build psychological profiles on the quiz takers.
This app was used to construct profiles on an estimated 87 million Facebook subscribers. The data collected was then utilized by Cambridge Analytica for political purposes relating to elections in both the U.S. and U.K.
When the scandal came to light, U.S. federal agencies including the Federal Bureau of Investigation, the Securities and Exchange Commission, and the Federal Trade Commission launched investigations into the misuse of Facebook subscribers’ personal data.
In the end, Facebook agreed to pay a fine of $5 BILLION. Cambridge Analytica shut down its operations.
Zuckerberg’s post-scandal commitments
In 2018, Mark Zuckerberg finally broke his public silence regarding the Cambridge Analytica scandal by posting the following message on Facebook:
“We have a responsibility to protect your data, and if we can’t we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again.”
Zuckerberg also pledged that he would stop allowing application developers to access Facebook’s user data and would reduce the amount of personal information being provided to third parties. He further committed to an audit of all apps that had access to user data prior to 2014.
So, based on Zuckerberg’s commitments and the amount of time that has passed since he made them, one could logically conclude that Facebook has gained more knowledge about what user data is being collected, who has access to it, and how it’s being used.
One might also hope that they’ve put this knowledge to use to better secure the personal information of Facebook subscribers.
Facebook’s attitude to personal data (from leaked documents)
A number of nations around the world are enacting legislation designed to protect the sensitive personal data collected by sites like Facebook.
Upon learning about development of this new legislation and some of the details thereof, Facebook engineers responded by drafting a 15-page document. This document has now been leaked by concerned whistleblowers.
In it, they admit that the social media platform will be unable to comply with the new regulations if and when they take effect.
In the document’s executive summary, the authors stated,
“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’”
The engineers go on to state that “this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation.”
This is worth restating. Facebook’s own engineers admit they can’t control or explain how their systems use the data they collect and store, and thus they can’t comply with regulations included in the new privacy legislation.
The leaked document also states that Facebook personnel will need considerable time “to gain control over how our systems ingest, process and egest data.”
So how long do the engineers estimate that they’ll need to address these issues? They wrote that it “will require additional multi-year investments.”
It’s already been about four years since Zuckerberg made his commitments to Facebook users in the wake of the Cambridge Analytica investigation. It’s simply not good enough.
Will new privacy regulations affect Facebook?
If, as seems inevitable at this point, Facebook is unable to comply with the new privacy laws when they become effective, the nations enacting those statutes could block their residents’ access to the social media platform.
Facebook die-hards will, however, still be able to get to the site by using a VPN application to make it appear as though they are located in countries that still allow access.
Are you now ready to delete your Facebook account?
You can delete your Facebook account by doing the following:
- Click the down arrow in the upper right of your main profile window
- Click Settings & Privacy, then Settings
- Click Your Facebook in the left column, then click the View option for Deactivation and Deletion
- Click Delete Account, then Continue
- Click Delete Account again, enter your password, and click Continue to begin the deletion process
Note that, if you log back into your Facebook account within the 30 days following submission of your deletion request, your request will be canceled and you’ll have to go through the entire process again.
If you want to download a copy of all your data before you delete your Facebook account, you can follow FB’s directions here.
I question whether deleting your account will, in fact, remove your data from Facebook’s servers and stop them from using it.
If, as the leaked document states, they can’t adequately control or explain what their systems do with your information, how can they know every location where it’s stored and ensure that it gets removed?
We have prepared a more in-depth article on how to delete (or deactivate) your Facebook account here.
Social media sites and other data grabbers have been very successful at developing their technologies faster than governments can enact legislation to limit their use when it adversely impacts consumers and their privacy.
And, unfortunately, we seem to have short memories when it comes to incidents like the Cambridge Analytica scandal and the commitments made after it came to light.
Some have simply given up and stopped trying to protect their personal information.
Bear in mind that, whenever you share your personal data online, you essentially lose control over what happens to it.
To assist you in deleting your personal data and removing yourself from social networks and other platforms, we have prepared the following guides:
- How to delete your Instagram account
- How to delete a Reddit account
- How to delete a Tumblr account
- How to delete a Telegram account
- How to delete a Twitter account
- How to delete your Snapchat account
- How to delete your Google Search History
- Alternative messaging apps to consider, other than WhatsApp
- Best private search engines
- Making Chrome Incognito mode truly private
Even if a site has strict security and privacy policies and enforces them, you usually have no way of knowing whether that site has implemented sufficient security controls to protect your information from hackers.
Be careful about what you share. If a site like a social media platform asks for personally identifiable information (PII) such as your date of birth or home address, simply lie whenever possible.
Don’t take online quizzes as they are often designed to extract information and build a personal profile that will then be shared out.
This is true regardless of how harmless the questions in the quiz may appear to be. Remember, the Cambridge Analytica scandal began with a quiz app and negatively impacted an estimated 87 million people.
And apparently, if it’s Facebook, they might not even know how they’re doing it.
If you’d like to read the 15-page leaked Facebook document in its entirety, you’ll find it posted at DocumentCloud.org. You can also download a copy there and send it to your Facebook-using family and friends along with a link to this article.
About the Author:
Reese Kimmons is an experienced IT executive with an AAS in Applications Programming, a BS in IT Management and an MS in Information Security and Assurance. During his time in the IT industry, Reese has earned certifications in ethical hacking, forensics investigations, ISO/GIAC, and Cisco networking.