Facebook hack: Did Zuckerberg learn anything from Cambridge Analytica case?

An even bigger data breach suggests it didn't.

It’s been barely six months since Mark Zuckerberg appeared before Congress and promised lawmakers and the American public that he and Facebook, the company he founded and leads today, would do better. “This episode has clearly hurt us,” Mr. Zuckerberg said. “We have to do a lot of work about building trust back.”

The episode he was referring to was the revelation in March that Cambridge Analytica, a political consulting firm connected to the Trump campaign, had harvested the sensitive data of as many as 87 million Facebook users without their explicit permission. That scandal rocked Facebook, sending the company’s stock price spiraling. Mr. Zuckerberg himself lost nearly $11 billion.

Since Mr. Zuckerberg’s testimony, lawmakers have done little to nothing to better regulate technology platforms like Facebook and hold them more accountable for suspect practices. But there’s also little evidence that Facebook, and Mr. Zuckerberg, has taken his pledge to Congress as seriously as once hoped either: Facebook announced late last month the biggest data breach in its history, affecting nearly 50 million user accounts. In the same week, the news site Gizmodo published an investigation that found Facebook gave advertisers contact information harvested from the address books on their users’ cellphones.

Equally worrisome from Gizmodo’s report: Facebook is also giving advertisers phone numbers that users have provided solely for security reasons. Security experts generally advise users to add two-factor authentication to their accounts, which sometimes takes the form of providing a phone number to receive text messages containing log-in codes. It’s ironic — two-factor authentication is supposed to better safeguard privacy and security, but these phone numbers are winding up in the hands of advertisers.

While the Cambridge Analytica scandal engulfed Facebook in a firestorm of controversy, this time the company effectively got a free pass from a nation fixated on Brett Kavanaugh and his turbulent Supreme Court confirmation. Still, with consequential midterms less than a month away, this latest string of Facebook privacy failures is a discouraging reminder of how much potential there is for things to go terribly wrong — again —  during those elections. It’s not just about user privacy, it’s a sign of how well Facebook is poised to handle sophisticated foreign disinformation campaigns, and where its priorities lie.

The seriousness of Facebook’s most recent data breach ranks it among one of the most egregious in the history of Silicon Valley. A weakness in Facebook’s code allowed hackers to gain access into other people’s accounts, and potentially control not only the Facebook profiles but any services that those users logged into using Facebook — Instagram, Spotify and Tinder, for example.

The breach originated from three bugs in Facebook’s code. At least one was introduced over a year ago; it’s still not clear when the other two became part of the code. Information security is a difficult problem: A company might do the right thing every time and still be successfully attacked. But one of the reasons Facebook’s breach is so concerning is the company’s footprint in the lives of so many people — 2.2 billion and counting. Facebook has sought to find ways into as many aspects of people's lives as possible, becoming the recipient of a glut of data and the implicit trust of its users. The company has been careless with that trust — and is still being careless.

Speaking before Congress and in other public statements, Mr. Zuckerberg has been upfront about being caught unaware of the influence his company can have in ordinary people’s lives, whether that influence is in determining election outcomes or sparking real-life violence in places like Sri Lanka and Libya. And perhaps nobody fully understands that power — academics and experts are still piecing together the puzzle of how advertising systems honed on personal information can enable foreign propaganda campaigns, and to what extent this phenomenon affects democratic elections. It may be a long time before it all becomes clear. (In the meantime, falsehoods about Judge Kavanaugh’s accuser Christine Blasey Ford are going viral on Facebook). In response to such concerns, Facebook has set up a “war room” in its headquarters to monitor potential foreign influence campaigns during elections.

But the latest disclosures are far from reassuring. In late September, the war room was still under construction. With less than a month to go before the American midterms, is Facebook really ready for its next big test?

The New York Times Service