Facebook ‘failed to protect users’
BRITAIN: The Facebook leak to Cambridge Analytica was ‘‘worse than a data breach’’ because the company failed to safeguard users even after it understood the risks, a whistleblower says.
Sandy Parakilas, 38, worked at Facebook in 2011 and 2012, two years before the data of 50 million users was obtained by a Cambridge University researcher and shared with the British data and consulting firm in violation of Facebook’s terms.
Parakilas told British MPs that he had warned senior executives at the social media giant that poor safeguards could enable ‘‘foreign powers’’ or data brokers to harvest users’ data without their consent.
Speaking by video link, he told members of the digital, culture, media and sport committee that Facebook had not acted on his concerns before the leak.
He said the company’s previous practices, which permitted software developers to access the data of users and their friends, were ‘‘far outside the boundaries of what should have been allowed’’.
He added that the company had failed to properly investigate a number of other reports of data misuse, suggesting that it had turned a blind eye due to the fear of incurring legal liability.
Breaking five days of silence, Facebook CEO Mark Zuckerberg yesterday apologised for a ‘‘major breach of trust’’, admitted mistakes and outlined steps to protect user data.
‘‘I am really sorry that happened,’’ Zuckerberg said in an interview with CNN. Facebook had a ‘‘responsibility’’ to protect its users’ data, and if it failed, ‘‘we don’t deserve to have the oppor- tunity to serve people’’, he said.
In a Facebook post, Zuckerberg said the company would ban developers who did not agree to an audit. An app’s developer would no longer have access to data from people who had not used the app in three months. Data would also be generally limited to user names, profile photos and email addresses, unless the developer signed a contract with Facebook and obtained user approval.
In a separate post, Facebook said it would inform people whose data was misused by apps.
Parakilas has told The Observer that there was no control of data once it left the company’s servers.
He told the select committee that he did not remember ‘‘a single physical audit of a developer’s storage’’ after reports of data misuse.
When Facebook stopped allowing developers to access data on the ‘‘friends’’ of users, it had acted to prevent rival social networks from obtaining their details, Parakilas said.
‘‘Facebook didn’t want its data to go to data brokers, but their primary motive was to motivate the huge ecosystem of apps in the fastest way.
‘‘There were people like me saying it could go to data brokers; I think it was a risk they were willing to take.
‘‘I think it was well understood both internally and externally that there was risk with the way [it] was handling data.’’
Parakilas also criticised Facebook for failing to notify users, sue Cambridge Analytica or call in law enforcement after reports that the British firm used the data to target voters. Instead, it continued to accept Cambridge Analytica’s assurances that it had destroyed the records obtained without consent.
Facebook has denied reports that users were victims of a data ‘‘breach’’, saying the data was obtained by the researcher, Aleksandr Kogan, in line with its own terms and conditions.
‘‘Users had no idea that this had happened. Their data was compromised in the same way as it would have been during a technical breach,’’ Parakilis said.
Massachusetts Institute of Technology researchers warned yesterday that while Facebook has made it harder to gather users’ data since 2014, software developers could still harvest large quantities of data without users’ permission or knowledge. In a blog post, they added that ‘‘such activity can be made difficult to distinguish from ordinary’’ browsing. – The Times, AP