There has been quite an argument over the past few days as to whether the political consulting company Cambridge Analytica's obtaining of personal data from more than 50 million Facebook users constituted a “data breach.”
Facebook and various of its executives seem to object to the use of the term “data breach” to describe what happened; Facebook Vice President Andrew Bosworth even stated on Twitter that “This was unequivocally not a data breach. People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. no systems were infiltrated, no passwords or information were stolen or hacked.”
I disagree. There was clearly a data breach.
It is true that, as Bosworth pointed out, “no systems were infiltrated” – but all that means is that there were no systems breached by unauthorized parties; the fact that no systems were breached is irrelevant to the discussion as to whether data remained secure or was breached. In fact, a data breach is normally understood to include any situation in which data that is supposed to be protected is accessed by an unauthorized party (from whom the data is supposed to be protected). If Cambridge Analytica was not supposed to have Facebook’s data, and was not supposed to be using it for political purposes, what, in fact, resulted would appear to be a data breach. (That said, I wonder if the term “data leak” is better than “data breach” in nearly all cases in which the latter language is used.)
The claim that “People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation” but somehow not a data breach is also “a stretch.” People shared their personal information thinking that it was being used for only a psychological survey or by Facebook for targeting advertisements – not that it was going to be sold for use in political campaigns. (As I mentioned previously, it may have been extremely naïve to think this way, but it seems that the parties involved knew and exploited the fact that people would believe so.) Is the Facebook-Cambridge scenario really all that different from a classic social engineering attack in which criminals trick people via “CEO Fraud” into emailing them their organizations’ W2s? The folks sending the W2s also chose to send those items – they just did so under false pretenses. I could cite many other examples – but, ultimately, the fact that an unauthorized party obtained and used 50 million people’s data for a purpose that Facebook would never have authorized translates into a data breach.
For those who feel otherwise, consider the hypothetical scenario in which instead of selling the data to Cambridge Analytica, Aleksandr Kogan, who allegedly collected the data via an app that presented a psychological survey, had sold the data to criminals who used it to steal the identities of 50 million people. Would anyone think that such a scenario does not constitute a data breach? While Cambridge Analytica is alleged to have used Facebook’s data for purposes far less sinister, the purposes for which it used the data, and its method of obtaining the data, still appear to be prohibited by Facebook – meaning that Facebook’s data was breached.
In fact, at a high level, the present data breach is not much different than a classic social engineering attack; at a basic level, someone tricked Facebook into giving him its data when the firm should not have done so. The fact that it is impossible for Facebook to fully audit every single API user may mean that a breach of this nature might be understandable and perhaps even expected, but it does not mean that a data breach did not occur.
Of course, various laws may also define data breaches differently than I did above.
Furthermore, one big question that remains unanswered vis-à-vis this data breach and its size is whether any parties collected Facebook data in a fashion similar to the way that Kogan did – and if any of them may have used the data, or are presently using it, for far more nefarious purposes than Cambridge Analytica would ever consider.