Sunday, 13 May 2018

Forbes/Kalev Leetaru: What the Alleged Facebook Stalker Teaches Us About Our Online Privacy


Forbes
May 4
What the Alleged Facebook Stalker Teaches Us About Our Online Privacy
Photo: Gilles Mingasson/Getty Images

By Kalev Leetaru

Earlier this week the story broke that an employee of Facebook’s security team may have used his privileged access to Facebook user data to stalk women online, and that he was apparently not the first. The company fired the individual as soon as the incident was brought to its attention over Twitter and issued a statement that it does not tolerate misuse of the wide-ranging access its employees enjoy to the private and highly sensitive data of two billion people. Yet the incident reminds us just how little control we have over the data we hand over to the private companies in whose walled gardens we live out our online lives.

Most of the specific details regarding the incident remain under wraps and the company has not confirmed whether the individual used his elevated access as a security engineer to access women’s private Facebook posts and messages, but it did not deny the possibility. When reached for comment, a company spokesperson offered only that “we have strict policy controls and technical restrictions so employees only access the data they need to do their jobs — for example to fix bugs, manage customer support issues or respond to valid legal requests. Employees who abuse these controls will be fired,” which certainly seems to suggest the company believes there is at least the potential that private data was misused.

In my own work with data-rich companies both in Silicon Valley and across the world, attitudes towards data protection have varied dramatically. Some operated exclusively on a trust system, where privileged users were granted unrestricted access to all user data with only a rarely checked audit log acting as a check on prohibited behavior. Other companies prized user privacy as sacrosanct, with the technical safeguards to match. One company required that access to user data receive two different approvals and a review of why other alternatives that did not use private data were insufficient. Once granted, access was provided only to the specific pieces of information needed and only for the duration required, with access ceasing immediately thereafter. Some companies restricted access to a designated set of machines that lacked USB ports or external network connectivity and were located in special secured rooms in which all electronic devices from cellphones to digital watches were banned. Some went as far as to have different divisions monitoring each other, with one division watching the audit logs of another to monitor for odd behavior and rotating responsibilities to avoid collusion.
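The stricter regime described above (two distinct approvals, a written justification, access limited to named fields of one account for a fixed window, and every decision logged whether allowed or denied) is easy to state and easy to get subtly wrong in code. The following is an added example in Python, not any company’s actual system and not code from the original article; the employee names, the field vocabulary, the one-hour window and the scenario are assumptions for illustration.

```python
"""Added example: a two-approver, time-bound, field-scoped access broker.

Models the stricter regime described in the text: two distinct approvals, a
recorded justification, access limited to named fields of one account, and an
expiry after which the grant is dead. Names and field vocabulary are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class AccessRequest:
    requester: str
    subject_user: str            # account whose private data will be read
    fields: Set[str]             # e.g. {"messages", "posts"}; nothing else is readable
    justification: str           # why a non-private alternative was insufficient
    ttl: timedelta               # how long the grant lives once approved
    approvers: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Grant:
    requester: str
    subject_user: str
    fields: frozenset
    not_before: datetime
    not_after: datetime


class AccessBroker:
    REQUIRED_APPROVALS = 2

    def __init__(self) -> None:
        self.audit: List[Dict[str, str]] = []   # every decision, allowed or denied

    def approve(self, req: AccessRequest, approver: str, now: datetime) -> Optional[Grant]:
        """Record one approval; return a Grant once two distinct people have signed off."""
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own request")
        if not req.justification.strip():
            raise ValueError("a written justification is required")
        req.approvers.add(approver)          # a set, so the same approver cannot count twice
        if len(req.approvers) < self.REQUIRED_APPROVALS:
            return None
        return Grant(req.requester, req.subject_user, frozenset(req.fields), now, now + req.ttl)

    def access(self, grant: Grant, actor: str, subject_user: str, field_name: str, now: datetime) -> bool:
        """Allow a read only inside the grant's actor, subject, field and time scope; log either way."""
        allowed = (
            actor == grant.requester
            and subject_user == grant.subject_user
            and field_name in grant.fields
            and grant.not_before <= now < grant.not_after
        )
        self.audit.append({
            "ts": now.isoformat(),
            "actor": actor,
            "subject": subject_user,
            "field": field_name,
            "decision": "allow" if allowed else "deny",
        })
        return allowed


def run_scenario() -> Dict[str, object]:
    """Walk one (assumed) request through approval, in-scope and out-of-scope reads, and expiry."""
    t0 = datetime(2018, 5, 1, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    req = AccessRequest("alice", "user:42", {"messages"},
                        "reproduce message-threading bug; synthetic data did not trigger it",
                        timedelta(hours=1))
    out: Dict[str, object] = {}
    out["first_approval"] = broker.approve(req, "bob", t0)           # None: only one of two
    try:
        broker.approve(req, "alice", t0)                             # requester approving herself
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    grant = broker.approve(req, "carol", t0)                         # second distinct approver
    out["granted"] = grant is not None
    later = t0 + timedelta(minutes=10)
    out["in_scope"] = broker.access(grant, "alice", "user:42", "messages", later)
    out["wrong_field"] = broker.access(grant, "alice", "user:42", "location", later)
    out["wrong_subject"] = broker.access(grant, "alice", "user:43", "messages", later)
    out["wrong_actor"] = broker.access(grant, "dave", "user:42", "messages", later)
    out["expired"] = broker.access(grant, "alice", "user:42", "messages", t0 + timedelta(hours=2))
    out["audit_entries"] = len(broker.audit)
    out["denials"] = sum(1 for e in broker.audit if e["decision"] == "deny")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of logging denials as well as allows is that the denied reads (wrong field, wrong account, expired grant) are exactly the events a reviewer in another division would want to see; a log that records only successes hides the probing.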

As a leading online platform based in Silicon Valley, Facebook can be assumed to follow the usual cybersecurity best practices for its technical infrastructure. Yet, like most other companies, the online personas of its employees offer exquisite detail about its operations: the LinkedIn profiles of current and former staff and their Twitter, Facebook and other social media accounts give quite detailed looks at the infrastructure decisions and organizational structures of its key divisions, real-time insight into the struggles it is encountering and glimpses of the directions it is heading. Simply watching the public Twitter and Instagram accounts of key employees, the photos they post as they travel between Facebook outposts, the timing and duration of those visits and which other employees’ trips they coincide with, can yield an incredibly detailed portrait of the company’s internal operations. The occasional selfie taken at a desk, in a conference room or elsewhere on site can expose snippets of code, project code names and even release schedules, while online rants to friends offer numerous clues about unannounced projects.

Such is life in 2018, and it is by no means Facebook-specific. Indeed, even US Government employees in extremely sensitive roles, from aides to top policymakers to military and intelligence personnel, inadvertently live stream a firehose of extremely valuable and immediately actionable intelligence every day without realizing it. Such leaks are hard for companies to address as their workforces grow ever more accustomed to living reality-television lives in which every activity is selfie time and there is no such thing as a secret. Meanwhile their fitness trackers and cellphones broadcast a steady tracking signal of their whereabouts, while their browsing history offers incredible insight into their latest interests.

Putting aside the flood of inadvertent leaks, the question really becomes how companies view the extremely intimate customer data they hold and which their customers believe is private and shielded from human eyes.

Last April, when leaked reports emerged documenting Facebook’s efforts to perform emotional mining on young children in Australia, the company’s response was that the study amounted to unauthorized research by employees who had essentially gone rogue, which the company had not approved and for which it would “undertake disciplinary and other processes as appropriate.” Yet in its official media statement the company adopted far more subdued language, referring to the situation as merely a minor “oversight.”

When a company becomes aware of employees misusing private user data in a way that strictly violates its written policies, it has a choice to make. It can immediately fire the employees involved, profusely apologize and conduct a top down review of its technical safeguards to ensure such a situation never occurs again. Or, like Facebook in this case, it can dismiss the situation as just a simple “oversight” not to be overly concerned about.

This approach to user safety and privacy, in which breaches of written policies regarding the use of private user data are merely “oversights,” is extremely problematic. It creates a corporate climate that normalizes the misuse of data as a non-serious issue, rather than treating it as a severe violation worthy of termination.

When asked in the current case why Facebook’s automated monitoring systems and security auditing procedures did not identify the alleged unauthorized accesses earlier, a company spokesperson offered only the comment above, that employee access is restricted to job-related roles and that those who misuse data will be terminated. Asked again why its systems did not flag this individual’s behavior as suspicious, the company declined to comment further, though it’s worth noting that it did not dispute that data may have been misused.
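The question of why monitoring did not flag the accesses invites a look at what such monitoring would actually have to do. The following is an added example, not Facebook’s tooling and not code from the original article; the JSON log format, the ticket field, the employee identifiers and the sample records are all constructed. It runs two checks over privileged-read records: reads with no support ticket or legal-request reference attached, and one employee returning to the same account’s private data on several distinct days, a pattern a ticket-driven job rarely requires.

```python
"""Added example: two detections over constructed privileged-access audit records.

Rule 1 flags reads with no ticket or legal-request reference attached.
Rule 2 flags one employee returning to the same account on several distinct days.
The log format, field names and sample lines are invented for illustration.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: JSON lines, one privileged read each. Not real records.
SAMPLE_LOG = """
{"ts":"2018-04-20T10:02:11Z","actor":"eng-17","subject":"user:8841","field":"messages","ticket":"SUP-1201"}
{"ts":"2018-04-21T22:15:40Z","actor":"eng-17","subject":"user:8841","field":"location","ticket":null}
{"ts":"2018-04-23T23:01:02Z","actor":"eng-17","subject":"user:8841","field":"messages","ticket":null}
{"ts":"2018-04-24T08:30:00Z","actor":"eng-42","subject":"user:1005","field":"posts","ticket":"SUP-1300"}
{"ts":"2018-04-24T09:00:00Z","actor":"eng-42","subject":"user:1006","field":"posts","ticket":"SUP-1301"}
"""

Finding = Tuple[str, str, str]   # (rule, actor, detail)


def parse(log_text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(records: List[Dict], repeat_days: int = 3) -> List[Finding]:
    """Return findings for unticketed reads and for repeated attention to one account."""
    findings: List[Finding] = []
    days_by_pair: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in records:
        # Rule 1: every privileged read should trace back to a ticket or legal request.
        if not r.get("ticket"):
            findings.append(("no_ticket", r["actor"], f'{r["subject"]}/{r["field"]} at {r["ts"]}'))
        # Collect the distinct calendar days each actor touched each subject.
        days_by_pair[(r["actor"], r["subject"])].add(r["ts"][:10])
    # Rule 2: the same person reading the same account across many days is the stalking shape,
    # even when individual reads look routine.
    for (actor, subject), days in days_by_pair.items():
        if len(days) >= repeat_days:
            findings.append(("repeated_subject", actor, f"{subject} on {len(days)} distinct days"))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:17} {actor:8} {detail}")
```

Neither rule needs the content of what was read; both work on metadata that any access broker already has to record, which is why the absence of such flags is a fair question to put to a platform of this size.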

Putting this all together, companies that wish to take customer data misuse seriously need to treat breaches not as minor “oversights” but as serious situations that demand the same level of action as they give to media leaks. As it stands today, an employee who mentions a forthcoming feature to a reporter before it is officially announced will likely be fired on the spot and companies expend immense resources surveilling and assessing their employees to root out leakers. When it comes to misuse of customer data, however, the reaction is often far more muted, with such breaches viewed as inconsequential minor issues not worthy of substantial attention. Indeed, it appears many such breaches aren’t ever publicly acknowledged. In the end, perhaps the biggest lesson here is that companies must lead by example and foster a culture of treating private data misuse as seriously as they treat media leaks.

Tags: Privacy, Facebook, Technology, Data, Cybersecurity
