“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” Mark Zuckerberg wrote that in a Facebook post on March 21, at the height of the furor over Cambridge Analytica’s use of ill-gotten personal information from Facebook users to help in its work for political campaigns, possibly including Donald Trump’s.
On Friday, Facebook announced a massive security breach—probably the most significant in its history. Taking advantage of three separate bugs in tandem, hackers gained full control of at least 50 million users’ Facebook accounts. That meant that, in theory, the hackers could do just about anything with those accounts: post status updates as you, download your photos, send messages to your friends, download your friends’ nonpublic photos, and much more. Facebook confirmed later on Friday that the breach would have also given hackers access to users’ accounts on third-party apps and websites for which they used their Facebook credentials to log in.
Facebook executives said in a call with reporters Friday afternoon that the company had learned of the attack on Tuesday, notified law enforcement on Wednesday, and had fixed the bugs by Thursday night. But Facebook doesn’t know yet who the hackers were, what they were after, or what they planned to do with any information they might have stolen.
We should learn more in the coming days and weeks about the extent of the breach and the nature of the damage. No doubt the company is investigating it urgently and sincerely. Unlike some other companies that have been the subjects of huge data breaches in recent years, Facebook has always had a reputation for taking infosec seriously. That it hasn’t suffered more breaches like this before now (that we know of), given what an attractive target it presents to hackers, is a tribute to its efforts.
But this attack was so sophisticated that Facebook’s vice president of product, Guy Rosen, said “we may never know” who perpetrated it. That’s a stunning admission of helplessness from one of the richest and most powerful companies in the world. And while it’s impressive that the hackers managed to find and exploit three previously unpublicized security holes, it’s also worrying that Facebook had so many bugs to exploit. (The key that opened the door was a bug introduced in July 2017 via a feature that encouraged users to upload “Happy Birthday” videos.)
Oh, and why was it Rosen taking questions, and not Facebook’s chief security officer? Because Facebook’s widely respected chief security officer, Alex Stamos, announced during the Cambridge Analytica scandal that he was stepping down—and Facebook opted not to replace him.
There was something else that Facebook couldn’t say on Friday: why its users should still trust it.
CEO Mark Zuckerberg was asked versions of that question twice, first by the New York Times’ Mike Isaac and later by Recode’s Kurt Wagner. He evaded it both times.
“This is a really serious security issue, and we’re taking it really seriously,” Zuckerberg replied to Isaac, who had brought up the CEO’s March statement about Facebook not deserving users’ trust if it couldn’t protect their data. Zuckerberg proceeded to ramble a bit about the need to “keep on investing heavily in security” and “be more proactive about protecting our community.” Then he turned to the next reporter.
A few minutes later, Wagner asked point-blank, “Why should users continue to trust you with their personal information?”
Again, Zuckerberg had nothing. “This is a serious issue and we’re very focused on addressing it, which is why we patched the vulnerability and kind of taken additional security measures,” he said. Perhaps sensing that wasn’t enough, he hesitated, then dredged up a familiar talking point about how “security is an arms race, and we’re continuing to improve our defenses.” Facebook has “a lot of talented people working on this and, I think, doing good work,” he added, unconvincingly. “This is going to be an ongoing effort, and we’re going to need to keep focusing on this over time.”
It was the desultory, defeated defense of a man who has broken a promise, made an even more outlandish promise in order to extricate himself from trouble, and then broken that promise too. At this point, there just isn’t much else for Zuckerberg to say.
Security may be an arms race, and Facebook may be fighting it the best it can without compromising its relentless pursuit of personal data to fuel its targeted-advertising business. But in a jarring sign of its true priorities, a Gizmodo report this week revealed that Facebook took phone numbers that users had provided for security purposes and used them for its advertising business.
What Zuckerberg couldn’t offer on Friday was a compelling case for why users should still feel safe storing big chunks of their personal information behind Facebook’s defenses. Because Facebook’s business model relies on collecting and storing sensitive data about more than 2 billion people around the world, it will always be a target. And it’s clear now that Facebook’s barricades are not impregnable. Which shouldn’t be surprising for a company that built its offices on a road it called “Hacker Way” and that long harbored the unofficial motto “Move fast and break things.”
As Zuckerberg fumbled for talking points, the real answer to the reporters’ questions hung unspoken, yet unmistakable: Users probably shouldn’t trust Facebook with their personal data. And, in a perfect world, Facebook probably wouldn’t deserve to keep serving them.
Of course, hundreds of millions of people will keep using Facebook anyway because the social network has become so dominant, and so embedded in modern life, that they don’t have a lot of other options. (Recall that two of the other largest social utilities, WhatsApp and Instagram, are both owned by Facebook—and Facebook has been tightening its control over them.) And Facebook will keep serving those users, because it is still a giant business, and there are piles of money still to be made.