Facebook leaks redux

A regulatory regime such as the General Data Protection Regulation must be in force beyond the EU

October 30, 2018 12:15 am | Updated 10:36 am IST

APRIL 8, 2018: A cracked phone with the Facebook app loading sitting on a laptop. The social media giant has been in hot water for privacy troubles.

Barely six months after the Cambridge Analytica-Facebook data theft scandal, the world’s largest social network hit the headlines once again following yet another data breach that affected millions of users.

In late September, Facebook announced that it had discovered a security breach that had compromised nearly 50 million accounts. The figure was subsequently revised to 30 million. Hackers had reportedly exploited flaws in the code for the ‘View As’ feature, which lets users see what their own profile looks like to someone else, to steal “access tokens”. By stealing them, the hackers were able to serially take over people’s accounts.

While Facebook claims to have fixed the bug and reset the logins of all those affected, the episode has done little to restore people’s confidence in Facebook’s seriousness when it comes to protecting their data. It is also unclear how much personal data have been stolen, and how that data may end up being used in ways that could harm Facebook users.

 

Incidentally, tech commentators have speculated that it was the European Union (EU)’s General Data Protection Regulation (GDPR), which came into force this May, that forced Facebook to go public with the breach so promptly, even before the full extent of the damage could be assessed. The GDPR’s stringent guidelines require companies to make such events known within three days of their discovery.

In general, citizen-consumers have had to choose between two equally unsatisfactory options: either resign themselves to a post-privacy world or be perpetually scrambling to reskill themselves in order to be able to safely navigate the complicated and ever-evolving (mine)field of data privacy and safety.

Following the latest data breach, there were numerous articles educating users on how to secure their Facebook account and data from hackers. But should the onus of securing data be put primarily on the users, with hardly any criminal liability for the platform? After all, this is not a ‘parking at owner’s risk’ scenario, where, after a break-in, one still had some recourse in the form of the local police. In the case of tech behemoths such as Facebook and Google, the power asymmetry vis-à-vis the ordinary user is so astronomical as to render the very notion of redress laughable.

But this could soon change, thanks to the GDPR stick being wielded by the EU. Facebook faces a potential penalty of €20 million or 4% of its global revenue (whichever is higher) if the EU regulator investigating the data breach finds a GDPR violation in connection with the incident. If data security for ordinary users is to become something more than a seminar topic, then an equitable regulatory regime such as the GDPR must become the universal norm, in force beyond the EU jurisdiction as well.

The writer is the Social Affairs Editor of The Hindu
