This article originally appeared in Threatpost on July 25, 2018
Facebook’s outgoing chief information security officer Alex Stamos has urged the social media company to rethink its approach to data privacy.
The executive, whose exit has been widely reported on for months, wrote an internal note to staff that called for changes in how Facebook approaches data collection and consumer privacy. The memo, titled “A Difficult Week,” was dated March 23 – not long after news first broke of Facebook’s Cambridge Analytica scandal.
“We need to build a user experience that conveys honesty and respect, not one optimized to get people to click yes to giving us more access,” Stamos wrote in the memo, which was obtained and first reported on by Buzzfeed News, Tuesday. “We need to intentionally not collect data where possible, and to keep it only as long as we are using it to serve people. … We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world.”
The note was sent following the disclosure in March that third-party Facebook app Cambridge Analytica had harvested data of 87 million unknowing users, and a New York Times report that Stamos would leave the company at the end of the year.
The FTC, Securities and Exchange Commission, FBI and the Department of Justice are currently investigating the social media giant, according to reports.
More recently, Facebook announced Friday it suspended yet another analytics firm due to concerns about the collection and sharing of data. The company is launching an investigationinto whether Boston-based Crimson Hexagon’s collection of public user data was a violation of its policies concerning using data for government surveillance. So far, Facebook said that it has not found evidence that Crimson Hexagon obtained any Facebook information inappropriately.
“The problem the company is facing today are due to tens of thousands of small decisions made over the last decade within an incentive structure that was not predicated on our 2018 threat profile,” Stamos said in his note.
A Facebook spokesperson confirmed that the memo is legitimate, but declined to comment further. Security and privacy experts, meanwhile, praised Stamos’ call to action in prioritizing the consumers and users of Facebook’s platform.
“Alex seems to recognize that there has been a fundamental shift in the power to influence in the social platform age, and it is clearly not good if leaders of these organizations do not recognize that,” Christopher Littlejohns, EMEA manager at Synopsys, told Threatpost. “His call to action to such organisations is to put in place a moral framework and policies that guide their thinking of how to run their companies to ensure that they are not complicit in making things worse.”
The business landscape has swiftly shifted in the last few years around data privacy, especially with the adoption of new privacy acts like the EU’s General Data Protection Regulation (GDPR). Chris Olson, CEO of The Media Trust, told Threatpost that consumer trust is at the forefront of these laws – and data-heavy companies like Facebook need to realize this.
“Consumer trust is earned over time, but it can be lost immediately,” he noted. “Companies will need to police themselves and their third parties to ensure they are not collecting and sharing consumer information without consent. Consumers demand honesty and integrity from businesses, and if they don’t channel their outrage into new laws, they will do so through broadsides online that can go viral.”
Data privacy policies issues continues to plague Facebook. In late June, an ethical hacker said that he found that data for 120 million users was exposed on a quiz app owned by Nametests.com. The hacker noticed the website would fetch his personal information and display it on a web page, nametests[.]com/appconfig_user — after which the data was available for other sites to swipe it, he said. Facebook also came under fire in June by a Norwegian agency that said it was using “unethical” tactics to nudge end users away from data privacy.
Looking forward, Tyler Reguly, manager of software development at Tripwire, told Threatpost that Facebook and other social-media companies should heed the advice of Stamos and prioritize user data privacy – or platform-users may leave.
“This is advice that a lot of companies should listen to and acknowledge,” Reguly said. “People are leaving social media due to engineering decisions and lack of faith in the products; unfortunately not at a rate high enough to encourage social-media companies to change their ways, but, if current trends continue, we may see it happen one day.”