Facebook Has Taken on a Role within National Security

The internet has been consistently blurring the lines of national borders, which may have benefits overall, but is a challenge to reconcile with national security and defence. As more military action takes place in the online domain, individuals’ data becomes a resource that is valuable to criminals and international rivals.

The debate over personal information and privacy has been getting increasingly important as more information is collected about us every day. Facebook and other tech companies are eager to frame this debate as one of personal responsibility and choice. An individual chooses to sign up to a platform, and then has the choice of which information they share and how accurate they wish to make it.

I do have the choice to make my data real or completely fake. I can even create multiple fake accounts with the intention of harassing, misleading or conning other users. In a way, Facebook does not care. The data that they are after is not just the public data, but the metadata that they can mine and the time on the platform that they can profit from.

Where the debate should be between freedom of expression and national security, the tech companies have repeatedly chosen profit above all else. This leaves local and state institutions to deal with much of the fallout from the tech-platforms’ security faults. 

It often falls to police to deal with the crimes that are made possible through the platforms, things like harassment, stalking and fraud, while it becomes the responsibility of the military and intelligence community to handle the cyber attacks and espionage that are enabled by open social media networks.

The current round of data leaks offers a perfect example of how these platforms can affect national security.

The Data 

The leak from Facebook contains the data from 533 million users that was posted online and is now widely available. This was followed by similar data being made available from LinkedIn and Clubhouse. The companies were quick to clarify that these were not hacks, that no private information had been accessed, that these were just data scrapes of publicly available data. 

What that means in the case of Facebook is that instead of getting inside Facebook’s systems, the information was gathered through the contact discovery function. The function allowed the Facebook app to connect to your contacts and discover phone numbers and contacts in order to broaden your online network. It also made it possible for all the forward-facing data, such as name, email address and phone number, to be collected into one data set.

A similar exploit was used against the Clubhouse app. The data of 1.3 million users was downloaded not through a technically complicated hack, but by a simple script that scraped the data from the API. In the case of Clubhouse, this contained: user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, account creation date, and the profile that invited them.

The data sets that are available for sale online containing LinkedIn data are advertised as having: LinkedIn IDs, full names, email addresses, phone numbers, genders, links to LinkedIn profiles, links to other social media profiles, professional titles and other work-related data. 

The Security Threat 

These data breaches and the availability of the data online are cause for concern. They make people more vulnerable to phishing and scams, as it becomes easier to make convincing fraud emails. A personalized message that contains details like user name and personal name is difficult to recognize as fake.

This threat is multiplied the more data breaches happen, because, despite constant advice, people reuse usernames and passwords across different platforms. As massive troves of information become available, it becomes possible to combine datasets like this public-facing data with private information from hacks containing passwords and banking information.

The security implications of this are clear. This information is not only useful for criminals interested in identity theft, it can be used for ransomware attacks that cripple hospitals and transit networks. It can be used by foreign states to gain access to sensitive infrastructure. And it could be used to target and blackmail important individuals.

It is not hard to imagine this being used even further. If this illegally obtained personal data was combined with metadata available to advertisers, threat actors could form complete profiles of individuals. In the hands of state-sponsored cyber divisions, this data would be invaluable, not only for system access but also for influence and coercion.
 

The Response 

Facebook knew about the vulnerability for years, but chose not to do anything to fix it. Instead they created a plan on how to deal with potential controversy. The plan was basically to not comment on it, and let any potential outrage and media attention die down, and to try to normalize the data leaks. 

LinkedIn made a statement saying that the data was “...publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included…”

Clubhouse also made a similarly unapologetic response saying that scraping data was not allowed by the user guidelines, as if having something written in community standards is the same as having effective data protection. 

At this point state governments and institutions are basically powerless to do anything except prepare for the outcomes. Effective policy, like GDPR, that holds companies responsible is severely lacking, but there is now a unique opportunity for individuals to respond.

Beyond doing the obvious of starting to use unique passwords and two-factor authentication, there is now a class action that is letting exposed individuals take on Facebook. This may be the best action to take in order to make data breaches of this kind no longer financially negligible for large tech companies. If you are interested you can join the suit here.
 

Conclusion 

Personal data is a matter of national security, and has direct implications for national sovereignty. The large tech companies have repeatedly chosen profit over users’ security and privacy, which is creating large vulnerabilities. Access to citizens’ data leads to insecure infrastructure and economic losses, and opens the door for espionage and influence.

Currently, most countries are not able to legislate for the large tech companies and protect their citizens’ data. Despite this, governments and institutions are still required to deal with the real-world implications of these breaches. This means that nations are forced to take a reactive position on many cyber threats.

Individuals may have a unique role in this issue of data and national security, as the new class action lawsuit against Facebook shows. If the companies choose to put profit above security, then any movement like this that makes security breaches expensive will help improve security overall.

About author: Simone Neads
