“It's not our problem.”
That’s a summary of Facebook’s reaction to the passing around of 1.3 million people’s mobile numbers, scraped from its service.
It’s an extraordinary data leak. Pages and pages of mobile numbers, matched perfectly against full names and, in many cases, occupation or location.
The least that we can expect is a new wave of scam texts and WhatsApp messages.
But for a few thousand people, it could be a lot more serious.
The names and numbers of gardai, sitting judges, prison officers and others in sensitive positions are among those leaked.
As are roles such as management positions in women’s refuges and other places that could be prone to harassing or predatory contact.
All are easily searchable.
Prison guard out of favour with a criminal gang? Now they have his (or her) number. Angry spouse who thinks a shelter is denying him rightful access to his family? The manager’s personal mobile is now available.
And so on. From petty complaints (such as WhatsApp groups passing around a teacher’s mobile number) to more serious threats from stalkers or harassers, this is the first time in a while that a Facebook-related data leak has the real potential for physical as well as digital harm.
To say Facebook’s response has been dismissive is an understatement.
It initially batted off queries about the data leak by saying it was “old data”. Its basic position is that other bad people scraped its site for this information and put it all into a database. Nothing to do with us.
It even stonewalled the Irish Data Protection Commissioner, with the regulator frustrated enough to release a statement saying that Facebook had to be hounded for days to get any real response.
Faced with rising anger and discontent, the social networking company then put out a slightly more fleshed-out version of the first response. But again, it said that the real culprits were fraudsters who target good companies doing good things.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” said Mike Clark, Facebook’s product management director. “This feature was designed to help people easily find their friends to connect with on our services using their contact lists… This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.”
As for people complaining about the data being circulated, Facebook said that they are “confused”. The feature that enabled the scraping, Facebook says, was basically fine: it was just those bad people who abused it.
Facebook “will continue to aggressively go after malicious actors who misuse our tools wherever possible”, it assured people.
But a couple of basic questions remain outstanding.
Even though at least some of the data was ‘scraped’ before the implementation of the GDPR in May 2018, Facebook repeatedly says it only became aware of the issue in 2019, when it ‘fixed’ the Facebook tool that was being scraped.
Should it have informed users at this point?
More basically, is the issue a breach, or simply (as Facebook says) unscrupulous misuse of a legitimate tool the company was using?
While the Irish Data Protection Commission wasn’t in a position to give a concrete answer to this, other privacy professionals are clear.
“If the data, such as personal mobile numbers, wasn’t in the public domain, it’s a breach,” says Daragh O’Brien, founder of the privacy and regulatory firm Castlebridge. “The fact that someone used a tool to scrape it just means it was badly defined and that Facebook’s threat modelling was wrong. When Facebook became aware of something resulting in the unauthorised disclosure of personal information, it had an obligation under GDPR to notify authorities. It also had a moral obligation to notify users.”
So what happens now?
The Irish regulator is warning of increased spam and security worries.
“Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access,” a DPC spokesperson says.
For those wondering whether their mobile number is caught up in the leak, the website haveibeenpwned.com has updated its system to include searches by mobile numbers.
Users can input their numbers using the country code and full mobile number, without the ‘zero’ prefix.
A typical search would be inputted as 353871234567.
The reputable site, run by the respected IT security researcher Troy Hunt, also lets people check whether their email addresses have been part of any large data breach in recent years.
But as to what can be done then, the options are very limited.
Once a data file is leaked and published like this, it reappears again and again. It’s the equivalent of saving a Word document and emailing it to 100 people. There’s no way to shut the information in the emailed document down.
As for other security precautions, normally we’re told to change passwords after a security breach. While this is decent general advice (we should be doing it regularly anyway, or using a password manager such as LastPass or 1Password), it’s a different situation for mobile numbers. We don’t change those every year. Most of us don’t change them in five or 10 years.
Unfortunately, these numbers are now out in the wild for anyone who wants to look them up and use them.
So if you’ve noticed any uptick in spammy or scammy phone calls lately, or maybe wondered how someone you don’t know – someone you wouldn’t have welcomed contact from – got your mobile number, there’s a fair chance that it’s related to this big Facebook data leak.
As for whether this will lead people to abandon the social network in any significant numbers, it’s unlikely.
As annoying and potentially dangerous as this data leak is, industry metrics show that social media services only lose users when they’re widely seen as being less relevant or useful than rival services.
Facebook’s obituary has been written after every scandal for a decade, yet its usage figures remain steady.