Facebookin like a slippery eel. Responding to @DPCIreland the data was "publicly available & scraped prior to changes made to the platform in 2018 and 2019."
May 2018 a 'bug' active for 5 days, "caused up to 14 million Facebook users to have their new posts inadvertently set to public" wired.com/story/facebook…
August 2018 FB's VPN app, Onavo, removed from Apple's app store for harvesting data zdnet.com/article/facebo…
Sept 2018 between 50 million & up to 90 million Facebook users had their profile data exposed to hackers & that "sites you use Facebook to login to could have been accessed as a result of its massive breach" wired.com/story/facebook…
Sept 2019 data on 419 million users exposed online "because the server wasn’t protected with a password, anyone could find and access the database" The data included phone numbers, name, gender, country location techcrunch.com/2019/09/04/fac…
December 2019 data on 309 million Facebook users left exposed "for anyone to access without a password or any other authentication." Data included User IDs, names & phone numbers. "The database was exposed for nearly two weeks before access was removed." comparitech.com/blog/informati…
👆 Facebook claims the data was probably harvested in 2019 before they clamped down on access. But was it? comparitech.com/blog/informati…
April 2021 "533 million Facebook users' phone numbers and personal data have been leaked online" businessinsider.com/stolen-data-of… Is this the 2018/2019 data or both + more recent data?
And now Facebook issues a statement of ‘facts’ saying the data was ‘scraped’ prior to September 2019 but a few days ago told the @DPCIreland it ‘seemed’ to be ‘pre-GDPR’ from 2017/18 dataprotection.ie/en/news-media/…
So why didn’t FB tell users and tell EU DPAs @EU_EDPB ?
"One source of the confusion was that Facebook has had any number of breaches and exposures from which this data could have originated." <as per the thread 👆 But I wouldn't call it 'confusion' ... no not that ..
"the recently public trove of 533 million records is an entirely different data set that attackers created by abusing a flaw in a Facebook address book contacts import feature [that FB said it patched in Aug 2019]" <& yet no breach reporting
"Facebook says it did not notify users about the 2019 contact importer exploitation precisely because there are so many troves of semipublic user data—taken from Facebook itself and other companies—out in the world." 🙇🏼🙇🏼 wired.com/story/facebook…
THIS: "The one thing that's certain in all this is that more than 500 million Facebook users are less safe online than they otherwise would be—and potentially vulnerable to a new wave of scams and phishing that Facebook could have alerted them to nearly two years ago." >YEP
In December 2010 I met with representatives of Facebook in Palo Alto to discuss the need to adopt a privacy by design approach & proposed app privacy design guidelines.
I met with another representative of FB in 2013 & discussed 3rd party developers & 3rd party access & the need for guidance & an accountability.
So, y'all was aware of the need for PbD cos I had those discussions. Y'all now shouldn't be kinda saying 'those dumb fucks' didn't change settings that we made difficult to understand or that "hey y'all look, it's not our fault .. it's malicious actors ..."
Malicious actors that took advantage of Facebook's failures and approach to privacy ... cos y'all, in 2004 Zuck himself once called users dumb fucks for handing over their data esquire.com/uk/latest-news…