Reports of Facebook’s struggles come so fast and furiously they’re nearly impossible to digest. It was particularly interesting to watch the news unfold this week, as the social network is trying to recover from a series of what are beginning to feel like never-ending press stumbles. Making sense of this week’s news flurry is exhausting, but join us as we ride the ups and downs aboard the Facebook media roller coaster.
Monday: Facebook Hits the Ground Running
After a weekend in which the company was plagued by reports of a lawsuit from the Department of Housing and Urban Development over discriminatory ad practices and the “accidental” loss of old Facebook posts from CEO Mark Zuckerberg, Facebook pulled a classic move by trying to overshadow the dismal news with—product announcements! In years past, the company introduced fun new tools like photo filters and On This Day. Recently, however, these launches have usually come on the heels of outrage over Facebook’s failings—more like quick fixes than innovation. Facebook rolled into Monday morning with an update it released on Sunday that offers users more information about why they’re seeing a given post. Facebook also shared a new tool to help with content enforcement decisions, announced the removal of spam pages in India and Pakistan, and treated viewers to a conversation about the role of Facebook in journalism between Zuckerberg and Mathis Döpfner, CEO of European publisher Axel Springer, wherein Zuck mulled the idea of paying publishers for news content. Zuckerberg even published an op-ed Saturday calling for European-style General Data Protection Regulation in the U.S.; surprising, right? Not exactly: Experts pointed out that this bait-and-switch seems like an attempt to pivot attention away from regulation focused on breaking up monopolies (which would hurt Facebook’s business model) and put it on consumer privacy regulatory changes instead.
Tuesday: Facebook Asked Users for Their Email Passwords
The Daily Beast reported that Facebook was asking new users to provide not only an email address to log in, but also the password for that email address. Facebook defended itself by saying it doesn’t store these passwords, but also admitted this “isn’t the best way to go about this, so we are going to stop offering it.” This news came shortly after it was revealed that the social network stored user passwords in unencrypted, plain text files that were accessible to thousands of its employees. Facebook inexplicably chose to address the privacy failure in a blog post titled “Keeping Passwords Secure.”
It should go without saying that any network should never ask or need a user’s password for an entirely separate platform. It’s a shocking request even for Facebook, but it’s not the first time the company has employed an eyebrow-raising login policy. Back in October, we looked into Facebook One Click, a feature that allows users who forgot their passwords to click a button and log back in … even if they hadn’t been trying to log in. Security and password experts are not impressed by this tool or by this latest security stumble.
Wednesday: Facebook Exposed Hundreds of Millions of User Records
Security firm UpGuard revealed that more than 540 million Facebook user records were exposed. The user info was collected via third-party Facebook apps and included information such as comments, likes, account names, location check-ins, photos, and more—and it was stored publicly on Amazon’s cloud. This breach is no Cambridge Analytica, but it’s yet another reminder that the social network either can’t control what happens to its users’ data once it’s shared with outside apps, or maybe it just doesn’t care. In fact, when UpGuard discovered the exposed files in early January, it reached out to tell Cultura Colectiva, one of the companies responsible for the error, but didn’t receive a response. At the end of January, UpGuard alerted Amazon, but still nothing happened—until this week. “It was not until the morning of April 3, 2019, after Facebook was contacted by Bloomberg for comment, that the database backup, inside an AWS S3 storage bucket titled ‘cc-datalake,’ was finally secured,” UpGuard explained in a blog post.
The lesson, once again: It’s incredibly easy for Facebook user data to be exposed and apparently far too difficult to resecure it.
Thursday: A Facebook Master Class in Non-Answers
Facebook went on the offensive with a conversation between Zuckerberg and ABC News’ George Stephanopoulos. In the interview, Zuckerberg reiterated the same ideas about content filtering he’s said for years. In response to questions about the video of the New Zealand Christchurch attack that was livestreamed on Facebook, the CEO spoke in rhetorical statements. “It’s not clear to me that we want a private company to be making that kind of a fundamental decision about what is political speech and how should that be regulated,” he said. Censoring or even just delaying it would “break” livestreaming, he explained. This is a very strategic response from Zuckerberg, who makes it sound as if he’s agreeing with his detractors: If everyone is so wary of Facebook, maybe it can’t be trusted with big decisions like what should or shouldn’t be livestreamed. Maybe the public should be the arbiter, not a private company. It’s a textbook case of passing the buck, and it’s another vague philosophical statement instead of a substantive answer from Facebook.
Friday: Facebook Plays Host to Cyber Criminals
Security firm Cisco published a new report from its cybersecurity division, Talos, about Facebook’s role in hosting spammers. Facebook groups, Cisco says, host a variety of illegal activities, including phishing scams and payment card frauds. “Over the past several months, Cisco Talos has tracked several groups on Facebook where shady (at best) and illegal (at worst) activities frequently take place,” the researchers explain. And it’s not as if these groups operated by using some sort of code; they have names like “Spam Professional” and “Spammer & Hacker Professional,” and even advertise that users can buy credit card CVV numbers. “In all, Talos has compiled a list of 74 groups on Facebook whose members promised to carry out an array of questionable cyber dirty deeds, including the selling and trading of stolen bank/credit card information, the theft and sale of account credentials from a variety of sites, and email spamming tools and services. In total, these groups had approximately 385,000 members.” A simple Facebook search yields many results for such groups, and once users join a group like this Facebook’s algorithm will suggest even more to them. It appears that Facebook isn’t taking an active role in curbing this criminal activity, relying instead on users to report it.
Despite this incredible amount of bad news, there was one very important, positive headline for Facebook: The company’s stock went up, with the media takeaway being that “shareholders have become more accustomed to data leaks and privacy issues.” This sort of week used to shake the stock market, but now unfavorable news reports about Facebook have become so common that they’re almost expected, and don’t seem to hurt the company’s bottom line.
