



What the recent Facebook exposé can teach security leaders

Dec 20, 2018 | 5 mins
Application Security, Data Breach, Data Privacy

The biggest social media snafu of the year has lessons for enterprise security professionals.

If you’re feeling overwhelmed by the constant chatter about user privacy, #GDPR, transparency and data minimization, you’re not alone. Your oversight of constantly changing threat vectors, and the need to stay compliant while reducing your risk profile, has never been greater. And yet you realize there’s no turning back: privacy, transparency and trust with your user community are a reality, not a passing fad.

Let’s talk about the recent Facebook fiasco – not the Cambridge Analytica imbroglio, which was bad enough – and see what we can glean from that.

In today’s highly connected social media world – whether it is Facebook, Google or Twitter – consumers are mostly resigned to the fact that they are constantly being spied on. And to a large degree, consumers turn a blind eye because they are getting something in return – a social following, an avalanche of Happy Birthday messages or a captive audience for their nascent business.

But suddenly something impactful happens and this “assumed” trust starts to break down.

In early 2018, we all learned about the Facebook/Cambridge Analytica data scandal. For the average consumer, this probably did not set off too many alarm bells beyond a vague sense of privacy violation: their private data was in the hands of some UK-based data-brokering company, and of other third-party developers on the Facebook platform as well. But as a consumer, it was probably hard to know what it truly meant.

Not so for you, the security and privacy tech head. You knew exactly what this meant.

Whether you are now saddled with the privacy mandate yourself or are working with colleagues such as the Chief Privacy Officer, this almost certainly served as a wake-up call.

Why? Because it all starts with data collection. Extensive and intrusive data collection. And that is not a Facebook or a B2C phenomenon. With instrumentation and sensors everywhere, and the need to build insightful customer profiles, B2B vendors are all over the data collection bandwagon. And so are you.

So, the questions to ask yourself should be: why am I collecting this data, what does this do for me from a compliance perspective (#GDPR) and how can I be transparent about this with my customer without hiding behind an undecipherable ToC or EULA?

But suddenly the impact just increased exponentially with the late-breaking New York Times exposé in December, 2018.

And unlike the Cambridge Analytica data-sharing back-room deal that was still hard to fathom to most non-tech users, this one had all your favorite brands wheeling and dealing and manipulating your private information. In a nutshell: Facebook has shared your data with Netflix, Microsoft, Spotify, Amazon, Yahoo…and 150 other companies. What sort of data? Well, for one, Netflix and Spotify had access to your private Facebook messages that they could read, modify and delete!

But what can this teach you – the security professional – about the privacy and ethical choices that you need to be aware of and drive? Three things come to mind:

1. Know why you are collecting data

Clearly, data collection may fall outside the purview of the CISO’s mandate (or possibly even the CIO’s). Lines of business, developers, even customer success may drive this mandate. But you, ultimately, hold all accountability if the data collected is exposed and makes front-page news. So, start by asking why. It will be an uncomfortable conversation that crosses organizational boundaries, but it is best to start this dialogue before something bad happens.

2. Find out how you are collecting the data

Is the end-user – whether it’s another business or the actual end consumer – aware of how their data is being collected? Being transparent and empathetic to the distracted end-user is critical. Getting them to sign a EULA before you activate the subscription or renew their enterprise license is very self-serving. An easy-to-understand webpage or even a periodic email that’s short and to the point could be a good tool. And an easy button to revoke this data collection could vault you to the top of their preferred vendor list.

3. And finally, what data are you collecting?

With the cost of storage plummeting, and AI (which is primarily fueled by data…large swaths of it) being all the rage, the urge to collect anything and everything is rampant. So, this question could raise some eyebrows. But it could be very revealing as well. One of the tenets of GDPR is data minimization. But that flies in the face of what AI and lines of business demand. You need to step in and be the torch bearer of sanity here.

But there’s another very important angle to this. Let’s look at what Facebook’s response has been to this recent debacle:

Steve Satterfield, Facebook’s director of privacy and public policy, argues that the partnerships have not violated users’ privacy and that contracts required the companies the data was shared with to abide by Facebook policies.

There are businesses that have suddenly woken up to the fact that they have a treasure trove of customer data collected over years, even decades. Inter-exchange carriers and service providers, to name a couple. While many of them are aware that they themselves may not have the smarts or even the business model to make sense of this data, there are other enterprises out there that could. And now, they’re off auctioning this data to the highest bidder.

So, if your organization is either the one doing the auctioning or the buying of this data, you as a datasec pro suddenly have a new area of exposure that you have to deal with.

Yes, we are entering a brave new world as 2019 beckons us. And we need you – the security professional – to take on a much bigger mantle. Our digital lives depend on it.


Ashwin Krishnan is the COO of UberKnowledge, a cybersecurity knowledge sharing, training and compliance organization.

As a former vendor hi-tech executive in the cybersecurity and cloud domain he has turned writer, podcaster and speaker. His focus is on simplifying technology trends and complex topics such as security, artificial intelligence and ethics through enduring analogies which he shares on his blog and his talks. Ashwin is the author of “Mobile Security for Dummies,” and as a recognized thought-leader he contributes to a variety of publications, including Entrepreneur Magazine.

Ashwin is a regular host with CISOs on podcasts such as the Cyber Security Dispatch where he bridges the education gap between what the security practitioners need and what the vendors provide; as a tech ethics evangelist he is frequently on main stage at conferences educating and empowering consumers and vendors alike on the role of ethics in tech; his recent speaking engagements include the Smart Home Conference, Fog Computing Congress, and the Global AI Conference.

The opinions expressed in this blog are those of Ashwin Krishnan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.