Risk

10/19/2010
12:20 PM
50%
50%

Congressmen Poke Facebook Over Privacy Breaches

Reps. Markey, Barton demand answers on what the social network knew about unauthorized disclosure of user ID numbers and what it plans to do about it.

Best Mobile Apps For Busy Professionals
(click image for larger view)
Best Mobile Apps For Busy Professionals
In response to the recent revelations of another privacy breach at Facebook, Congress is again asking questions of the social media giant.

U.S. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) on Monday sent Facebook founder Mark Zuckerberg a letter pressing the company to release more details about the way in which applications handle user information. The two congressmen were prompted to act after results of Wall Street Journal investigation discovered privacy breaches affected tens of millions of users, even those who adjusted their settings to the strictest settings possible.

All 10 of the most popular apps on Facebook shared Facebook members' user ID numbers (UIDs) with outside companies, and three of the top 10 Facebook apps, such as Farmville, shared information about users' friends, too. In a post to its developer blog on Sunday, Facebook downplayed the privacy impact, even as it promised to take steps to prevent reoccurrences.

But the two politicians want more. Barton is a ranking member of the Committee on Energy and Policy, and Markey is chairman of the Energy and Environment Subcommittee.

"Given the number of current users, the rate at which that number grows worldwide, and the age range of Facebook users, combined with the amount and nature of information these users place in Facebook's trust, this series of breaches of consumer privacy is a cause for concern," the legislators wrote. "As I am sure you are aware, the Committee on Energy and Commerce is the primary House panel for oversight of consumer privacy. As I am sure you are also aware, comprehensive privacy legislation is currently pending before the Committee."

Markey and Barton asked Facebook to respond to 18 questions by Oct. 27. The congressmen's questions include the number of users impacted by the privacy breaches; the specific nature of the data transmitted from the third-party applications; when Facebook knew of the breaches; whether or not Facebook notified users of the breaches; which Facebook terms were violated; the number of third-party applications in violation; the procedures and guidelines Facebook has in place to detect and prevent this type of breach; whether similar breaches have occurred in the past; whether Facebook receives remuneration of any kind as a result of data-sharing with ad or tracking companies; whether Facebook will proactively seek the deletion of users' personal information from Internet and ad companies' databases; the extent to which minors' information was breached; the extent to which medical and financial data was breached, and any policy or procedural changes Facebook plans to ensure users have better control over their data and over their use of third-party apps, according to the letter.

Facebook responded over the weekend by blocking access to one game developer, Lolapps, but restored access shortly thereafter.

"Press reports have exaggerated the implications of sharing a UID," wrote Facebook engineer Mike Vernal. "Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8142
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...