Internet & Communications Law Blog Essay

Data Breach Through Social Engineering

The recent uproar involving Cambridge Analytica’s unauthorized access to, and dubious use of, personal data belonging to 50 million Facebook users in an attempt to support the presidential candidacy of Donald Trump raised a series of important questions. The access to that personal information was enabled by an app developed by University of Cambridge neuroscience lecturer Aleksandr Kogan, which used Facebook Login. Through that login, the app obtained personal information about its own users and, by extension, their Facebook friends, and that information was subsequently passed on to Cambridge Analytica.

This post will focus on the data breach question – whether unauthorized access to personal information, in the absence of hacking, qualifies as a “data breach” for the purposes of state data breach notification laws, and potentially Federal Trade Commission (FTC) data security enforcement.

Was Facebook ‘Breached’?

This question arises largely from a debate that took place in the aftermath of the revelation of this debacle. While the initial reporting by the New York Times and the Guardian labeled this a data breach, Facebook’s vice president and deputy general counsel vehemently responded that “[t]he claim that this is a data breach is completely false,” explaining that the data was passed on to Cambridge Analytica by a third-party app to which the users had consented. Another response from Facebook highlighted that “no passwords or information were stolen or hacked.”

This was unequivocally not a data breach. People chose to share their data with third-party apps and if those third-party apps did not follow the data agreements with us/users it is a violation. No systems were infiltrated, no passwords or information were stolen or hacked.

— Boz (@boztank) March 17, 2018

Motherboard, reacting directly to this debate, argued that this should not be labeled a data breach, claiming that the term would confuse and mislead its readers. It supports this assertion by pointing out that “No one hacked into Facebook’s servers exploiting a bug… No one tricked Facebook users into giving away their passwords and then stole their data.” While no hack was involved, the Cambridge Analytica debacle is a form of social engineering: a technique that manipulates people into handing over sensitive information without exploiting the computer system or network in question. Although it did not target Facebook directly, it did so through a proxy, the app Kogan developed, which served as a data pipeline between Facebook and Cambridge Analytica.

What Is a Data Breach?

The primary question that arises from this debate is whether active hacking is required for an incident to qualify as a data breach. This post argues that a data breach does not necessarily require a hack to take place.

This is not the first time a company has inadvertently leaked personal information to malicious actors. In 2005, the consumer data broker ChoicePoint suffered a data breach that compromised the personal information of more than 163,000 consumers and resulted in as many as 800 identity theft cases. What was unique about that breach was that no hacking took place. Instead, ChoicePoint sold consumers’ personal information to subscribers it had not properly vetted. As a result, the FTC filed a complaint against ChoicePoint, alleging that ChoicePoint “did not have reasonable procedures to screen prospective subscribers.” In 2006 these charges were settled, and ChoicePoint was required to implement new procedures to ensure that only legitimate businesses obtain access to the consumer personal information it collects.

In ChoicePoint’s case, no unauthorized external hacking was involved. The same is true of Cambridge Analytica’s unauthorized access to 50 million users’ profile information on Facebook, which did not involve any penetration of Facebook’s databases. Nonetheless, it could qualify as a data breach.

The California data breach notification law (California Civ. Code s. 1798.82(a)), which empowers the state’s Attorney General to investigate and pursue legal action against businesses in violation of its provisions, and which requires mandatory notifications to consumers, defines “breach of the security of the system” as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” This approach, which puts the emphasis on the acquisition of data rather than on intrusion into a system, supports the assertion that hacking is not a prerequisite of a data breach. (Whether the profile data at issue falls within the statute’s enumerated definition of “personal information” is a separate question that the definition of “breach” does not settle.) Many states have adopted substantially similar language in their respective data breach notification laws, and it therefore comes as no surprise that Massachusetts will start its own investigation into the matter.

Similarly, the U.S. Computer Emergency Readiness Team (US-CERT) defines a data breach as the “unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.” Again, the key is to focus on the data compromised, rather than on whether a cybersecurity incident took place.

The Way Forward

As I argued on TechCrunch, we should be rethinking our conception of what constitutes a data breach and, subsequently, what sort of activities we wish to delegitimize through our legal system. The statutes can and should be read broadly to include socially engineered breaches; where the law is not sufficiently clear about this, it should be amended. Once we acknowledge that a data breach can take place in the form of manipulation rather than intrusion, we can provide better protection for user privacy and security. This would in turn incentivize tech companies to monitor the third parties with whom they share users’ personal data, and make it harder for malicious actors to take hold of that data.

Facebook has adopted an internal mechanism, Login Review, requiring “developers to justify the data they’re looking to collect and how they’re going to use it.” But this is too little, too late, since large swaths of personal information have already been misused, potentially not only by Cambridge Analytica. It is now impossible to trace what personal information was misused by other apps, which suggests that we should be thinking about these data breaches in preventative terms rather than reacting once the harm has been done. And we have no assurance that Facebook or other platforms will take the necessary forward-looking measures to stop this from happening again. The solution, therefore, is governmental regulatory intervention that requires such monitoring policies before misuse takes place.

Facebook’s insistence that this is not a data breach misses the point and should concern all of us. As many have argued, this is far worse, because it is not an exceptional security incident that disrupts the day-to-day activity of a business, but rather a business-as-usual practice in which users are not the customers but the product.

It is up to tech companies that handle personal information to vet third-party developers so that personal information does not end up in unauthorized hands, and, if it does, to inform their users. The role of law and regulation is to provide victims with a legal cause of action and to impose mandatory preventative measures on companies in possession of sensitive personal information. Until then, we are likely to see more misuse of personal data.

The author would like to thank Andrea Matwyshyn, Daniel Solove, and Paul Ohm for their helpful comments.