Last night, a member of British parliament released hundreds of pages of internal Facebook e-mails. The documents shine a light on Facebook’s aggressive growth strategy and its willingness to sacrifice its users’ privacy for business decisions.
As a security researcher, I am deeply saddened yet not surprised by the recent revelations. Over the past few years, I have informed Facebook on multiple occasions about potential privacy violations or misuse. I have listed some of these encounters in this article — draw your own conclusions.
In 2016, I noticed all links shared privately on the Facebook platform were publicly available to developers. These links sometimes contained personal information, keys, attachments, links to private photos or documents (such as private Google Drive documents). From the developer’s perspective, the attack looked like this:
I immediately contacted Facebook’s security team, who said this was ‘publicly documented and intentional behavior’:
I could not believe what I was reading and wrote a blogpost with my concerns. Within hours, my blogpost got covered by the media and all of a sudden, Facebook silently fixed the issue because they allegedly misunderstood my initial report.
In early 2017, I found a way to get access to my fellow Belgians’ phone numbers through Facebook. Back in those days, you could ‘easily connect’ to contacts on Facebook by importing up to 20,000 phone numbers. Facebook would then match the phone numbers to user accounts and return a list of Facebook users you could send a friend request to. Because Belgian phone numbers are relatively short, it would only take 30 to 60 minutes to go through all phone numbers and find the private phone number linked to a Facebook profile.
Facebook argued that, if you did not want your private phone number to be exposed, you had to disable the obscure ‘Who can look me up?’ setting, which was on by default. I wrote a blogpost about this behavior and was approached by seemingly malicious actors multiple times trying to exploit it. Facebook eventually decided to remove this feature after Cambridge Analytica happened — nearly 14 months after I informed them about the possible abuse. Apparently, Facebook thought their ‘connect by phone number’ growth strategy was more important than the privacy issues it raised.
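For the defender’s side of the contact-import problem described above, here is an added example (my own illustration, not code from the original post or from Facebook) of a heuristic that flags an account whose imports look like a number-range scan rather than an address book. The thresholds, field names and the constructed sample batches are assumptions.

```python
"""Detection heuristic for contact-import enumeration. Added example: the
thresholds, field names and sample batches are assumptions, not Facebook's logic.
A real address-book import is small and matches a fair share of existing users;
an enumeration run is huge, nearly sequential and matches almost nothing."""
import random
from dataclasses import dataclass

@dataclass
class ImportBatch:
    account_id: str
    numbers: list   # digit strings, e.g. "32470123456" (E.164 without the '+')
    matched: int    # how many of the uploaded numbers resolved to a user profile

def sequential_fraction(numbers):
    """Share of sorted neighbours that differ by exactly 1 (1.0 = pure range scan)."""
    if len(numbers) < 2:
        return 0.0
    ints = sorted(int(n) for n in numbers)
    adjacent = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return adjacent / (len(ints) - 1)

def flag_enumeration(batches, max_numbers=50_000, min_match_rate=0.05, max_seq=0.5):
    """Aggregate all batches per account within one review window and return
    {account_id: [reasons]} for accounts tripping at least two of three signals."""
    totals = {}
    for b in batches:
        tot, hit, seq = totals.get(b.account_id, (0, 0, 0.0))
        totals[b.account_id] = (tot + len(b.numbers), hit + b.matched,
                                max(seq, sequential_fraction(b.numbers)))
    flagged = {}
    for acct, (tot, hit, seq) in totals.items():
        reasons = []
        if tot > max_numbers:
            reasons.append("volume")            # far beyond any real address book
        if tot and hit / tot < min_match_rate:
            reasons.append("low_match_rate")    # guessing numbers, not importing contacts
        if seq > max_seq:
            reasons.append("sequential")        # walking a number range in order
        if len(reasons) >= 2:
            flagged[acct] = reasons
    return flagged

def constructed_batches():
    """Constructed sample: one real-looking import and one range scan in 20,000-number uploads."""
    rng = random.Random(1)
    legit = ImportBatch("alice", ["3247%07d" % rng.randrange(10**7) for _ in range(200)], 120)
    start = 32470000000  # constructed starting point of the scanned range
    scans = [ImportBatch("scanner", [str(start + i) for i in range(k, k + 20_000)], 80)
             for k in range(0, 60_000, 20_000)]
    return [legit] + scans
```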
3. 2017 — Abusing the Graph Search using StalkScan.com
Back in 2013, Facebook launched the Graph Search: a creepy search functionality with dozens of filters nobody asked for. The Graph Search caused increasing privacy concerns and Facebook responded by adjusting some search filters and removing the graphical interface. Most parts of the search were secretly still there, so I created StalkScan.com to show people their data was still getting exposed — it was just harder to find. Facebook always argued that privacy settings remain unchanged, and while this is true, nobody would expect all your public likes, comments or photos you’ve been tagged in to be easily accessible.
Earlier this year, I discovered that one of the most popular Facebook Quiz apps had potentially been leaking data of its 120M+ users for years, often including private posts and pictures.
I reported this incident to Facebook’s Data Abuse program, which they had set up after Cambridge Analytica happened. Two months later, I noticed that the issue had finally been resolved, but received little to no communication from Facebook’s side. After I told Facebook I was going to write a blogpost about the issue, I was awarded a $4,000 bounty, which I donated to the Freedom of the Press Association. During the two months it took to resolve this issue, the leaky app was never suspended from the platform. The Quiz app later claimed that they had found ‘no evidence of abuse by malicious actors’. That doesn’t mean it didn’t happen.
There comes a moment where PR cover-ups and apologies won’t help Mark Zuckerberg anymore and I think we’ve reached this point.
Facebook sacrificed its users’ privacy as part of its growth strategy.
Facebook has used questionable business tactics to destroy its competition, choosing exactly which strategic partners would get access to the platform and which would not.
Facebook is not fit to solely rule over its virtual kingdom of 2.7B inhabitants.
It turns out we know nothing about the company that knows everything about us. This has to change, now.