Facebook is the data protection canary in the Fortune 500 coal mine

“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” — Mark Zuckerberg, CEO, Facebook

[Update: after years of R&D on the world’s first moving target defense data protection platform with federal agencies and Fortune 100 R&D labs, we are productizing & commercializing CryptoMove’s moving target data protection platform as Tholos Key Vault, a product for managing keys and secrets. You can check out our private beta here.]

In the last week, a data protection controversy erased $80+ billion in Facebook’s market cap and engulfed global public discourse. What happened?

According to reports, a Facebook app developer improperly acquired a trove of 50 million Facebook users’ data. This developer then provided the data to Cambridge Analytica, which used it for political purposes.

It started with an app called “thisisyourdigitallife,” installed by 270,000 Facebook users. Under the platform API of the time, a user who installed the app and granted it permissions also exposed profile data belonging to that user’s friends, who had never installed anything or consented to anything. That is how 270,000 installs became data on roughly 50 million additional users. Notably, there was no technical breach of Facebook’s security systems: the data was collected through sanctioned API calls, and the only thing prohibiting what happened next (handing it to Cambridge Analytica) was Facebook’s platform terms of use, a contract rather than a technical control.
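To make that amplification concrete, here is an added example (not code from the original post, and not Facebook’s API) that models a third-party app’s data reach over a small constructed friendship graph under three permission policies: the app only gets data from users who installed it; each installer’s consent also exposes every friend; or a friend’s data flows only if that friend separately opted in. The graph, user names, policy names and the opt-in set are assumptions made for illustration.

```python
"""Toy model of third-party app data reach through a friends-of-installers permission.

Added example, not code from the original post or from any real platform API.
The graph, user ids and policy names below are constructed for illustration.
"""
from collections import defaultdict

# Constructed, undirected friendship graph.
FRIENDSHIPS = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "dave"), ("carol", "erin"),
    ("dave", "frank"), ("erin", "frank"), ("grace", "heidi"), ("heidi", "ivan"),
    ("ivan", "judy"), ("judy", "grace"), ("mallory", "alice"),
]

# Users who actually installed the app and granted it permissions.
INSTALLERS = {"alice", "grace"}

# Users who separately chose to let apps their friends install see their data
# (the opt-in model that limits the reach of one installer's consent).
FRIEND_SHARING_OPT_IN = {"bob", "heidi"}


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def reachable_users(graph, installers, policy, friend_sharing_opt_in=frozenset()):
    """Return the set of users whose data the app can pull under `policy`.

    "installer_only":         only users who consented themselves.
    "friends_of_installers":  an installer's consent also exposes every friend,
                              none of whom consented (the behaviour the post describes).
    "friends_who_opted_in":   a friend is exposed only if that friend opted in.
    """
    reach = set(installers)
    if policy == "installer_only":
        return reach
    if policy == "friends_of_installers":
        for user in installers:
            reach |= graph[user]
        return reach
    if policy == "friends_who_opted_in":
        for user in installers:
            reach |= graph[user] & set(friend_sharing_opt_in)
        return reach
    raise ValueError(f"unknown policy {policy!r}")


def non_consenting_users(graph, installers, policy, friend_sharing_opt_in=frozenset()):
    """Users whose data moved without their own consent under `policy`."""
    return reachable_users(graph, installers, policy, friend_sharing_opt_in) - set(installers)


def amplification(graph, installers, policy, friend_sharing_opt_in=frozenset()):
    """How many users' data one installer's consent yields on average."""
    return len(reachable_users(graph, installers, policy, friend_sharing_opt_in)) / len(installers)


if __name__ == "__main__":
    graph = build_graph(FRIENDSHIPS)
    for policy in ("installer_only", "friends_of_installers", "friends_who_opted_in"):
        reach = reachable_users(graph, INSTALLERS, policy, FRIEND_SHARING_OPT_IN)
        print(f"{policy:24s} reach={len(reach):2d} "
              f"non-consenting={len(reach - INSTALLERS):2d} "
              f"amplification={amplification(graph, INSTALLERS, policy, FRIEND_SHARING_OPT_IN):.1f}x")
```

On this constructed graph two installers expose seven users under the friends-of-installers policy, five of whom never consented to anything, a 3.5x amplification; the ratio on a real network is set by friend-list sizes, which is how 270,000 installs reached tens of millions of people. The point for a platform designer is that the limiting factor is the policy enforced in code at the API boundary, not anything in the terms of use.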

What’s the lesson for the Fortune 500?

Facebook’s week of hell provides a valuable lesson for mainstream Global 2000 companies undergoing digital transformations. Every Fortune 500 corporation dreams of having an infrastructure like the bespoke platforms built by Facebook, Google, Microsoft and Amazon.

Enterprise software startups like CryptoMove hear it all the time. Corporate innovation groups tour Silicon Valley hoping to learn how to revolutionize their data infrastructures. How to Facebookify a legacy IT operation. Such digital transformations are a multi-billion dollar market.

Across industries including finance, health care, insurance, retail, and entertainment, corporations are looking for ways to gain insight from and monetize their customers’ data. Ask any CIO: the largest projects in the portfolio right now are investments in machine learning and AI, and in opening data access to developers and third parties via APIs.

So what’s the data protection plan? Via contract. Terms of use. Auditing. Do it like Facebook. Use their best practices. Oops…

In the uproar over #deletefacebook, what gets lost is that every major corporation in the world has spent the last several years modeling its data initiatives on standards set by the tech giants. The same standards that failed to stop the improper exfiltration of millions of users’ data. Now we can see the dangers to customers, to partners, and of course, to the bottom line.

What next? We need a new paradigm for data protection.

If Facebook can stumble so massively — to the tune of 50 million users and tens of billions of dollars in market cap — how can the rest of the Fortune 500 hope to get this right? The very blueprint CIOs have been following apparently leads off a cliff.

Facebook has an army of fantastic privacy lawyers, product counsel embedded with its dev teams, and a history of lessons from privacy investigations guiding its hand. It wasn’t enough. And it’s not just Facebook. Other tech giants — the innovation tour attractions — are also under fire.

On Facebook, we share our most private life events and moments with friends and family. What about the data owned by our banks? Our hospitals? Insurance companies? Telecom? Retailers?

Security & privacy — data protection — has to stop coming last.

Data protection is every person’s job. Every tool, every piece of infrastructure, every project must incorporate data protection as a first-order priority. Today, that isn’t happening. Fortune 500 security and legal teams are lucky to even have an inventory or classification scheme for sensitive data across the enterprise. Security teams are fortunate if the business or application owners read or review their recommendations on security guidelines. Anything that slows a project down or inserts friction into the user experience — forget about it. Technical controls? Rarely considered and often disregarded. Note: security leaders and practitioners are very aware of these issues. But often they are disempowered.

Add in third-party data access and the situation becomes a complete mess.

At CryptoMove, in our daily meetings with top security leaders worldwide, we sometimes see more empowerment (and budget) to address these issues in Europe than in the United States. GDPR is one example. Even the language used around data in Europe is different. In America there is a discussion of data security and separately of data privacy. In Europe — it’s simply called data protection. Perhaps this disconnect explains why Facebook’s initial reaction to the news story was that it wasn’t technically a “data breach.”

Where does this leave us in terms of data protection innovation?

CryptoMove’s Fortune 500 customers are constantly surprising us with innovations on our platform towards this goal. Moving target data protection can help protect data in, and from, untrusted third party environments. Bring your own key (BYOK) data protection technology is a step in the right direction: when the data steward controls the keys, a third party holding the data cannot read it without the steward’s continued cooperation. Securing keys — and data — in novel ways such as fragmentation and continuous movement and mutation can change the game. From a technology perspective, the ability to securely revoke access or delete data, even data already sitting in someone else’s systems, opens up new possibilities. Tracking data, wherever it ends up in distributed and decentralized systems, is vital. (By the way, if these sound like problems worth solving, please contact us. We’re hiring.)
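As an added example of the BYOK, revocation and tracking ideas in the paragraph above (this is illustrative code written for this page, not CryptoMove’s or Tholos’s implementation, and it says nothing about how moving target defense works), the block below has a data steward keep a key-encryption key per partner, hand each partner ciphertext plus a wrapped per-share data key, log every share, and revoke access by refusing to unwrap or by destroying the partner’s key. The class names, the partner and share identifiers and the sample record are assumptions; the SHA-256 counter-mode cipher with an HMAC tag is a standard-library stand-in for a real AEAD such as AES-GCM so that the block runs offline.

```python
"""Bring-your-own-key sharing with revocation by key destruction (crypto-shredding).

Added example, not code from the original post or from CryptoMove/Tholos.
The cipher below (SHA-256 keystream + HMAC-SHA256 tag) is a stand-in for
AES-GCM so this runs with the standard library only; use a real AEAD in practice.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks; symmetric, so it encrypts and decrypts."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc_key, nonce, ct)


@dataclass
class SharedBundle:
    """What the third party holds: ciphertext and the data key wrapped under the steward's KEK."""
    share_id: str
    ciphertext: bytes
    wrapped_dek: bytes


class DataSteward:
    """Owns every key. Partners get ciphertext and must come back here for each unwrap."""

    def __init__(self):
        self._keks = {}      # partner -> key-encryption key; never leaves this class
        self._ledger = {}    # share_id -> partner, so every copy handed out is tracked
        self._revoked = set()

    def onboard_partner(self, partner: str):
        self._keks[partner] = secrets.token_bytes(32)

    def share(self, partner: str, share_id: str, plaintext: bytes) -> SharedBundle:
        dek = secrets.token_bytes(32)                      # fresh key per share
        self._ledger[share_id] = partner
        return SharedBundle(share_id, seal(dek, plaintext), seal(self._keks[partner], dek))

    def unwrap(self, partner: str, bundle: SharedBundle) -> bytes:
        if bundle.share_id in self._revoked or self._ledger.get(bundle.share_id) != partner:
            raise PermissionError(f"{partner} may not unwrap {bundle.share_id}")
        return open_sealed(self._keks[partner], bundle.wrapped_dek)   # KeyError if offboarded

    def revoke_share(self, share_id: str):
        self._revoked.add(share_id)

    def offboard_partner(self, partner: str):
        """Destroy the KEK: every bundle wrapped under it becomes unrecoverable."""
        del self._keks[partner]

    def shares_held_by(self, partner: str):
        return sorted(s for s, p in self._ledger.items() if p == partner)


def partner_read(steward: DataSteward, partner: str, bundle: SharedBundle):
    """What a third party can do with its copy: returns plaintext, or None if access is denied/broken."""
    try:
        return open_sealed(steward.unwrap(partner, bundle), bundle.ciphertext)
    except (PermissionError, KeyError, ValueError):
        return None


def run_demo() -> dict:
    steward = DataSteward()
    steward.onboard_partner("acme-analytics")                    # assumed partner name
    record = b'{"user": 42, "likes": ["cats", "rowing"]}'         # constructed sample record
    bundle = steward.share("acme-analytics", "share-0001", record)
    tampered = SharedBundle(bundle.share_id, bundle.ciphertext[:-1] + bytes([bundle.ciphertext[-1] ^ 1]),
                            bundle.wrapped_dek)
    results = {"before_revoke": partner_read(steward, "acme-analytics", bundle),
               "tampered": partner_read(steward, "acme-analytics", tampered),
               "wrong_partner": partner_read(steward, "someone-else", bundle),
               "tracked": steward.shares_held_by("acme-analytics")}
    steward.revoke_share("share-0001")
    results["after_revoke"] = partner_read(steward, "acme-analytics", bundle)
    steward.offboard_partner("acme-analytics")
    results["after_offboard"] = partner_read(steward, "acme-analytics", bundle)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:15s} {v!r}")
```

The caveat a practitioner should keep in view: revocation and key destruction stop future reads of the ciphertext, but they cannot claw back a data key or plaintext the partner cached while access was valid. That is exactly why the post insists on controls that act before data reaches a third party, and on tracking every copy handed out, rather than relying on a contract to get it back afterwards.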

Facebook shows that API terms of use and contracts obviously cannot protect data alone. We need technology and innovation in data protection. Data stewards must maintain control of their customers’ data when it is in third party hands. Fortune 500 companies need to completely rethink their current strategies around cloud data, APIs, and AI/ML. The blueprints that CIOs, CISOs, and CTOs have followed to date — written from the Facebook playbook — obviously need serious scrutiny.

What’s the new paradigm? Nobody has all the answers. But we can all agree that something has to change.
