The Recent Facebook Breach Shouldn’t Lead to GDPR Fines

Facebook is reportedly facing a fine of up to $1.6B for last month’s hack of ~50M Facebook accounts (~4M belong to Europeans). My view is that any fine would be a bad idea.

Incentives Matter: Data breach fines should match the actual damage done.

Data breach fines are useful to the extent they incentivize companies to invest in security measures. But they shouldn't incentivize overinvestment, because that would take resources away from other valuable activities (say, content moderation, feature improvement, or investment in new technologies).

A strict liability rule does this. In the context of an Internet company, that rule makes companies liable for the data-security damages they cause if they haven't taken sufficient care designing their systems (i.e., their products are defective) or they haven't implemented reasonable security precautions (like the NIST cybersecurity framework).

By all accounts, Facebook had reasonable security measures in place.

Per the detailed reporting on the hack, nothing Facebook did was intentional, reckless, or unreasonable. Instead, the breach was the result of a series of bugs that, operating in concert, gave hackers access to user data:

The first bug prompted Facebook's video upload tool to mistakenly show up on the "View As" page. The second one caused the uploader to generate an access token—what allows you to remain logged into your Facebook account on a device, without having to sign in every time you visit—that had the same sign-in permissions as the Facebook mobile app. Finally, when the video uploader did appear in "View As" mode, it triggered an access code for whoever the hacker was searching for.

“This is a complex interaction of multiple bugs,” Rosen said, adding that the hackers likely required some level of sophistication. . . .

“It’s easy to say that security testing should have caught this, but these types of security vulnerabilities can be extremely difficult to spot or catch since they rely on having to dynamically test the site itself as it’s running,” says David Kennedy, the CEO of the cybersecurity firm TrustedSec.
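The three-bug chain in the quoted reporting comes down to one broken invariant: a token minted while a "View As" preview is active ended up bound to the previewed identity, with full app permissions. The Python below is an added example, not Facebook's code or anything from the reporting; the session, token, scope names and sample sessions are constructed to model that invariant and the kind of check a test suite could run to catch a feature (like the uploader) that requests a token inside a preview session.

```python
"""
Simplified model (constructed, not Facebook's code) of the bug chain described
above: a "View As" preview session, a feature that asks for an access token
while the preview is active, and two token minters. The flawed minter binds the
token to whichever identity is currently being shown; the hardened minter only
ever binds tokens to the authenticated principal and downgrades scopes while a
preview is active.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Hypothetical scope sets: what the mobile app gets vs. what a preview may use.
APP_SCOPES = frozenset({"read_profile", "post_status", "read_messages"})
PREVIEW_SCOPES = frozenset({"read_profile"})


@dataclass(frozen=True)
class Session:
    authenticated_user: str            # who actually logged in
    view_as: Optional[str] = None      # identity being previewed, if any


@dataclass(frozen=True)
class Token:
    subject: str                       # the user this token acts as
    scopes: FrozenSet[str]


def mint_token_flawed(session: Session) -> Token:
    # Bug: the minter trusts the session's "current identity" without asking
    # whether that identity is the real principal or only a preview target,
    # and always hands out app-level scopes.
    current = session.view_as or session.authenticated_user
    return Token(subject=current, scopes=APP_SCOPES)


def mint_token_hardened(session: Session) -> Token:
    # Tokens are only ever bound to the authenticated principal, and a preview
    # session receives a reduced scope rather than app-level scopes.
    if session.view_as is not None:
        return Token(subject=session.authenticated_user, scopes=PREVIEW_SCOPES)
    return Token(subject=session.authenticated_user, scopes=APP_SCOPES)


def video_uploader_init(session: Session, minter: Callable[[Session], Token]) -> Token:
    """Models bug 1: the uploader renders inside View As and, as part of
    initialising, requests a token (bugs 2 and 3 live in the minter)."""
    return minter(session)


def token_binding_violations(
    sessions: List[Session], minter: Callable[[Session], Token]
) -> List[Tuple[Session, str]]:
    """Defensive check for a test suite or audit: every token minted during a
    session must be bound to that session's authenticated user, and a preview
    session must never receive app-level scopes."""
    violations = []
    for s in sessions:
        tok = video_uploader_init(s, minter)
        if tok.subject != s.authenticated_user:
            violations.append((s, "token subject is not the authenticated user"))
        if s.view_as is not None and not tok.scopes <= PREVIEW_SCOPES:
            violations.append((s, "preview session received app-level scopes"))
    return violations


# Constructed sample sessions: a normal login and a View As preview.
SAMPLE_SESSIONS = [
    Session("alice"),
    Session("alice", view_as="bob"),
]

if __name__ == "__main__":
    for name, minter in (("flawed", mint_token_flawed), ("hardened", mint_token_hardened)):
        print(name, token_binding_violations(SAMPLE_SESSIONS, minter))
```

The point of the check is that it is dynamic, which matches Kennedy's remark above: it exercises the feature inside a preview session and inspects the token it actually receives, rather than relying on a static rule about where the uploader is allowed to render.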

In any sufficiently complicated system, there will be vulnerabilities. And in the event of any breach, we will be able to point out a measure that the company could have taken that would have prevented the mistake. But that doesn’t mean Facebook was unreasonable in its product design or security measures.

Facebook has more than ten thousand people (!!) in its security team and has vowed to double it by the end of the year. And that team is one of the most sophisticated security teams in the world. Facebook has a bug bounty program that pays out millions of dollars a year (incentivizing ethical hackers to find bugs just like this). Finally, Facebook isn't making trivial or relatively simple mistakes, like the one that British Airways made. In terms of data security, it appears to be doing everything right.

The fine should be $0.

So the Irish DPC should decline to fine Facebook. This isn't unprecedented or unusual. The FTC investigated and declined to fine Target when it had 70M+ credit cards pwned. That’s because the breach wasn’t the result of carelessness. That breach was the result of a clever attack. And no matter how careful you are, you can get pwned.

[By the way, there is a whole analysis to be done about whether, from a purely legal perspective, the GDPR and WP29 guidance allow for fines in this instance. I am saving that for another day.]

To be clear, my argument isn’t that Facebook should never be fined. The Cambridge Analytica situation might be (is) another matter entirely.

A large damage award creates an extortion market; an extortion market creates risks to user data.

Not only would a fine serve no purpose other than to skew resources towards data security and away from other beneficial activities, but it could also create a big extortion market.

Here's why. Suppose the Irish DPC issues a $1.6B fine. What happens next? In the very short term, not much. Facebook pays it, the Irish government gets $1.6B richer, and the Irish DPC pats itself on the back for a job well done. But that’s not all. Criminals read the newspapers too. They figure out that hacking just became more valuable. This is their new (well, it's not really new) business model:

  1. Hack into a website
  2. Make an extortion demand
  3. Get paid (or don’t and release the information, making your next threat more credible)
  4. Repeat

As I said above, this nefarious business plan isn’t really new. From a Brian Krebs blog post this month (emphasis added):

The Dark Overlord’s [hacker's] method was roughly the same in each attack. Gain access to sensitive data (often by purchasing access through crimeware-as-a-service offerings), and send a long, rambling ransom note to the victim organization demanding tens of thousands of dollars in Bitcoin for the safe return of said data.

Victims were typically told that if they refused to pay, the stolen data would be sold to cybercriminals lurking on Dark Web forums. Worse yet, TDO also promised to make sure the news media knew that victim organizations were more interested in keeping the breach private than in securing the privacy of their customers or patients.

I will be surprised if the fine is $0.

The EU’s deeply cynical view towards large U.S. tech companies means Facebook will likely receive a substantial fine. TechCrunch interviewed the European Union’s data protection supervisor, Giovanni Buttarelli, about the Facebook breach and he appears to have an ax to grind:

He . . . professes himself “not surprised” about Facebook’s latest security debacle — describing the massive new data breach the company revealed on Friday as “business as usual” for the tech giant. And indeed for “all the tech giants” — none of whom he believes are making adequate investments in security.

“In terms of security there are much less investments than expected,” he also says of Facebook specifically. “Lot of investments about profiling people, about creating clusters, but much less in preserving the [security] of communications. GDPR is a driver for a change — even with regard to security.”

Other Thoughts and Questions

  • Will a big fine increase the amount companies will be paying out of their bug bounty program? Has the specter of big GDPR-related payouts already done so?
  • Is bad publicity a sufficient incentive for the tech companies to adopt commercially appropriate security practices? My guess is yes.
  • Timing matters. If this breach had happened at a time when there wasn’t widespread panic about Facebook, we wouldn’t be talking about billion-dollar fines.