Facebook wants you to believe that the scraping of 533 million people’s personal data from its platform, and the dumping of that data online by nefarious people, is something to be “normalised.”
A blundering Facebook public relations operative managed to send a journalist a copy of an internal document detailing the antisocial network's strategy for containing the leaking of 533 million accounts – and what the memo contained was infuriating though unsurprising.
Belgian tech journalist Pieterjan van Leemputten asked the Mark Zuckerberg-owned company some questions about the theft and dumping online of account data earlier this month.
Miscreants had helped themselves to 70GB of names, phone numbers, dates of birth, email addresses, and more from people's Facebook profiles, thanks to a security weakness in the platform. Having stolen the data in 2019, crims bought and sold it among themselves before one shared it via a Tor-hidden site in early April, inviting anyone to come and help themselves to it all.
Yet when van Leemputten asked Facebook’s mouthpieces to respond, what he got in return was quite unexpected. As he told The Register: “Facebook accidentally sent me an internal email where they literally state that they will frame the recent 533 million data leak as a ‘broad industry issue’ and that they want to normalize this.”
Flabber suitably ghasted, van Leemputten wrote it up (in Dutch). The key part of the email he received stated:
Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact this activity happens regularly. To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area.
The Belgian journalist also pointed out that Facebook’s claims that the data-leaking vulnerability only existed during 2019 may have been untrue: two years before that date, a bug hunter called Inti de Ceukelaire wrote about uncovering private phone numbers uploaded to Facebook – and also wrote that Facebook’s security team dismissed his findings, saying “it doesn’t expose any additional user information which wasn’t already public.”
We asked Facebook if it wanted to comment on their blunder, and a spokesperson said: "It shouldn’t surprise anyone that our internal documents reflect what we’ve said publicly.
"As LinkedIn and Clubhouse have shown, data scraping is an industry-wide challenge which we are committed to tackling and educating users about. We understand people's concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it."
According to the email, Facebook execs want their website to be seen as something that sits above little people like governments and regulators. Pointing out that press coverage of Facebook’s mealy-mouthed non-apology earlier this month for the scraped data being stolen and then posted online summed up the web giant's position as “evasive” and “a deflection of blame,” the email’s sender wrote:
These pieces are often driven by quotes from data experts or regulators, keen on criticizing the company’s response as insufficient of [sic] framing the company's assertion that the information was already public as misleading.
Facebook’s next statement about “data portability,” aka “the thing that triggered the Cambridge Analytica farce,” is scheduled for April 22. So said the email, anyway. ®