Facebook has admitted that data of nearly all its 2 billion users was possibly scraped and accessed by malicious actors. Facebook’s revelation comes after it said that data from nearly 87 million profiles was accessed by Cambridge Analytica, and not 50 million as was reported. Facebook CEO Mark Zuckerberg, in a statement to the press, has admitted that the company has not done enough to protect user data.
In the statement shared on the company’s newsroom, Facebook CEO Mark Zuckerberg told the press, “It’s clear now that we didn’t do enough. We didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well. That goes for fake news, foreign interference in elections, hate speech, in addition to developers and data privacy.” Zuckerberg added that the company did not have a broad enough idea of its responsibility towards users and “that was a huge mistake.”
“It was my mistake,” he added.
He also said that Facebook is going to take some big steps to protect users, especially in countries where elections are coming up. Facebook has around 15,000 people working on security and content review, and by the end of 2018, it plans to add more than 20,000 to this force. Zuckerberg admitted this is an important year. “This is going to be a big year of elections ahead, with the US midterms and presidential elections in India, Brazil, Mexico, Pakistan, Hungary and others — so this is going to be a major focus for us,” he said.
The Facebook CEO was also asked how the company arrived at the number of 87 million users being impacted by Cambridge Analytica. Zuckerberg said, “We wanted to take a broad view that is a conservative estimate. I am quite confident that given our analysis that it is not more than 87 million. It very well could be less, but we wanted to put out the maximum we felt that it could be as that analysis says.”
In a detailed post by Facebook’s Chief Technology Officer Mike Schroepfer, it was revealed that the account recovery and search tools, which use the email address and phone number from a profile, could have been used to scrape information about nearly all of the social network’s users. “However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery,” says the post.
When asked how the company figured this out and why it did not inform the public immediately, Zuckerberg explained that the setting controlling who can look a user up by contact information is on by default, and most users have it turned on. He added, “Most people have that turned on, and that’s the default, but a lot of people have also turned it off. So it’s not quite everyone, but certainly the potential here would be that over the period of time that this feature has been around, people have been able to scrape public information.” He did not explain why the company did not inform users of the issue.
On ‘Search and account recovery’, the Facebook CTO’s blog post says, “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.”
Facebook also responded to the charge that it was collecting all call logs and metadata from messages. The company says it will delete all call logs older than one year, and reiterated that it was not collecting the contents of a user’s message. The company also said that in future, “the client will only upload to Facebook servers the information needed to offer this feature and not broader data such as the time of calls.” Also, from April 9, Facebook will show users a link at the top of their News Feed so they can see what apps they use and the information shared with those apps.