If Facebook is unregulated, does it need to protect user data and offer secure web applications?

Security expert defends Facebook claiming that as it is unregulated, it is not required to offer secure web applications.

Writing in a blog posting, Boaz Gelbord, executive director of information security at Wireless Generation and founder of Security Scoreboard, claimed that Facebook is ‘under no obligation to provide any real security controls to its users'.

He said that even though its ‘mission is not entirely at odds with security', ‘Facebook has an interest in providing application security in so far as it does not impede its vision of becoming the web's authoritative social platform'.

He claimed that Facebook is under no obligation to provide anything beefier', as unless companies are in a regulated industry they are under almost no specific obligation to offer secure web applications.

Gelbord said: “Unlike privacy regulations, this statement is true across all major jurisdictions. Laws will limit who you can share data with, and in some cases like children whether information can be collected to begin with. But they impose virtually no requirements on small businesses on how or even whether they need to secure their data.

“This means that anybody can fire up a web application and start collecting, storing and processing data that may or may not be sensitive to its owner. And they can do this while being under almost no legal or business requirement to provide adequate security.”

One user begged to differ, commenting that they did not agree with the statement regarding being in a regulated industry, claiming that the European Union requires that anybody who processes personal data (including through websites) of EU citizens is required to implement appropriate measures to protect that data.

They pointed to article 17 of the EU Data Protection Directive (95/46/EC), which states: “Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”

The person who commented said: “EU countries have adopted this directive into their own national Data Protection legislation. So if somebody creates a website to processes personal information in an EU country they need to ‘implement appropriate technical and organisational measures to protect personal data'.

“I certainly agree that the requirements are hopelessly vague - what does ‘appropriate' mean? However any website that processes personal information belonging to EU citizens needs to comply with this Data Protection legislation.”

Gelbord said: “The way I see it, the EU regulations and notices in fact underscore the non-existence of even general technical legal requirements to secure applications. The only thing they seem to preclude is publicly posting personal information in a directly accessible way on a website, which no one would really do in practice anyhow. Almost all applications require some sort of authentication, however weak, for business reasons.

“The fact that in its FAQ, the UK Information Commissioner does not even require SSL for personal information in transit shows just how non-committal this requirement for appropriate measures really is.

Sign up to our newsletters