The timing of reports that Facebook has been asking users to provide their passwords as a means of verification could not come at a worse time (see further down this story). This huge privacy error comes as Facebook CEO Mark Zuckerberg has called on governments and regulators to introduce new laws and regulations to prevent the spread of harmful content online and to preserve election integrity, privacy, and data portability. Critics question Facebook's own privacy credentials and suggest it is seeking to set the online regulation agenda in a way that does not limt its own data-gathering activities.
If it wasn't already under enough scrutiny, its has been reported this week that Facebook had a requirement for some new signups to the social network to provide their email passwords for the purposes of verification. ZD-Net quotes a Facebook spokesperson subsequently saying: "We understand the password verification option isn't the best way to go about this, so we are going to stop offering it."
In an email to SC Media UK, George Cerbone, principal solution architect at One Identity, agreed, commenting: "There is no reason, ever, under any circumstances, that a third party should be asking for your password. This is about the worst thing you can do from a security perspective. We train users that a third party is asking for your password, they are up to no good and you should immediately stop using that service. Which might be good advice here."
Also in agreement is Richard Walters, CTO of CensorNet, saying: "Facebook has broken the number one cardinal rule when it comes to authentication – asking people to provide complete login information for a separate service as a form of verification. It’s another black mark against the social media giant which continues to exemplify bad practice again and again. Savvy users would have avoided this option at all costs – especially considering Facebook’s spotty track record. What’s particularly worrying is a vast number of users many well not be tech savvy. This most vulnerable set of users are likely to have blindly followed the site’s instructions without question, and may find it harder to spot when they are being targeted for cyber-crime.
"For anyone who has used this service, it’s probably wise to revisit the ‘Need help?’ section and choose a more secure verification method, that doesn’t put their credentials at risk of unnecessary exposure. Then reset their passwords to nullify that data if it did ever get into the hands of criminals. Facebook says it is stopping this practice, but it’s another surprisingly big blunder, especially when there are so many robust and secure ways for companies to carry out user verification."
The news followed an earlier article published by The Washington Post, where Zuckerberg stated that even though Facebook has taken various steps in the past to prevent the dissemination of harmful content on its platforms, people can use a large number of online sharing services to spread such content with each service having its own unique policies and processes.
Therefore, there is a need for a standardised approach that will involve regulators setting standards governing the distribution of harmful content and measuring companies against those standards. This will ensure that the fight against harmful content will take place across all online sharing services and platforms.
Zuckerberg added that similarly, governments should also enact laws to protect the integrity of elections as there is a need for common standards to determine what ads are political in nature, whether ads are sponsored by political actors, and whether political campaigns are using data and targeting to enhance their reach. The onus of identifying whether an ad is political or not cannot be placed on individual online platforms.
He also called for governments around the world to enact GDPR-like legislations and ensure the creation of a common global framework which will "ensure that the Internet does not get fractured, entrepreneurs can build products that serve everyone, and everyone gets the same protections".
"I believe it would be good for the Internet if more countries adopted regulation such as GDPR as a common framework," he said. "It should protect your right to choose how your information is used — while enabling companies to use information for safety purposes and to provide services. It shouldn’t require data to be stored locally, which would make it more vulnerable to unwarranted access. And it should establish a way to hold companies such as Facebook accountable by imposing sanctions when we make mistakes.
While the idea of a global data protection framework to prevent the spread of harmful content online and to preserve election integrity, privacy and data portability is one that must be pursued, it is also true that a vast majority of people, especially those in the UK, want Facebook itself to be regulated as the platform has been found lacking when it came to protecting data privacy of its users or curbing developers' access to user data.
According to a recent survey carried out by Eskenzi PR, 83 percent of UK consumers believe Facebook needs to be regulated compared to around four percent who don't and those who are in favour of regulation are concerned about privacy issues, data misuse, cyber bullying and that the platform is being used by cyber-criminals.
"There are other reasons why Facebook deserves more scrutiny as well. Facebook pesters users to enter profile information about their relationship status, employers, hometown, education, and much more. That stuff is a goldmine for people who want political demographic data to use in targeted advertisements and posts containing fake news. Instagram and Twitter, for example, have much simpler profile pages with one-line bios and fewer personal details," said Paul Bischoff, privacy advocate at Comparitech.com.
"The way Facebook deals with developers also makes it a target for regulation. Third-party apps and websites allow users to log in with their Facebook accounts in return for personal details stored in those accounts. Other social networks do this, too, but Facebook and Google accounts are by far the most popular ones to log in with.
"Facebook has vastly improved how it deals with third-party apps and websites, such as by removing third-party access to websites and apps that the user hasn't recently interacted with. But Facebook in the past has given certain developers preferential treatment by allowing them to circumvent those rules or be grandfathered into older guidelines, and that's certainly a reasonable cause for EU regulators to step in," he added.