Last week, thanks to investigative reporting, we learned that Facebook discovered in January that it was storing millions of users’ passwords in plain text format, making them fully readable for thousands of its employees. Facebook has acknowledged that this was a serious security error and privacy breach on its side, as its systems, ideally, “are designed to mask passwords using techniques that make them unreadable”, and promised that it “will be notifying everyone whose passwords we have found were stored in this way.” There is no evidence that any of the thousand employees with access to these unencrypted passwords actually accessed them, but Facebook’s decision to remain mum reveals an important lesson for the overarching privacy and security policy debate. Importantly, data security incidents are a widespread problem that goes well beyond Facebook.
Today, the Federal Communications Commission voted to approve a Fourth Further Notice of Proposed Rulemaking that seeks to adopt a vertical, or “Z-axis,” metric to enhance location accuracy for wireless E911 calls. The vote follows a recent Motherboard investigation into carriers selling or giving away this information to third parties. Public Knowledge recently filed an ex parte arguing for amending the FNPRM to address this oversight and applauds Commissioner Geoffrey Starks for taking consumer privacy concerns seriously.
Over the last three months, Motherboard’s Joseph Cox has produced an excellent series of articles on how the major mobile carriers have sold sensitive geolocation data to bounty hunters and others, including highly precise information designed for use with “Enhance 911” (E911). As we pointed out last month when this news came to light, turning over this E911 data (called assisted GPS or A-GPS), exposing E911 data to third parties -- whether by accident or intentionally, or using it in any way except for 911 or other purposes required by law violates the rules the Federal Communications Commission adopted in 2015 to protect E911 data.
Yesterday, the Senate Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations released its report on a probe into the 2017 Equifax hack stating that the company’s response was both “inadequate” and “hampered by [a] neglect of cybersecurity.” The report finds that the company’s shortcomings are both “long-standing” and “reflect a broader culture of complacency toward cybersecurity preparedness.”
This week featured back-to-back privacy hearings on Capitol Hill to discuss principles for federal privacy legislation. With the one-year anniversary of the European Union’s General Data Protection Regulation implementation coming in May and the California Consumer Privacy Act taking effect in 2020, industry players that have fiercely lobbied against federal privacy legislation in years past are now suddenly calling on Congress to pass a comprehensive privacy bill this year. Here’s a quick look at what happened in each hearing and a few key takeaways.