Last week, thanks to investigative reporting, we learned that Facebook discovered in January that it was storing millions of users’ passwords in plain text format, making them fully readable for thousands of its employees. Facebook has acknowledged that this was a serious security error and privacy breach on its side, as its systems, ideally, “are designed to mask passwords using techniques that make them unreadable”, and promised that it “will be notifying everyone whose passwords we have found were stored in this way.” There is no evidence that any of the thousand employees with access to these unencrypted passwords actually accessed them, but Facebook’s decision to remain mum reveals an important lesson for the overarching privacy and security policy debate. Importantly, data security incidents are a widespread problem that goes well beyond Facebook.
App stores, such as Google Play and Apple’s App Store, have been good for consumers and independent developers in a number of ways. When they work well, they provide consumers with a convenient way to find and buy software that is safe and functional. I remember when my non-technical friends would never install software on their PCs, assuming that it was all a scam or malware of some kind. Now these same people can confidently install, use, and uninstall apps without fearing that it will ruin their devices or steal their personal information. Again, this is when things are working right. There are always bad actors to be vigilant against, and different app store curators do their jobs more and less well.
Last week, the New York Times reported that Facebook has decided to integrate the back-end infrastructures of its three fully-owned messaging products: Facebook Messenger, WhatsApp, and Instagram. At Public Knowledge, aware of the different nature, features, and conditions of use of these three services, we are carefully following the possible privacy and security and competition implications of this market-changing move.
Europe’s new privacy law, the General Data Protection Regulation (GDPR) will enter into force in May 2018. Understandably, given that data breaches and privacy violations have been in the headlines lately -- and given that the GDPR will reshuffle privacy protection in Europe and beyond -- many in the United States are looking to the GDPR for ideas of what to do - and what not to do. We think that it would be impractical and ineffective to copy and paste the GDPR to U.S. law -- the institutions and legal systems are just too different.