April 15, 2023: About a month back, a Dutch court found that US-based Meta’s European subsidiary, Facebook Ireland, had violated a domestic privacy law by misusing the personal data of the citizens of the Republic of Ireland between 2010 and 2020.
“Personal information was processed for the purposes of advertising, when in this case, that is not allowed… Personal information was given to third parties without Facebook users being informed and without there being a legal basis to do so,” the court said in its ruling after hearing a lawsuit filed by Data Privacy Stichting.
What the court found is only the latest in a series of controversial cases over the years where tech conglomerate Meta – which owns Facebook, Instagram, and WhatsApp – or its subsidiaries have been found guilty of data breaches and other instances of data-related misuse.
More than 77% of internet users, nearly 3.6 billion people, are active on at least one Meta platform. With a market capitalisation of $571 billion, and helped along by the deep penetration of smartphones, CEO Mark Zuckerberg’s Meta Platforms is shaping trends and influencing minds on every continent.
Only in November last year, US news portal The Markup exposed how major tax filing services were sharing with Facebook sensitive financial information about Americans who file taxes online.
The information that was shared included details of the users’ income, filing status, refund details, and college scholarship details of dependants. The unauthorised sharing of the information placed Facebook in a position to tweak and improve its algorithms for targeted ads.
The news report said the data went from the tax filing service networks to Facebook via the Meta Pixel analytics tool. Pixel, which is owned by Meta, is an advanced piece of code that quietly tracks activities on a web page. If you have a business website with Meta Pixel installed on it, it potentially paves the way for Zuckerberg’s office to get real-time updates on your website visitors’ activities without them knowing it, provided you decide to allow the data-sharing.
Interestingly, the tech company can use the shared data regardless of whether the people using the tax filing service use Facebook, Instagram, WhatsApp, or any other Meta product.
US patients’ medical data compromised?
Before the revelation about tax filing services, the news publication last year had dropped another bombshell with a report about Facebook possibly collecting sensitive data of patients in the US. According to the news report, Meta Pixel is installed in 33% of the top US hospitals’ websites, quietly collecting data about the site’s visitors.
The sensitive health information includes details about the patients’ medical conditions, prescriptions, and doctor’s appointments.
The publication said it tested the websites of the top 100 hospitals in America as judged by a weekly news magazine. “On 33 of them, we found the tracker, called Meta Pixel, sending Facebook a packet of data whenever a person clicked a button to schedule a doctor’s appointment. The data is connected to an IP address — an identifier that’s like a computer’s mailing address and can generally be linked to a specific individual or household — creating an intimate receipt of the appointment request for Facebook,” the report disclosed.
The Markup said that according to its investigation, on one or the other of the 33 hospital websites, Facebook was privy to the doctor’s name and the search term used to find them for queries related to pregnancy termination, home abortion etc., names of patients’ medications, medicine dosage, full details of the booking form, descriptions of their allergic reactions, and even their sexual orientation.
The Markup also found Meta Pixel installed inside the password-protected patient portals of seven hospitals.
The investigation brought out that Facebook was going for a quid pro quo arrangement with the websites. “In exchange for installing Pixel, Meta provides website owners analytics about the ads they’ve placed on Facebook and Instagram and tools to target people who’ve visited their website,” the report said.
The news portal said that after it published its findings, only seven of the 33 hospitals removed Meta Pixel from their appointment booking pages, and five of those seven removed it from their patient portals.
Another sensational data breach happened in April 2021, when the personal information of 533 million Facebook users was made public on an online forum.
Timeline of Facebook’s data breaches
Let’s take a look at the timeline of Facebook’s data breaches and privacy violations.
November 2022: Ireland’s Data Protection Commission slapped a €265 fine on Meta for violating the EU’s General Data Protection Regulation, called GDPR, as part of the April 2021 episode.
November 2022: A news media probe revealed that top tax filing service firms in the US shared sensitive financial data about users with Facebook via the Meta Pixel tool.
September 2022: The DPC levied a €405m fine on Instagram for privacy violations over the processing of personal data of child users of the Meta-owned social networking service.
June 2022: It was reported that Facebook may have been collecting intimate medical data of online users of the websites of 33 prominent American hospitals, using Meta Pixel.
April 2021: A sensational data breach came to light when the personal information of as many as 533 million Facebook users was made public on an online forum. The breach took place in 2019.
June 2020: Facebook claimed it “accidentally” shared user data with third-party developers who had no business to access the information.
December 2019: A Vietnam-based hacker group captured data – names, phone numbers, and Facebook IDs – from over 342 million Facebook accounts in two tranches.
September 2019: The Facebook IDs, phone numbers, user names, country locations, and gender information of 419 million Facebook users were found on an unsecured server.
July 2019: The FTC (US Federal Trade Commission) imposed a $5 billion penalty and ‘new privacy restrictions’ on Facebook.
April 2019: Facebook uploaded 1.5 million users’ email contacts without permission.
April 2019: 540 million Facebook user records were found on an Amazon cloud public server by researchers with the security firm UpGuard. The data included Facebook IDs, account names, comments, reactions, likes, and more.
March 2019: Up to 600 million Facebook passwords were found stored in plaintext files, some dating back to 2012.
December 2018: A New York Times report revealed Facebook was selling user data without permission to over 150 companies, including Netflix and Spotify.
September 2018: Cyber attackers accessed data of up to 90 million Facebook users due to a flaw in the platform’s ‘View As’ feature.
May 2018: A Facebook bug made 14 million users’ private posts public.
March 2018: The Cambridge Analytica scandal broke, as the world learnt that the data of millions of Facebook users was compromised. It emerged that the British political consulting company had harvested the FB data of at least 87 million voters in the lead-up to the 2016 US election that Donald Trump won. Separately, Cambridge Analytica was later charged with harvesting the user database on Facebook to influence the outcome of the 2016 Brexit vote.
November 2016: Facebook faced intense criticism for misinformation circulated on its platform about the 2016 US election, with Buzzfeed reporting that fake news outperformed correct reports. Zuckerberg apologised and spelt out plans to improve how his company works.
March 2014: Facebook came under fire after it was revealed that it subjected 70,000 unsuspecting users to psychological tests in 2012 by deleting certain words from their newsfeeds – without their knowledge – to see whether it impacted their reactions to posts. Sheryl Sandberg, Facebook COO at that time, later apologised, saying the experiment was “poorly communicated”.
June 2013: A bug exposed sensitive personal data of six million Facebook users in a goof-up related to the contact information archive that let users’ email addresses and phone numbers be viewed by unauthorised individuals.
November 2011: Facebook settled with the US FTC on privacy charges related to the company’s failure to keep user data private.
May 2010: A US news outlet revealed that Facebook was sharing user data without their consent with advertisers via a feature called ‘Privacy Loophole’. Facebook initially stonewalled, saying it didn’t hold the information concerned as “personally identifiable”.
December 2009: Facebook made a tranche of user data public by shifting to a forum where users share information publicly.
December 2007: Facebook’s Beacon advertising programme sparked a controversy. In what is considered Facebook’s first privacy breach episode, Beacon drew criticism for tracking user purchases on other websites and then posting the tracked information on Facebook. After drawing flak, Facebook introduced an opt-out option for Beacon for its users.
IT GOES WAY
While Meta is leading the list of data breaches and privacy concerns, the increasing use of other companies’ tools, such as LinkedIn, Snapchat, Twitter, Zoom, and Chinese-owned TikTok, makes the entire social media spectrum a potential landmine of data misuse offences.
It’s true that privacy laws are in place across the world; the most stringent of them can be found in the EU. Yet, as repeated scandals involving Big Tech companies have shown, sensitive user data is never really fully insulated from risk and misuse despite the threat of legal ramifications.
For instance, in July 2022, Twitter was hacked and 200 million user email addresses were posted on the dark web. These leaked email addresses can at any time give rogue actors the information they need to unleash malicious attacks.
Almost all the data breach incidents discussed in this report seemingly originated in the western world, where all leading social media apps and microblogging sites are based. And the scandals span the most sensitive of user data, such as income details, tax records, medical issues, sexual orientations, political leanings, shopping tastes, spending patterns, and so on.
DO INDIANS FACE THE SAME THREAT?
If US-based Big Tech companies can let data breach incidents happen right in their homeland often with near-impunity, it’s not difficult to imagine them allowing similar privacy breaches to happen in other parts of the world, particularly in countries such as India, which US Inc. treats largely as a profitable market.
Who knows if the Meta Pixel tracker is not installed on the websites of thousands of hospitals in India? Or if unsuspecting Indians’ tax records are not being collected by rogue data thieves? Or if smartphone-loving Indian voters aren’t being influenced by manipulated Facebook newsfeeds?