Privacy Advisor

Facebook’s White Hat Program Helped Uncover Glitch

June 28, 2013

By Angelique Carson, CIPP/US

Facebook this week announced that a glitch exposed the personal information of six million users.

A bug was reported, indicating some users’ contact information was accessible by other users via the site’s “Download Your Information” feature. Those affected totaled around six million, but the company emphasized in its blog post that the information was only accessed by people who “either had some contact information about that person or connection to them.”

The incident has prompted some security experts to call for tighter controls on social networking sites, with one expert saying that the glitch makes phishing that much easier now.

However, in an interview with the IAPP, a Facebook spokeswoman said the glitch involved a “coding error in our system” and was not indicative of faulty privacy controls.

At the IAPP Global Privacy Summit earlier this year, Facebook CPO Erin Egan discussed the ways Facebook places a premium on privacy by using a cross-functional team, with experts studying each product Facebook launches. Asked whether such a team played a role in discovering the bug, Facebook said that while it has “baked privacy into the products we engineer, no technology company can guarantee that its products will be 100-percent free of bugs.”

To catch such bugs, the company runs a White Hat program, which invites external security researchers to report vulnerabilities, in some cases for a monetary “bug bounty.” It was through this program that the glitch was uncovered. The spokeswoman said the Bug Bounty Program is an integral part of both the security and privacy program in that it “provides an incentive for outside researchers to report bugs to us so that we can fix them as quickly as possible. This is exactly the kind of program that mitigates risk for users.”

Facebook notified regulators in the U.S., Canada and Europe and has been notifying affected users via e-mail. While Facebook is not mandated by any laws to disclose a breach, the company says it did so because it always strives for transparency with users and “wanted to notify affected people so they can take any action they deem necessary.”

Asked whether the quick disclosure had anything to do with the emotionally charged climate following revelations that the National Security Agency had been less than transparent on its own operations, Facebook said the bug was not related to privacy settings or practices, nor was it government related, but added, “We aggressively protect our users’ data when confronted with any law enforcement request, including those related to national security. We will continue to scrutinize every government data request that we receive.”

The company recently released a report on the number of government requests for user data in an effort to increase transparency.
