Fraud Management & Cybercrime , Governance & Risk Management , Privacy

Prosecutors Probe Facebook's Data Deals

New York Grand Jury Subpoenas Records in Criminal Probe - Report
Prosecutors Probe Facebook's Data Deals
Facebook CEO Mark Zuckerberg outlines the company's 10-year roadmap at the company's annual developer conference on May 2, 2018. (Photo: Facebook)

Facebook's data deals and privacy practices continue to be probed, including as part of a criminal investigation in New York.

See Also: AI in Cybersecurity: The Promise and Reality

As part of that probe, a New York federal grand jury "has subpoenaed records from at least two prominent makers of smartphones and other devices," both of which "had entered into partnerships with Facebook, gaining broad access to the personal information of hundreds of millions of its users," The New York Times reported on Wednesday, citing two anonymous sources.

It's not clear when the criminal probe, being conducted by the U.S. attorney's office for the Eastern District of New York, first launched or what it is investigating, the Times reports.

Facebook did not immediately respond to Information Security Media Group's request for comment.

"We are cooperating with investigators and take those probes seriously," a Facebook spokesman told the Times. "We've provided public testimony, answered questions and pledged that we will continue to do so."

At one time, Facebook had data-sharing deals with more than 150 companies, including Amazon, Apple, Microsoft and Sony, the Times reported. Other companies with access to Facebook data included ABC Television Network, dating site Hinge, streaming service Netflix, Russian webmail portal,'s "social listening tool" Radian6 and shipping giant UPS.

Last year, Facebook told Congress that it had phased out deals with many of these companies beginning in 2015. But the Wall Street Journal reported last June that Facebook had struck special deals with many companies, including Nissan, that allowed them to access data for much longer (see: Facebook to Congress: We Shared More Data Than We Said).

Facing questions from lawmakers, Facebook told the House Energy and Commerce Committee in 747 pages of answers last year that third parties and external apps had access to users' friends' data, "such as name, gender, birth date, location, photos and page likes," sometimes without their consent.

Cambridge Analytica Scandal

Facebook continues to face ongoing scrutiny over its data security and privacy practices, largely triggered by Cambridge Analytica, the now-defunct analytics firm that worked on President Donald Trump's election campaign for about five months and also worked with the "Leave" campaign during Britain's 2016 "Brexit" referendum on its EU membership.

Last year, it came to light that Cambridge Analytica had obtained 87 million profiles for the social network's users via a personality quiz created by Alexander Kogan, a Cambridge University researcher.

How did Cambridge Analytica obtain so much data about Facebook users?

Officials at Facebook attempted to deflect blame for the problem by claiming that its terms of service had been violated. But privacy experts and regulators began asking why the service wasn't doing more to monitor and restrict access to users' data. Facebook CEO Mark Zuckerberg also began appearing before Congress to answer questions, and the social network announced an internal investigation and clamp down on third-party use of its data.

"I believe it's important to tell people exactly how the information that they share on Facebook is going to be used," Facebook CEO Mark Zuckerberg testified before U.S. Senate committees on April 11, 2018. "I think everyone should have control over how their information is used."

The federal grand jury in New York appears to be investigating how Facebook may have profited from these data deals.

Regulators Respond

These aren't the only regulatory and criminal investigations Facebook has faced over Cambridge Analytica.

The U.S. Securities and Exchange Commission has also been investigating Facebook. And a Justice Department investigation into Cambridge Analytica being run by Northern District of California prosecutors continues to probe Facebook's claims that it was misled by the analytics firm, the Times reports.

Last October, the U.K. Information Commissioner's Office hit Facebook with a £500,000 ($660,000) for violating the country's rules on processing personal data and as well as failing "to take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data" (see: Facebook Slammed With Maximum UK Privacy Fine).

The U.S. Federal Trade Commission is also reportedly negotiating a settlement with Facebook over its data security and privacy failures which might reach $5 billion, the Wall Street Journal has reported (see: Report: Facebook Faces Multibillion Dollar US Privacy Fine).

UK Seeks New 'Digital Authority'

Some countries are seeking more permanent solutions. This week, a U.K. House of Lords report recommended that Facebook and other social media firms be regulated by a new "Digital Authority."

"Self-regulation by online platforms is clearly failing. The current regulatory framework is out of date," says Stephen Gilbert, the Conservative chairman of the House's communications committee.

"Without intervention, the largest tech companies are likely to gain ever more control of technologies which extract personal data and make decisions affecting people's lives," he says. "Our proposals will ensure that rights are protected online as they are offline while keeping the internet open to innovation and creativity, with a new culture of ethical behavior embedded in the design of service."

Outages Trace to BGP Routing Leak

Separately, services from Facebook, including Instagram, have been disrupted by ongoing outages since Monday. The company says distributed denial-of-service attacks are not to blame.

On Wednesday, Netscout's threat intelligence team said the outages appear to trace to "an accidental BGP [Border Gateway Protocol] routing leak from a European ISP to a major transit ISP, which was then propagated onwards to some peers and/or downstreams of the transit ISP in question."

BGP distributes routing information, enabling routers to connect users with specific IP address prefixes. It has been regularly exploited by criminal gangs and nation-state actors. But Netscout says the BGP routing leak does not appear to be "malicious in nature."

A number of technological improvements could prevent outages and attacks that involve BGP. But experts say putting such fixes in place is a lengthy process and nowhere near completion (see: Criminals, Nation-States Keep Hijacking BGP and DNS).


Later on Thursday, Facebook blamed the outage on a "server configuration change."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.