June 9, 2011: Markey, Barton to Facebook: Multiple Privacy, Security Problems Unacceptable

WASHINGTON, D.C. – Congressmen Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), co-Chairmen of the Bi-Partisan Congressional Privacy Caucus, today issued the following statement on Facebook’s May 27, 2011 response to their letter about a security vulnerability reported by The Wall Street Journal. The Journal’s story reported that a security weakness on Facebook provided advertisers, analytics firms and other third parties the capability to access Facebook users’ accounts and personal information. According to The Journal article, this exposure lasted “for years”.
“I am alarmed by an emerging pattern of privacy and security problems at Facebook,” said Rep. Markey.
“Last fall, we asked Facebook about applications that were passing Facebook users’ personal information to third parties, and the company assured us that it had resolved the issue. Then, when we questioned Facebook last month about another privacy issue - the exposure of millions of users’ access tokens to third parties - Facebook responded that it had addressed this vulnerability. However, the company also revealed in response to one of our questions that ‘a few’ of the developers that were found to be passing Facebook user information to data brokers last year have been allowed to return to offering applications on Facebook after an audit. It is disturbing that Facebook is permitting developers that flagrantly violated its users’ privacy, and Facebook’s own privacy policy, to interact again with Facebook users.

“This week, Facebook’s facial recognition feature was found to be automatically enabled for millions of users, requiring them to opt-out if they do not want to participate. This new feature may prove to be popular, but Facebook should not automatically alter users’ privacy settings by enabling this feature and then require users to opt-out.
“When it comes to its users’ privacy, Facebook’s policy should be: ‘Ask for permission, don’t assume it.’
“I will continue to monitor this situation and look forward to working with my colleagues on important privacy issues before Congress, including legislation that I have introduced with Rep. Barton, H.R. 1895, the Do Not Track Kids Act,” concluded Rep. Markey.

“Facebook’s response to our recent letter left me with unanswered questions,” said Rep. Barton. “The main one being: If this issue was easily fixable, then why wasn’t it easily preventable?

“Symantec explained that ‘access tokens’ were exposed by third party developers. Facebook responded by highlighting that there were some developers that did not take a necessary step on their old platform to remedy this issue. Facebook insists that this problem has been corrected, but my concern is that people’s personal information would theoretically still be exposed today had someone not accidentally stumbled upon the problem.

“The only people who should have access to your information on Facebook are your ‘friends’,” said Rep. Barton. “We need to make sure that the protection of your privacy is a priority by closing any loophole that could leave you exposed to criminals and con-artists.”
Reps. Markey and Barton wrote to Facebook in October 2010 after The Wall Street Journal reported a series of privacy breaches that affected “tens of millions” of Facebook users whose personal information was leaked to third party applications, even those who adjusted their privacy settings to the strictest settings possible.

A copy of the October 2011 letter to Facebook from the Bi-Partisan Congressional Privacy Caucus regarding data storage can be found here.

A copy of the May 27, 2011 Facebook response to Reps. Markey and Barton can be found here.

A copy of the May 11, 2011 letter to Facebook can be found here.