Information security professionals often examine “third-party risk”. Simply put, associations with business partners and contractors can present outside risks to the data, financial, and/or physical security of an organization. The risk may be contractors with access to secure areas or sensitive business processes. The risk can be shared data in the temporary custody of a partner. The risk can be virtual access to a network or a facility without adequate audit.
Today I was informed by Facebook that my privacy could have been compromised because “friends” of mine used an application platform profiling app called “This is Your Digital Life”. I wish I could tell you more or show you the notification, but in typical arrogant Facebook fashion, the notification was a fly-by. It was presented on the screen of my smart mobile device. I put the phone in my pocket and headed to my office to compose this piece, but once the Facebook feed refreshed I can no longer find it. It is not on my notification list. So much for transparency. So much for ease of use. Now you see it, now you don’t.
So what does this mean? Well, in this case Facebook allowed a third party that I did not authorize to access my profile data. They allowed the third party because a second party (my Facebook friends) accessed an application that pulled the data. They allowed this even though I opted out of the Facebook application platform and therefore had a reasonable expectation of data privacy. Facebook fails. And my mom was right. You are impacted by the actions of your friends.
What is the answer? Take ’em down. Let’s see a class action lawsuit financially impact Facebook. There are enough of us in this potential class that have, by Facebook’s own admission, suffered harm. Congress is not likely to impose a satisfactory regulatory solution any time soon. So let’s take it to the courts and show companies that a willful direct and careless violation of our data privacy will be the most expensive mistake that their companies can make.