DATAINSIDER

Digital Guardian's Blog

Amid Backlash, Facebook Unveils Data Abuse Bounty

by Dennis Fisher on Wednesday April 11, 2018


The aim of the program, released on Wednesday, is to help the company find and remove apps that are collecting information and transferring it to third parties.

Facebook is continuing the process of digging out from beneath the rubble of the Cambridge Analytica scandal by crowdsourcing the process of identifying apps that don’t handle the data they collect correctly.

The company’s new Data Abuse Bounty is designed to help Facebook officials find and remove apps on the platform that are collecting information from users and then selling or transferring it to other people or groups. Specifically, the program offers rewards for people who can provide proof of apps that are using Facebook’s platform to collect information for the purpose of passing it to a third party, which then abuses it.

“This program will reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence. Just like the bug bounty program, we will reward based on the impact of each report. While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention,” Collin Greene, head of product security at Facebook, said in a post announcing the new program.

“We’ll review all legitimate reports and respond as quickly as possible when we identify a credible threat to people’s information. If we confirm data abuse, we will shut down the offending app and take legal action against the company selling or buying the data, if necessary. We’ll pay the person who reported the issue, and we’ll also alert those we believe to be affected.”

The Data Abuse Bounty is part of Facebook’s reaction to the Cambridge Analytica scandal, a situation that would have fit the company’s definition of data abuse quite well. In that case, one company collected the data and then transferred it to a third party, which then used it for political influence. The announcement of the new bounty program came on the same day that Facebook CEO Mark Zuckerberg testified in front of a joint session of the Senate Judiciary and Senate Commerce, Science, and Transportation committees about the Cambridge Analytica situation. The lawmakers questioned Zuckerberg for several hours about Facebook’s privacy policies, security practices, and data collection activities. Zuckerberg said several times that Facebook would do better and make it easier for users to understand what data is being collected and how the company and others will use it.

The new bounty is part of those changes, but it sets a high bar for participants. In order to qualify, a report must include detailed proof of the abuse and the reporter has to have first-hand knowledge of what’s going on.

“You must have direct first-hand knowledge of facts showing that data collected by a Facebook platform app is or has been passed to another party. You cannot submit a report based on speculation, but must be aware of the facts yourself. The scenario we expect is one company that built an app to collect information that then passes that information to another company to be abused. You must have knowledge of both of these parties,” the program’s rules say.

“Proof comes in two stages. The initial stage should be your first-hand knowledge of the situation you would like to report. If it sounds credible we will ask for more proof to help us investigate. This could include Facebook data such as Personally Identifiable Information (PII) being abused, emails, contracts, or company names. It is crucial you only provide us with data you legally have access to and only with Facebook data in the case of PII. We also want to understand the scenarios in which the data is being abused and any motives of those doing so.”

Facebook is touting this as a first-of-its-kind program and said that it may expand the scope of it in the future. Regardless of whether this program has any real effect, the one thing you can count on is that Congress will be watching Facebook’s actions closely.

Tags: Social Media Security

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.