279 comments

[ 3.2 ms ] story [ 227 ms ] thread
Does it fall under GDPR violation?
No. Unless they didn't report it to the regulators.
Article 34 clearly states that the breached organization must inform the data subject "without undue delay". Given that the event occurred in September, and it is now December, I would characterize that as an undue delay.

There should be GDPR consequences of this - it's time that law got properly put to the test.

I'd imagine what matters is the delay from when you learn about the issue, not the delay from when it happened. This blog post looks a lot more like something they discovered now than something they discovered in September. (E.g. the way they'll have "tools for figuring out who was affected next week").
What? You get fined under GDPR for a breach. If you don’t report it, the fine will be a lot higher if they find out.

We will see how this plays out, but there should be a fine nevertheless (because others have been fined and they reported it).

Based on what article?
If you process personal data, you must make sure to protect the data. If you fail to protect the data, you can get a fine. How high it is depends on various factors. Reporting the breach timely to the authorities can help to have a lower fine.

But reporting it doesn’t make the fine go away. After all, you started to process personal data and are responsible for it. Alternatively, you could’ve opted for not processing personal data if you think you can’t protect the data adequately.

You can read all this here: https://gdpr-info.eu/issues/fines-penalties/

> "We're sorry this happened."

That about sums it up for all these privacy breaches these days. It's getting to the same level of "thoughts and prayers" for tragedies. No actual change or consequences for the problems happening, just empty "sorries" and "promises" that it won't happen again/they'll get it fixed. I don't know if this is a GDPR violation or not (as someone else asked), but if it is, I hope we start actually seeing action of these sorts of things.

Until consumers reveal that they care this is how it will be unless governments regulate/punish.
And as we've seen so far, consumers do not care in the slightest.
my response to this is always in the vein of, "how exactly should customers show they care?"

"Well, leave!" isn't an option. They can't leave. Quitting Facebook when you're an active user means you lose a huge amount of social contact. I can think of a dozen people I know who are there because it's how they send baby pics and the like to family. They're non-technical and don't care about federated mastodons, they just want to see their niece and go to their high school reunion.

So yeah they get really mad at this stuff but the network effect is so strong, you can't simultaneously convince the entire graduating class of whatever to plan reunions via some new thing when 1)everyone's already on facebook and 2)they've been using it for so long it's part of their workflow.

Most people I know are getting off of Facebook, or were never on it. The only people I know who are really still active are people using it to market themselves/their business, and are not there because they care about Facebook, but because they want to be findable there (and everywhere).

I guess I'm old, but I find that email is great for sending baby pics to friends and family, and for planning things.

I had this problem recently, I wanted to get in contact with an old friend I hadn't seen in years. Because it had been so long I no longer had a current phone number or email address. At this stage we didn't even live in the same country as each other. Solving this problem, or problems like it, might go a long way to reducing the appeal of Facebook.
That's exactly why I joined Facebook in the first place...
I feel you but a quick search finds "As of the third quarter of 2018, Facebook had 2.27 billion monthly active users"

so solve for that, not your dozen or so social group.

A huge percentage are browsing but not posting anymore I would guess.
Well anecdotally in your small social group that may be true. But Facebook has 2.27 Billion active users...
...for a certain value of 'active' (do they say how it's defined?) My experience of internet companies has generally been that user figures are somewhat exaggerated (to put it politely).
No matter how you define “active”, there is no indication that in the aggregate people are fleeing Facebook - no matter if a few anecdotes are posted on HN.
By Facebook’s generous standards, active users have been flat for a year or more.
Email is such a failure for sending family pictures. My relatives keep changing their addresses without telling anyone, and many email providers have small message size limits so if you attach several pictures then the message may bounce or just not get delivered. For all its faults, Facebook is a much more reliable and usable delivery channel.
Leaving is of course an option.

The fact that they don't leave mearly show that they value the gained social contact higher than the cost of data breaches.

that's my point, normal people value social interaction over an absolutist position of "well at least my data is secure!". normal people view never seeing their lil' cousin again as punishment, not the correct position to adopt bc it prevents being caught in a data breach
Let's make the next mandated change to Facebook's operations a red bordered, 90% screen coverage dialog, modal:

"We are required to notify you that we have leaked information from your account, please be advised that we have no idea who has your profile information, pictures, post history or any other information contained in your posts. Please consider resetiing your entire online persona to avoid financial and/or social consequences."

With two buttons: "Erase me from Facebook" or "I get it, I don't care."

Just planting seeds, Bill Hicks style...

> my response to this is always in the vein of, "how exactly should customers show they care?"

The answer is the same with any other foul business practice you oppose. The problem is not unique to digital businesses and I really hope those demanding justice don't request something more brash than they otherwise would in a non-digital situation.

And yes they can leave. There are real things you can't leave like your only ISP (internet is essential in modern society and no alternatives), then there are websites you can choose not to leave like FB (not essential in modern society). Your misuse of the word "can't" instead of "won't" just discourages any level of consumer responsibility.

can't and won't are effectively the same thing in this context; you're picking nits about free will.

Yes, of course everyone can always leave. The only price - for more than a few of those 2 billion - is the complete disruption of their social lives. Telling someone they can never see cute pics of their lil cousin again is punishment, not a serious decision about consumer responsibility.

You can tell because a history of malfeasance and yet, 2 billion active users.

Useless, repeatedly broken promises. It is time to see how much teeth the GDPR really has.
Can we look to any other similar regulation to estimate how much teeth it will have when actually enforced?
Genuinely curious on your view: what is an appropriate response?
Not the op, but meaningful fines, executive jail time for gross negligence and especially for intentionally taking inappropriate risks, breaking up or closing companies that are shown over time to be unable to safely handle sensitive information. Proper regulation. Consequences that can't be cynically taken as the cost of doing business.
Jail time for bugs? Have people here every worked on products?

Bugs and security vulns are literally inevitable. Security is important but it this was the standard I'm not sure that any company would still exist.

But why do financial services bugs garner a higher penalty than one that exposes private photos? This is an argument for regulation.
Nobody said jail time for bugs, and phrasing that way is intentionally obscuring the debate. Gross negligence is an entirely different standard than just software bugs.
Lots of people in this thread are explicitly saying jail time for bugs.

What evidence is there that this was gross negligence?

Jail time for bugs that should have been preventible and caused harm to users. Mistakes and bugs happen, but we also have methods of mitigating them. Standards, quality controls, tests, analysis, and other care. I specifically said jail time for gross negligence because that means not taking care and allowing harm to users.

If you had an error that leaked private information, it's worth an investigation. If it made it through despite controls, that's understandable. If they find you failed to do analysis on the risk to users privacy, if you failed to have controls in place, if you didn't code review or test the code, then you have made specific choices that harmed users. That should be criminal.

We need to take software engineering seriously as a discipline. We have the potential to do more wide scale aggregate harm than any structural engineering collapse. We need to start acting like it.

What is "should have been preventable"? Mandatory continuous fuzzing of all apis? Interprocedural static analysis to detect all of the owasp top ten? Manual audits of all dependencies and transitive dependencies on every update? Hire world class auditors to manually inspect code?

I'm a huge security person. It's my job. But its unbelievably difficult to secure programs even if there are clear steps in hindsight that could have prevented a bug.

> What is "should have been preventable"? Mandatory continuous fuzzing of all apis? Interprocedural static analysis to detect all of the owasp top ten? ...

All of the above, possibly. Other engineering disciplines seem to have defined what constitutes due diligence just fine. This isn’t a novel problem.

It’s obviously not possible to make anything perfectly safe or perfectly secure. But it’s certainly possible to define a minimum amount of effort that must be put towards these goals in the form of best practices, required oversight, and paper trails.

Edit: Even “fuzzy” disciplines like law have standards for what constitutes malpractice or negligence when representing a client.

> Security is important but it this was the standard I'm not sure that any company would still exist.

This is true and it's also the reason why there are more software vulnerabilities than necessary. Software could be a lot more secure. There will always be bugs, but its is possible to build software and platforms with many fewer vulnerabilities. But it's expensive, so we don't, and users suffer the consequences while the companies shrug their shoulders and count their money.

>>Genuinely curious on your view: what is an appropriate response?

CRIPPLING fines to start. Or shut down the freaking company if you can't secure it. Not everything is forgiven with a "we're sorry for 27845th time." Private pictures can and do ruin lives. (We can question the wisdom of posting private pics on FB but after all it's a huge company and they said they're private)

Execution. Facebook is big enough that it would serve as a useful warning.
> I don't know if this is a GDPR violation or not (as someone else asked), but if it is, I hope we start actually seeing action of these sorts of things.

Sounds like you're suggesting that we criminalize software bugs.

We criminalize other actions which result in harm to people. Why not software bugs too?
Well, there's two big differences... Planes have far fewer unknown unknowns than software: the specter bug in Intel chips is a great example of a place where the standard operating procedure was wrong, but no one ever knew it. It wasn't a case of negligence, though it had real world impact.

The other big difference is that (for the most part) keeping a passenger plane in the air isn't an adversarial task. Actual breaches are the result of active bad actors, which is completely different from the problems you encounter in designing a plane.

So criminal action seems crazy to me, though I can definitely see a great case for changing the incentives around storing user data. Could definitely see a good case for fines (and even an ongoing per-user tax, to make it an up front cost) for storing PII.

I think it’s disputable that “no one ever knew” (or could have guessed) regarding Spectre and speculative execution generally. Intel took a risk for the sake of performance. This did not take long to find:

Wang&already, 2006: “Information leakage through covert channels and side channels is becoming a serious problem, especially when these are enhanced by modern processor architecture features. We show how processor architecture features such as simultaneous multithreading, control speculation and shared caches can inadvertently accelerate such covert channels or enable new covert channels and side channels. We first illustrate the reality and severity of this problem by describing concrete attacks. We identify two new covert channels. We show orders of magnitude increases in covert channel capacities. We then present two solutions, Selective Partitioning and the novel Random Permutation Cache (RPCache). The RPCache can thwart most cache-based software side channel attacks, with minimal hardware costs and negligible performance impact.”

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.190...

If a plane crashed, and the company that manufactured the plane was fined because they had an engineering bug, no one would blink an eye.
The analogy doesn't work. Barring malicious intent or negligence leading to death I cannot imagine (or remember) a situation where the company would be fined for a software bug.
That is more of a failure of the imagination then. It's not like programming would cease to exist if fines were introduced.
>or negligence

Right. Companies like FB are entrusted with the private information of hundreds of millions of people. There should be investigations as there would be in a plane crash. If negligence is found, there should be appropriate punishment doled out.

This is more akin to the manufactoring company finding a defect that may or may not have contributed to a crash. Facebook hasn't said anything about if this bug was actually exploited
I'm sure it would be their top priority to tell everyone that the bug was exploited.
Yes, there is a qualitative difference between a plane crashing and people dying and 69 million photos being leaked. If you have trouble understanding the difference you should probably see a therapist.
It's just too bad that all crimes are punished by death. Awfully unfair and disproportionate in most cases.
Nice snarky response, I'm not the person that equated leaking photos to a plane crashing

>It's just too bad that all crimes are punished by death. Awfully unfair and disproportionate in most cases.

What are you even responding to? Explain this to me I'm too stupid to understand how your comment makes any sense in any context.

Many programmers like to insist that they're engineers and at the same time come up with excuses for why they shouldn't be held to the same standards as other types of engineers.
Software development is more like a craft rather than engineering. If you are willing to pay for an app the same money you pay for a bridge than you will get the same quality and rigorous checking. But even then, there are less than 10 types of bridges in the world comparing to software which has to simulate every human activity and sometimes imaginary activities like games, all that in much higher levels of complications, constant changes of requirements and infinitely open for later changes through the life time of the application. Do you really think you can compare those two things?
Some of us just want to be engineers but know full well how difficult that actually is and want to be paid well enough to seriously research that problem. Thus most of us are experimentalists and prototype engineers, not ones making claims strong enough to be liable for.
software bugs cause mass harm. We can't ask people to never make mistakes, but we can ask that they have appropriate practices, standards, quality controls, and care. Not taking appropriate measures to mitigate risks that can significantly affect millions of users is willful negligence, and should be a crime.
Yes, I am suggesting that. I don't necessarily think jail time is the right thing, but I do think something like meaningful fines are more than reasonable for major software bugs that cause these kinds of breaches of privacy. It will make larger companies like this be much more careful when money is on the table for them to lose.

To me, if we can criminalize something like a major oil spill such as BP/Deepwater Horizon, how is this much different? It's not like they did the oil spill on purpose, but they still need had consequences for those risks that they were taking. Software companies, esp larger ones like Facebook, should have the same kind of consequences for their risks of software bugs that cause these kinds of privacy breaches.

Also, as someone else below pointed out to someone else with a similar tone as your phrasing of "criminalize software bugs": "intentionally obscuring the debate. Gross negligence is an entirely different standard than just software bugs."

Just a quick question, do you write software? Do you have a legal or economic background? It seems pretty clear to me that anyone suggesting that software bugs in applications that have no risk of causing physical harm should have criminal liability has no idea what they are talking about and what damage such a law would cause.

Case in point look at the quality of medical software today. Hospitals still use windows xp and other completely insecure and outdated software. Because absolutely nobody wants to deal with the nightmare that is HIPAA.

HIPAA only carries criminal penalties when someone knowingly discloses covered information - not a software bug. Until the bug is identified at least. For the most part HIPAA is enforced with civil penalties.

And your "nightmare" scenario of (civil) liability flowing from programming bugs already exists in the investment world and it hasn't come apart at the seams. Google Axa Rosenberg. A coding error in their trading algorithm went undiscovered for two years. Negligent for sure, but not why the SEC went after them. The problem was they didn't promptly disclose the error to investors and they didn't promptly correct it. Algorithmic trading firms should have mechanisms to catch errors, correct errors, and disclose those errors to investors. And after seeing Axa Rosenberg's $250 million fine and Rosenberg's lifetime ban from the industry guess what they all implemented?

HIPAA only carries criminal penalties when someone knowingly discloses covered information

This is false.

Source: Works for a company that has mandatory HIPAA training for every employee every six months.

> This is false.

citation please. Here's mine:

> Criminal penalties

>

> Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year.

>

> Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.

>

> Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.

Source: American Medical Association

https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...

My company's lawyers disagree. I'll go with my company's lawyers' judgement over a group that exists solely to protect the interests of its member doctors.
Are these lawyers you have talked to and gotten meaningful and nuanced advice from, or are they lawyers your bosses have talked to and derived maximally avoidant policies from? I'm not saying that you shouldn't have policies that fit your risk profile, but I ask because I have been in those former conversations (and I have done a nontrivial amount of auditing+compliance work in this space) and have never come away with such an impression, while at the same time the level of perceived risk that your bosses derive from those conversations can be entirely untethered from the level of risk that actually exists. (This space is full of people saying "oh, HIPAA means we can't do that" as shorthand for "I don't want to do that," after all.)
They are lawyers who personally do our training and put together testing material based on that training.

To me that trumps a non-lawyer’s interpretation of a non-legal web site.

If you read the sibling comment where Spooky23 cites the HHS page on HIPAA, it might be worth ruminating on that versus your interpretation of why your company's lawyers lay out the training in the way that they do.

That they have a different company risk profile doesn't necessarily change the facts at hand. And, TBH, they don't have to tell you the truth if it helps achieve their immediate goals. (They can tell you you'd be personally and criminally liable. It might make you do what they want better. It might also not be true.) Or it may all be in good faith. But what you describe doesn't square with anything I've ever worked with, at multiple clients and employers.

They are wrong generally speaking. Willful conduct is the standard for criminal liability. A developer in good faith introducing a bug or inheriting one from a third party is not in that situations

My guess as to why the draconian position is more about the internal process. You have to identify and disclose breaches in a timely way; if you don’t the company is at risk.

From HHS summary of the rules:

(See: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... ) (it’s also laid out in the regulation which I don’t have time to find.)

“Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.”

> It seems pretty clear to me that anyone suggesting that software bugs in applications that have no risk of causing physical harm should have criminal liability has no idea what they are talking about and what damage such a law would cause.

So you're fine with financial losses, loss of privacy, and the material harm that goes along with both? Disregarding the impact that data breaches imply is just naive.

> Case in point look at the quality of medical software today. Hospitals still use windows xp and other completely insecure and outdated software. Because absolutely nobody wants to deal with the nightmare that is HIPAA.

I wrote medical device software for more than a decade. HIPAA has nothing to do with it. Many systems run on outdated platforms because the cost of replacing them is deemed to outweigh the benefits. That determination is debatable on a case by case basis, but in practice we see a hell of a lot more damage being caused by breaches of companies running on modern technology than we do e.g. hospital systems or LIMS.

> and the material harm

please, if there is provable material harm they can take it to civil court.

Uh huh, I'm sure it's just that easy, right? I mean, I'm certain it's an even playing field even for someone like me who has the money to hire an attorney. Hell, why regulate these industries at all? We can just file civil suits, right? Even if you win it costs less for them to settle than it does to change the way the do business/security.

We regulate the finance industry not because of a risk of physical harm, but because financial harm can be equally serious and civil suits do not act as a sufficient deterrent to bad behavior by the powerful. Why do you feel this sort of thing is different? I believe the only real difference is that this sort of thing is new, not well understood by most, and we just haven't caught up.

It's not practical for individual users to litigate, but hopefully someone will bring a civil class action suit.
Additionally, you can't always show a direct link between a data breach and e.g. subsequent bank fraud.
Hi. I've worked in medical software repeatedly. I totally want to deal with HIPAA. It's a good idea for clients (the people who actually matter) and it's not nearly as difficult a prospect to work with as people say. The set of demands it makes upon you are small and reasonably constrained and are nearly all process-based rather than technical. Where it is technical, plenty of folks will sign a BAA for you to take big chunks of the technical stack off your hands, too.

"But HIPAA" has never, in my experience, been employed except by people who find the idea of doing the right thing inconvenient or inconveniently expensive. (It is virtually never that hard and its benefits are clear.)

There are reasons for not modernizing tech stacks in the medical space. HIPAA is, in every case I've ever observed, not a meaningful one.

>"But HIPAA" has never, in my experience, been employed except by people who find the idea of doing the right thing inconvenient or inconveniently expensive. (It is virtually never that hard and its benefits are clear.)

Thank you for directly attacking my character without even addressing my actual argument.

I'm not arguing against HIPAA, I'm arguing against such regulations in spaces that don't require that kind of sensitivity. I think that medical data absolutely requires the protections it has. But it absolutely has had the unintended consequence of making current medical data more insecure and stifling innovation in the space. Most doctors don't even follow HIPAA compliance sending patient medical records over email.

I would estimate that 40% of doctors today are not compliant with HIPAA, sending X-rays and other similar patient information over email with providers that they haven't signed BAAs with.

>There are reasons for not modernizing tech stacks in the medical space. HIPAA is, in every case I've ever observed, not a meaningful one.

Then please enlighten us. Up until a few years ago (maybe even just a year) you couldn't use AWS to host medical data. Today you can't use Google Cloud to host medical data unless you are a large enough business to be able to get into contact with one of their sales reps. Can you even sign a business associate agreement with digital ocean? So up until a year ago you could not even have a small healthcare startup hosted on the cloud. Please explain to me how this hasn't stifled medical software innovation.

If it isn't HIPAA it's some other outdated regulation.

https://slate.com/technology/2018/06/why-doctors-offices-sti...

> Thank you for directly attacking my character without even addressing my actual argument.

"But it's hard, for no actual reason I will define" is not a meaningful argument. So--when one hears hoofbeats, think horses, not zebras.

> I would estimate that 40% of doctors today are not compliant with HIPAA, sending X-rays and other similar patient information over email with providers that they haven't signed BAAs with.

Probably true! But that's their own damned fault. Medical has Artesys and similar, dental has Apteryx and similar. This problem is largely solved but for hands-on unwillingness to use them.

Those providers should be nailed to the wall, the wall should not be torn down for them.

> Up until a few years ago (maybe even just a year) you couldn't use AWS to host medical data.

AWS has been signing BAAs since at least...2013? I believe the first time I looked into it was 2014. But, regardless--if your innovation was so tremendously stifled by this, I'm not particularly sympathetic. I've been running my own services and writing them too for at least a decade and you can do thou likewise, I promise. I am, however, saying that today it's very easy to do so 'cause Amazon is all-too-happy to sign one.

Also, I haven't had to use GCP for HIPAA-covered entities--found their BAA pretty easily though!--but even assuming you're correct the idea that you have to, hiss, talk to somebody before getting them to take some legal responsibility for your held PHI, I don't find that to be a particularly nasty requirement. I still find it odd that AWS will just let you sign right through with AWS Artifact.

Azure's all-too-happy to sign one, too. Not that I'd recommend it.

(comment deleted)
(comment deleted)
Don't worry, most of these people suggesting liability for software bugs will soon be the same ones complaining about how everything is costly. The concept of second and higher order effects from adding liability to everything is alien to them.

It's also funny that most of these calls are basically motivated because it's facebook. What they're again not realizing is that while Facebook and other megacorps can weather this, small companies won't be able to. It's like magnified stupidity!!

It's not unprecedented either. Under HIPAA, the Department of Health and Human Services has fined organizations millions of dollars for data breaches resulting from unpatched software and inadequate security practices.
And on that note, you see a lot less (though not zero) breaches of healthcare data and most HIPAA violations are due to analog errors rather than digital exposure.

The government does a good job in this area forgiving innocuous violations, as long as all parties disclose it immediately and follow procedure.

Do we see less? Or are the serious ones never reported. Breaches of health data are not exactly trackable back to the source, assuming they're even abused at all.
It doesn't necessarily need to be criminalized but when a company's software results in damages they should be responsible for compensating people for those damages. It's no different than consumer product liability.

The problem is that we're all giving our data away to these "free" platforms. That makes it difficult for a user to argue that they've "lost" something of value when there's a breach. But of course the user has lost something of value. Facebook has built their entire company around the value of our information but we let them have it both ways. It's valuable when they're selling it but worthless when they fail to protect it. Statutory damages for data breaches would deter negligence and (partially) compensate users who have been victims of data breaches.

Canada recently passed a law that adds fines to data breach incidents iirc. A professor mentioned it and its why I'm researching auth on my winter break.

Come to think of it, does anyone know of good auth resources for a mean stack that isn't a copy paste blog? I'm trying the udacity auth course as a starting point (uses oauth2)

Look into authorization as well as authentication.

Dex by coreos, Open Policy Agent, Kubernetes docs & code are all good examples, lots of frameworks have docs / code.

Jail would be full of WordPress devs
> Sounds like you're suggesting that we criminalize software bugs.

When there is irreparable damage I believe it should be criminalized. You cannot regain privacy after an incident such as this, it is irrevocably taken from you against your will.

Suppose there is a bug in the Linux kernel. Some business runs their webservers on Linux. They have user email addresses (PII). Is Linus responsible for breaches? If so, then OSS dies. If not, then how do you intend to prove that their are no vulns in any of your dependencies for the rest of time?
This is silly. If I build my bridge with equations I find on mathoverflow, the forum is not responsible for my bridge collapsing.

If you’re using OSS for mission-critical software you must either ensure that it’s fit for purpose or pay someone to do it for you. Nothing in the Linux Kernel documentation suggests that it can/should be used for flying airplanes of securing PII without doing additional due diligence.

The person storing the data is the one responsible for securing the data. Everyone keeps trying to push data security up the stack, but the company/ individual collecting it is the responsible party.
> Sounds like you're suggesting that we criminalize software bugs.

When my dad went to college, a very old and bitter professor (this was Civil Engineering, communist Eastern Europe) told the students on the first day in class something along the lines of: "If you know you're stupid or don't give a shit about your work, just go home and save everyone the trouble of dealing with your future fuckups. Mistakes here can cause deaths or losses of huge amounts of money".

I believe we've reached the point in which negligence in the software world can cause loss of lives, even when the software is not operating a crane or an airplane (think Grindr leaking account data over http in Saudi Arabia).

So you're minimizing the issue by asking if we should criminalize software bugs. We should and currently do criminalize negligence. If bugs are a result of negligence (you know, 'move fast and break things', 'better to ask for forgiveness than for permission') then fines, jailtime and criminal records should be a'coming. This is no longer child-play, this is the new world which runs on software.

Hammurabi's code (~1700 BC) includes this about building:

Building Code

229. If a builder builds a house for a man and does not make its construction sound, and the house which he has built collapses and causes the death of the owner of the house, the builder shall be put to death.

233. If a builder builds a house for a man and does not make its construction sound, and a wall cracks, that builder shall strengthen that wall at his own expense.

Bugs in houses have been criminalized for a very long time. Online data may be less fundamental than safe housing, but housing our data safely becomes proportionally more important as more of modern life depends on it.

[0] http://www.wright.edu/~christopher.oldstone-moore/Hamm.htm

But they aren’t. Most home sales in the US follow caveat emptor. If you buy a house from a private seller and then later discover mold in the walls or a crack in the foundation I wish you luck in getting the seller to pay for the repair.
The parent was establishing precedent.
And I'm establishing that the precedent cited doesn't exist, not in modern times anyway. If the argument is that home sellers are punished if they don't protect the buyer and so data sellers should be punished if they don't protect the data, that doesn't really hold up because home sellers aren't typically punished.
Note that I (OP) am referring to builders, not sellers. With respect to the systems that hold FB's data, I'd argue they are more like builders than sellers.
New home sales include warranty which is the modern equivalent of the parent’s story. While buying used if you can prove that the seller knew of a mold problem and didn’t disclose it then you have a legal case.
They do not carry the as-is, where-is clause you describe unless explicitly. If you can prove prior knowledge they are still liable. Proving the prior is the hard part, but private sales most certainly enforce a good faith clause
Builder is the key. If you have a house built and the foundation is cracked or mold is growing, you’ll be able to successfully sue.
"Skin in the Game":

If a social media company leaks private photos of its users, the company's executives and senior staff shall have its photos leaked.

I would love something like that. Nobody protects anyone else's interests in this modern world unless there's Skin in the Game. Would highly recommend reading Nassim Taleb's book of the same name; he is popularizing this term, and its implications to society.

the same "eye for an eye" goes for "if you have nothing to hide" - well then, you first
Yes, this approach assumes universal parity in the result of the act, which is far from true. For example the leaked health records of a healthy individual are not as damaging as those of someone with a lifelong condition, yet both cases are very, very bad.
the same "eye for an eye" goes for "if you have nothing to hide" - well then, you first

You misunderstand what "eye for an eye" means.

"Eye for an eye" means let the punishment fit the crime.

Before "eye for an eye" was established by religious texts, the common retaliation for poking someone's eye out was death.

"Eye for an eye" was a step towards a more civilized justice system.

I use it in the context of Taleb's book, mentioned in the parent, wherein he discusses this - symmetrical risk
When houses fall they fall they kill people.

And houses are not free.

Need I remind you of the genocide in Myanmar organised to a large degree on social media, or the threat to political dissidents all over the world when authorities or malicious actors can get their hands on leaked, private data of individuals?

Are you seriously suggesting that information in this day and age does not have the power to directly cause harm, including lethal harm, to people?

I am suggesting that Facebook is free, fleeting software, and that people shouldn't put a huge host of stock in it. Even legally.

Also - that it can be used for organizing bad behaviours is an entirely different subject that has little to do with quality or security.

If Facebook were free and its company had a completely hands-off approach with your data, much like a company that makes paper notepads never looks at what you write, I'd agree.

But Facebook is a company that actively snoops and uses the data of its resources, the end-user. It's like a security guard who's paid to prevent shoplifting actively ignoring violent crimes because it's not related to stealing, or a baby food company ignoring that some metal got into their food because the food is still OK if you pick out the metal bits.

I think you make a good point, at the same time, it's nary impossible to decide right from wrong on the internet, there are many sides to every story.

If the government wants to hire people to decide what counts as what - they should do that.

Do we have anything more than the company's word for it that it was a bug?
But it's not the mere existence of software bugs that is at issue here. Everyone's first attempt at solving a problem in software is going to have bugs. Everyone's last attempt at solving a problem in software is likely to have bugs -- that's why we design systems with safelocks in place.

There is risk in any human endeavour that touches upon someone else's life, in every domain. But, for example, only some of the deaths that occur in a hospital are the result of malpractice. That is the type of mistake for which we hold others accountable: not the mere act of providing insufficient care, but the act of providing insufficient care as a result of a dereliction of professional duty or a failure to exercise an ordinary degree of professional skill or learning.

IMHO:

1. If this was a novel, or very complicated breach, that Facebook did everything possible to avoid, but avoiding it was beyond the knowledge and skills of their security, engineering and QA teams, who otherwise did their absolute best, then it's at the very least defensible. One could argue that you shouldn't handle private data if you can't do it securely, but risk is inherent to anything, and perhaps worth it under the right circumstances.

2. If this was just "move fast and break things" policy, then a big fine is in order, and if no insurance is in place, whoever approved it should get to pay it out of their own pocket. This is the equivalent of a civil engineering company designing a collapsing bridge because everyone showed up at work hungover, or skipped safety calculations because they just take too damn long and time to market is critical.

If you think gee, this was just a bunch of photos, man, it's not like a bridge collapsed, how certain are you they didn't end up traded on the black market, or used for blackmail? Bet-your-company's-profits certain they weren't?

3. If this was deliberate policy -- not just accident, but a conscious business decision that was then reverted and declared a breach -- then whoever came up with it and/or approved it should be facing jail time.

Edit: also, it pisses me off that people are trying to decide how responsible we should about what we do based on other fields. They don't fine companies that write crashing firwmares for planes or cars or they fine it X amount, clearly we're only doing computer stuff so we should be fined less, no?

What the hell? First, they are fined (see, for instance, Toyota, who were fined 1.2B for their infamous acceleration firmware bug). And second, even if they weren't, we shouldn't be aspiring to do the worst thing that's still acceptable! We should be striving for better than anything else, not for well, at least we're not worse than civil engineers...

When we're entering an era where everything will involve software, yes, bad software and careless bugs should be severely punished.
The alternative is to allow the least competent actors continue to lose user data without any consequences.
Sounds like you're suggesting we take no action when law violations happen.
Why shouldnt we? If you are proven in court of law you knew about certain bugs or you underspend on engineering while your public outreach grew expenantially, how come you shouldnt be liable?

Anywhere else its a plain case of malpractice whether its law or medicine, etc.

Facebook sure does have a lot of "bugs" that grant them access to things they shouldn't have. Things that allow them to profit immensely.

It happens with such regularity that I'm amazed anyone here would be kind enough to accept their fake apologies for clearly malicious actions.

I think criminalizing commercial data leaks is a more workable idea.
The punishment should be mass loss of users due to loss of trust, but for some reason people still use it.
Comparing Facebook to murder is dramatic and childish.

This Facebook hysteria is tiring.

(comment deleted)
Nothing bad ever comes to companies as a consequence of these leaks, so what is their incentive to stop them? It happens so often that it goes down the memory hole after maybe a week or two, so even that isn't much of an incentive. We shouldn't be surprised about this.
There's a crowd here on HN that hates regulation but this is exactly why regulation exists. Massive, wealthy, powerful industries just aren't held accountable by average consumers or markets. There's no serious competitor that benefits if your data isn't safe at Facebook. And average people not only aren't powerful but have their own lives to look after.

Without regulation massive companies are entirely unchecked, there is virtually never market pressure to fix problems like this.

As one aside on this, the main issue people have with regulations is not regulations in and of themselves, but the negative effect they have on small businesses and competition/entrepreneurship more generally. I think you'd find extremely few genuine voices against regulations that only start to apply once a company (and all associated entities) grosses in excess of e.g. $100 million annual revenue. By that point companies the costs (as a fraction of their total revenue) in ensuring compliance, and complying itself is only going to be a minuscule fraction of revenue. By contrast these same costs can, and do, destroy or simply prevent the formation of smaller companies that could greatly expand the market to the benefit of all.
Seems straight forward to write that compliance to certain measures is based on gaap annual revenue.

Though in practice, enforcement of regulations in general is already handled this way.

For example a new startup in the valley doesn’t get a note from the gov because they launched without a privacy policy.

Same in the App Store, a minor app breaking App Store rules doesn’t get knocked out because the downloads are too small to bother.

So basically regulation that impacts them directly or materially?

The ideal of some arbitrary cut off point has been tried in lots of scenarios, and is gamed by all parties.

Example: Copyright will protect new works for x years, at which point Disney lobbies for the arbitrary goal posts to be moved.

Exactly. Large companies love regulations when they affect everybody since they can easily abide the regulations while they help to destroy potential competitors.

Keeping regulations focused on big players serves the dual purpose of focusing regulation where its affect will be most significant, while also ensuring it doesn't negatively affect the market. But yeah, like you're mentioning the big problem is that once companies reach a certain size they begin to develop the political connections necessary for them to simply kill, or at least castrate, any potential regulation that might genuinely require them to behave in a way that is inconvenient - even if it's better for society.

Libertarian hackers always think of regulations as pesky pinpricks from the nanny state but in this case, in their domain of software, regulations would actually serve more of something along the lines of industry standards to ensure that software is created up to code. Hackers want good code, don't they?
I don't understand why people have to otherize each other. No, again opposition to regulations has nothing to do with some ambiguous opposition to nanny stating in and of itself. That is tangential to the real issue. Before getting to that, let's take a really quick digression.

Tax payer funded systems are one of the most controversial things we have. You'll find sharp disagreement on topics like e.g. public vs private funding for everything from education to medical and a wide array of other issues. Yet you'll find most of nobody that wants to privatize e.g. the fire department. This is because most of everybody would agree that the fire department does a good job, does it efficiently, and does it cheaply.

The point of this is that if there were a regulatory framework that was unambiguously and intrinsically superior to any alternative you'd find next to no opposition to it. Everybody wants the same thing in the end -- we just disagree on what's more likely to get you there. In many ways, I think lemonade stands are just a timeless and perfect example. In many states in the US today it is literally illegal, or at least unlawful, for a kid to go sell lemonade in their front yard. They can [and have] faced ticketing, confiscation, and so on. This is clearly idiotic by any standard, yet the very rules and regulations the produced this were all at some point created with good intentions. Perhaps ensuring food safety, or avoiding money laundering, or whatever other rule they happen to be breaking by selling a cup of lemonade for a quarter.

A rule that would generally stand to impose substantial penalties for writing bad code is something that would have unimaginably vast consequences at the lower level. And I think you're looking more at destroying small business in the tech industry than in suddenly having a world where all code is "good". By contrast the companies at the top can afford to greatly expand their staff and create factory lines of code review, extensive internal penetration testing, general audits, and so on. And perhaps most importantly, when they do end up violating the rule they have the resources to manage this just fine. And so it's very possible that the regulation could have an overall net positive effect there. But if it were applied to society as a whole (instead of just large companies), I think you'd be effectively killing off tech industry competition.

>Nothing bad ever comes to companies as a consequence of these leaks, so what is their incentive to stop them?

I could probably get away with murder, but for some reason I'm not out on the town strangling prostitutes.

Why do companies always need an "incentive" to not be anti-social? Why can't CEOs simply derive pleasure from delivering a quality service in exchange for some advertising eyeballs?

Considering that gdpr doesnt contain a single technical requirement (in contrast to all food / safety / medical regulations) , typically anyone and anything or nothing can be a violation. Your guess is as good as mine
This may change when lives are actually lost. Self crashing cars have the potential to destroy the potential saving of life by intentional or accidental software bugs and security vulnerabilities. A congressman I was speaking with rephrased my statement and said that I was suggesting that self driving cars be treated as medical devices. I wholeheartedly agreed with his wording.

That said, the same changes won't likely occur with sites like FB unless it can be proven that the data leaked lead to loss of life or physical harm. They create incentive's for people to happily be the product. How do we prove that damage has occurred to the product? Have any forums popped up where people share stories of harm to their family as a result of data leaked from FB?

I can imagine GDPR being useful in the EU for corporate FB accounts. Wasn't FB working on a work-specific version of their site? If so, corporate legal teams would get involved in leaks, I would imagine.

> I can imagine GDPR being useful in the EU for corporate FB accounts. Wasn't FB working on a work-specific version of their site? If so, corporate legal teams would get involved in leaks, I would imagine.

I can imagine GDPR working very well for consumers as well, and it seems we are up for some real legal entertainment in the next few months/years :-)

Edit: It also wouldn't surprise me if it gets worse before it gets better. If I was a publisher right now I'd seriously consider blocking access from EU countries. (But that would of course be an invitation for a small, agile publisher who'd succeed either with a micropayments based approach or a context based ads approach.)

It will happen if FB have to suffer financial consequences. GDPR will help, but we need companies to understand that personal data is not an asset, they are also liabilities.
You are probably right. I would be curious to see a review from a lawyer on the AUP that users agree to. Some things can not be waived in certain jurisdictions. Otherwise people may have given permission and ownership of some of their data to FB to do with as they please.
Whoops soz .... lol, l8erz.

Kerching

> The bug also impacted photos that people uploaded to Facebook but chose not to post.

What about, for example, pictures sent in a private message?

I'm so very glad I deleted my account months ago.

In so much that they let you delete your account.
If they aren't actually deleting accounts then they are going to end up with a hefty fine under the GPDR one day...
Given that it's known that Facebook builds shadow profiles of non-users it seems hard to believe that they would give up the data of ex-users.

https://www.bustle.com/p/what-are-shadow-profiles-facebook-c...

I am unfortunately not a EU citizen. But I would be very very very sad indeed if my data was not deleted.
"Oh yeah we deleted the account, you can't log in with that same email and password anymore so it's as good as gone!"
For pictures present on your phone which Facebook uploaded just in case you’d want to post them later. To hide latency essentially
>I'm so very glad I deleted my account months ago.

I did as well. One thing that stood out to me in the article was that users who were impacted by the breach would be notified via a Facebook message. What about people who were impacted by the breach who no longer have an account?

(comment deleted)
On this topic, does anyone know if photo access granted to facebook apps on ios means facebook will upload all photos in the background?

Have never seen an analysis of it.

I'd hope this is one of the things Apple audits against in their app review process.
I think it should be clear to everyone at this point that nothing on Facebook is private. Don't put anything there you wouldn't post publicly.
Any company that talks about their old "move fast and break things" motto as if it's a good idea should be treated this way (or not used at all).

In industry perspective: We call ourselves "engineers", but real engineers are held accountable when they sign off on using an untested metal alloy in bridge joists and then people die when the bridge collapses. Facebook's constant bad engineering may not kill people directly, but it does lead to a lot of really important information stolen, peoples financial future being ruined, and who knows what other consequences for their users. If you still work for Facebook in this day and age you should be ashamed of yourself; I know people can justify just about anything while claiming that they'll "make it better from the inside" or because they just need to collect a fat paycheck and are comfortable and don't want to look for something new, but we need to fight these impulses anywhere we work.

Beyond that, nothing online is private. And generally, nothing can be removed. There will always be bugs, mistakes, new vulnerabilities. Eventually it will get out.
Two can keep a secret if one of them is dead, sure. But that doesn't mean you have to assume that having something on the internet means it's going to leak all by itself. The advice we should be giving is not putting all of our eggs in centralized baskets

Especially if we know the baskets have goals not aligned with our own, despite it being oh-so-convenient, but also not centralized in the first place.

“Private” photos that people uploaded to Facebook.

Sounds like a good time to reiterate the advice: Don’t upload things to the internet that you don’t want to be on the internet. That way there won’t be any of your things on the internet that you didn’t want to be there.

Unfortunately, that advice is nearly useless on HN as the people who need it aren't on this platform.
Except that your friends, family, and others can upload private photos with you in them.
I left FB when they made reverted a policy that let you opt to confirm all tags before they showed up in searches for you.

This means anyone in the world can upload an image, tag you in it, and it will show up in searches for you. It still won’t show up on your profile if you have confirmations for that enabled, but still.

No need to tag, just facial recognition will get you from previous tags and other metadata
Will it show up in searches from just facial recognition? That would be very bad for anyone trying to live in a way incongruent with their culture’s standards. (I personally left in solidarity with a Muslim friend who no longer wears Hijab, but would prefer her family didn’t know that; pictures of her without Hijab started showing up in searches without her approval suddenly and without warning when they removed the old “confirm before search results” option)
Just stop having a face. And friends, or family. Become an unperson. The solution is so obvious.

It's always hilarious how people try to pretend that it's easy to just drop out of society and the systems that people use to keep in touch. Sure, you can live like the unabomber in a shed in Montana with no phone service, but having that be the only option to keep your personal data safe from leaks is a bit much of an ask. People should be able to live their lives and take reasonable but not extraordinary precautions to safeguard their privacy and be able to have some expectation of privacy as a result. Unfortunately, there is so much data being collected on everyone, so many intrusions to our private lives, and so little care being taken by the stewards of that private data that it is not, it turns out, a reasonable expectation. And the onus for solving that problem shouldn't be on individuals. We shouldn't be forced to live our lives in fear of digital representations of our appearance being leaked onto the internet as someone might have once feared an ordinary photograph could steal a soul. Rather, those who are going to great efforts to destroy the boundaries of personal privacy should be heavily regulated to prevent them from doing so and heavily incentivized to safeguard private data whenever they are in possession of it.

Sadly, this is the moment that those photos stop being private. I get that this is hard for the general public to understand - but at this point, uploading anything to Facebook = obfuscated, maybe, but not private.
> including images that people began uploading to the site but didn’t post publicly.

This means that if you started to upload a photo to the uploader wizard and then thought better, the photo is still out there.

Also, never take nude photos with your face/head in the photo. Never let someone take photos/video of you drunk. Unless you want kids with this person, always use a condom.
This ship hasn’t just sailed, but its masts are no longer even visible over the horizon. Both major phone operating systems actively encourage synchronizing all photos with a server on the internet.
As usual, I'd like to point out how scummy this site really is.

The paywall advertises a "Premium EU Ad-Free Subscription" which is more expensive than the standard subscription and explicitly states "No on-site advertising or third-party ad tracking" as one of the perks.

Trying to buy it has the following:

> By subscribing, you agree to the above terms, the Terms of Service, Digital Products Terms of Sale & Privacy Policy.

On the privacy policy, we have this:

> hen you use our Services, third parties may collect or receive certain information about you and/or your use of the Services (e.g., hashed data, click stream information, browser type, time and date, information about your interactions with advertisements and other content), including through the use of cookies, beacons, mobile ad identifiers, and similar technologies, in order to provide content, advertising, or functionality or to measure and analyze ad performance, on our Services or other websites or platforms. This information may be combined with information collected across different websites, online services, and other linked or associated devices. These third parties may use your information to improve their own services and consistent with their own privacy policies.

There is absolutely no mention of the "Premium" ad-free subscription in the privacy policy at all, so they are still granting themselves the right to stalk you all over the place even with the premium, more expensive subscription.

Not to mention, the privacy policy page itself loads a handful of different trackers before any kind of consent was even granted. I can see Google Analytics, something from "c.go-mpulse.net", something else from "bam.nr-data.net" explicitly sending my user-agent in the URL (why? They'd get it in the headers anyway), Google News JS, Google Pay and the New Relic JS agent.

My only response to this is a big "fuck you" and this link: https://outline.com/zd5du7 so you can read the content without any of that garbage and without paying them since they don't even deserve a single penny.

It's too much to hope that Facebook takes a hint from Google and shuts down its social network to preserve user privacy, right?
Google didn't shut down Google+ to preserve user privacy. Not sure if that's what you're implying with your comment-- I hope it's not.
> Google didn't shut down Google+ to preserve user privacy

They accelerated the planned shutdown for exactly that reason.

They did that because cost of maintaining platform was higher than its ROI. If Google+ had like 300M-400M monthly active users I don't think they would have shut down Google+
The ROI on Google+ has been negative since before it launched.
Investments tend to take a while to return-- this one didn't pay off though.
They claim that, though, and that's the joke GGP was making.
At which point should we stop treating these things as bugs and start treating them like features instead?

Not this particular thing per se but, you know, it's Facebook. As the recent history has proven these things kind of come with the package.

BURN THEM TO THE GROUND
Someone needs to go Mr. Robot and 5/9 Facebook's servers. This is getting ridiculous.
Since Facebook is walking away all the time without any consequences, this will happen again and again.

The long-term solution to this mess should come from users abandoning it which is happening gradually based on recent reports.

> The long-term solution to this mess should come from users abandoning it

Where will the people go? If it's other software it might end being as bad or worse.

What’s the value of Facebook? Serious question as you think people should have alternative
I didn't say an alternative that is like Facebook.

People want to communicate with others. If they use software for that then.... my original question applies.

And you've avoided answering that question.

Is there going to be no moderation policy for the constant day-in day-out Facebook tabloid clickbait?
Why is anyone still using FB/Whatsapp/Instagram? It seems the vast majority just don't care at all about privacy.
WhatsApp: Because the market share outside the US is insane. Germany has 70% Android users and they don’t use iMessage. Nor any of the other ones unfortunately.
Too big to avoid.

Data leaks happen to every tech company. As users/customers, won't have knowledge of the leaks unless they are publicly reported.

How can you "socialize" these days without using at least one of these internet social/media platforms?

Ways to avoid givin them your data are either to be totally reclusive or to be a tech geek who relies only on niche tech products that aren't mainstream.

What if they are used as highly valuable networking platforms for your job? Some people live off some kind of business model taking advantage of the sites. Also they work hard at maintaining their audience captivated and engaged.

Don't believe this BS. FB is selling your private info/photos. A planned breach to divulge your data to 3rd parties, then they cover it up "oh no, we got hacked!". Quit that lame ass platform long ago... MZ is not who you think he is.
Please don't come to HN with this garbage.
I never assume that “settings” guarantee what they claim. It’s just not practical even with good intentions, for a single non-public code base.

As a developer, I know it is hard to implement something once, harder to implement consistently across multiple interfaces, and damn near impossible to keep correct years later after employee turnover and other twists.

The sad thing is that it costs a ton more money to do things really well, and companies can basically take advantage of the low price of doing things poorly until finally forced. And by then, they have tons of money so they can comply but any startup is screwed because now it costs more for everyone, even those entering the game.

This bug is just another example of the Valley children doing what they do best - writing terrible code. Keep moving fast and breaking things, kids. Please keep your culture confined to the west.
even moreso when you remember that SO MANY COMPANIES enforce most of their auth z/n at the edge, and are a lot looser between internal services
If there’s one thing that Facebook has been highly successful at, it’s making people numb and uncaring about any of these “bugs”.

Like the saying goes, “One death is a tragedy; one million is a statistic” — Facebook has made all its privacy blunders and issues over many years a statistic...something people may nod their head at, feel bad for a moment and go back happily to the same company’s platforms.

Unless lawmakers around the world do something, nothing will materially affect Facebook (the company). Even if they do, I personally have no faith that the company is capable of changing unless people at the top, like Mark Zuckerberg and Sheryl Sandberg, are out.

Not very good at the data security thing. In other industries such as health care, there are tables that define fines and penalties. Maybe the same is needed here.
Most of the comments below are echoing the statement "jail time for bugs!!!!!" and similar sentiments, and therein lies the problem.

"bugs" is a catch all word, it covers everything from a pesky typo in UI to bugs like this, severe security issues, meltdown/spectre, VW bugs, and so and so forth.

Of course no jail time for a typo, but why not a jail time or severe financial and career consequences for severe bugs especially when it can be shown that a bug was caused due to intentional decisions, malicious intents, sloppy testing, rushed product etc. and not due to genuine mistakes - similar to medical malpractices.

Of course lawyers will love it, but it can improve the overall situation.

And yes, I'm a software engineers and do know what I'm talking about.

Who would be held responsible? Coder? QA? Code reviewer? PM? person putting pressure on PM?
Depends...

If malicious intent, most likely the business owners, PM or engineering management, but in some cases software engineers.

If due to rushed product, certainly the management and not software engineers or QA.

and so on..

It depends..

Unrelated, but I'd love to know how that article managed to get a picture of that Facebook sign without people standing in front of it. I drive by it daily and I've never seen it without people posing in front of it :)
If you take multiple pictures then run algorithm that only keeps mode ( most occurring ) pixels then stationary object will stay and moving people or objects will disappear. Photoshop has this function. Tutorials on YouTube.
How come Google never has had a breach? Do they do a better job with security? Is Facebook more of a target than Google?
Good question, to which I don’t know the full answer. But if you look at their motto “move fast and break things”, insistence on pushing new features as fast as possible, and the recent clash and resignation of their CSO, I’d say google are just more mature about security, and understand their products are entirely reliant on trust of their users.
Does it matter? I have a hard time thinking of a worse company to entrust with personal information. The reach of Google makes Facebook look like a joke. At least when it's leaking they're not making more money.
Probably the latter: the larger the value of a network, the more likely it is to attract attackers.