Once more unto the breach, dear friends

The alarming regularity with which social media breaches seem to happen is of great concern. In my mind, more countries need to follow Europe’s example in order to make sure their citizens’ data is safe

Once more unto the breach, dear friends, once more; Or close the wall up with our English dead.” So begins a wartime speech by Henry, from Henry V, one of William Shakespeare’s plays. 

It seems Google chose not to follow the King’s urgent advice to his troops when it should have. 

Last week, Mint reported that Google will shut down the consumer version of Google+, the company’s social networking answer to Facebook, by August 2019, though corporate versions might still exist.

This was after Google announced that data from up to 500,000 users may have been exposed to external developers by a bug that was present for more than two years in its systems.

Two years!

Google said that it had become aware of this breach and patched the leak in March this year. The tech titan chose not to make this breach public then, and waited six months before it finally made the information public.

According to news reports, the company came clean only after it became aware that the Wall Street Journal was planning to write an exposé about the breach.

In other news, Facebook has also been breached. This company was a little more forthcoming about its problems and revealed the issue soon after it became aware of it.

Facebook first feared that about 50 million users’ personal data had been compromised, including—evidently—chief executive officer Mark Zuckerberg’s private information. This number was later reported as being higher, and the company automatically logged out 90 million users from their accounts as a precautionary measure.

This breach was of users’ “access tokens”, which is a code that identifies the user and allows other apps to access user information. Many people use their Google or Facebook accounts as gateways to the internet. When a user signs on to a new app, he or she is often allowed to sign in just by using his or her Facebook or Google access token credentials, which obviates the need to set up a separate account and password for the new app. This is a convenient option for many, and so is routinely used for any number of e-commerce and other sites.

Facebook has recently said that the number of people affected may be 30 million rather than 50 million, but that the data that was compromised was much more detailed.

It now fears that up to 14 million of the 30 million have had detailed information compromised, such as their religious affiliations, email addresses, and the types of computing devices they used to reach Facebook—in addition to more mundane information such as recent posts and locations.

Facebook claims that credit card data and passwords were not stolen.

The company has alerted regulators in the US and Europe. Under the new General Data Protection Regulations (GDPR), alerting regulators in Europe within 72 hours of discovering a breach is now law, and Facebook has done well to comply. India has also asked the company for information about the breach and the firm has agreed to the government’s request.

Nonetheless, it faces the possibility of stiff penalties in Europe, where under GDPR laws, it may have to cough up $1.63 billion.

Google’s breach at Google+ falls in a grey area, however. It discovered and fixed the breach in March, but chose not to say anything until last week. Europe’s GDPR didn’t come into force until May, so technically at least, Google appears to be off the hook.

The alarming regularity with which such breaches seem to happen is of great concern. In my mind, more countries need to follow Europe’s example in order to make sure their citizens’ data is safe. 

US federal law, for instance, does not require that companies disclose security vulnerabilities. This law appears to be a state subject in the US and, so, companies must instead work through varying legislations across US states, of which California’s seems the most stringent.

Google+ failed to provide any real competition to Facebook anyway, so by shutting it down, it appears that the firm has at least heeded King Henry’s second exhortation—to close up the wall with its own dead!

Siddharth Pai has led over $20 billion in technology transactions. He is the founder of Siana Capital, a venture fund management company focused on deep science and tech in India.

*This article first appeared in print in the Mint and online at www.livemint.com

For this and more, see: