In the latest privacy controversy involving Facebook, a Congressional committee is demanding that the social media giant answer questions about a complaint filed with the Federal Trade Commission alleging misleading practices involving consumers’ personal health information.
The complaint called attention to an incident in which a security researcher was able to download the names and other personal information of over 10,000 cancer patients who were participating in a Facebook health group.
In a letter sent Tuesday to Facebook CEO Mark Zuckerberg, House Energy and Commerce Committee Chair Frank Pallone, D-N.J., and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky, D-Ill., demanded a staff briefing no later than March 1 to discuss with Facebook the issues raised by the recent FTC complaint.
The complaint, filed in December, was made public this week. It alleges that Facebook has been misleading its users about the private or anonymous nature of closed Facebook groups.
The complaint, filed by security researcher Fred Trotter and members of a Facebook health group, alleges that the company misleads users about how their personal health data is shared, used and curated in Facebook Groups, and that Facebook’s practices are unfair.
Series of Allegations
The complaint lists a series of allegations against Facebook concerning its privacy and business practices.
In March 2018, a member of a Facebook health group discovered that she could download the membership list of “closed” or “public” Facebook groups using a Chrome web browser extension called grouply.io.
The Facebook member reached out to security researcher Fred Trotter to discuss the matter. In April 2018, using grouply.io, Trotter downloaded the names of the entire membership of the Facebook group.
On May 29, 2018, in accordance with Facebook’s responsible disclosure policy, Trotter and other patient community members submitted a report to Facebook about the vulnerability, which allowed personal information to be downloaded from the Facebook site.
Personal Health Record?
The report to Facebook claimed that Facebook’s Groups product counts as a personal health record (PHR) under FTC rules, and reminded Facebook that the breach notification rules and deadlines therefore apply.
By June 12, 2018, the deadline for reporting the PHR breach to the FTC had passed. On June 20, 2018, Facebook responded to the vulnerability report, which the researchers call SicGRL, indicating that its security team would not commit to fixing the problem and did not acknowledge the issue as a privacy or security vulnerability.
On June 29, 2018, members of the Facebook group discovered that Facebook group membership was no longer world-readable. Although SicGRL remained a problem, it was no longer trivial to exploit at scale.
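The defect described in the complaint is an authorization failure: a group marked “closed” hid its posts from non-members, but the membership list itself was readable by any logged-in user, so a browser extension could enumerate it for every group. The following toy model, added here as an illustration and not code from Facebook, from the grouply.io extension or from the complaint, puts the world-readable behaviour beside the members-only check that the June 29 change implies. Group names, members, the `LeakyGroupService`/`HardenedGroupService` classes and the `harvest_closed_group_members` scraper are all hypothetical, constructed for the example.

```python
"""Toy model of a closed-group membership leak and its fix.

Hypothetical data and API, constructed for illustration; this is not
Facebook's code, the grouply.io extension, or the SicGRL report.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    group_id: int
    name: str
    visibility: str            # "public" or "closed" (hypothetical values)
    members: set = field(default_factory=set)


# Constructed sample data: one public group and one closed support group.
GROUPS = {
    1: Group(1, "Gardening Tips", "public", {"alice", "bob"}),
    2: Group(2, "Cancer Support (anonymous)", "closed", {"carol", "dave", "erin"}),
}


class LeakyGroupService:
    """Vulnerable model: 'closed' only hides posts; the member list is
    returned to any requester, i.e. it is world-readable."""

    def __init__(self, groups):
        self.groups = groups

    def list_members(self, requester, group_id):
        group = self.groups[group_id]
        # No check of who is asking: any logged-in user can read the roster.
        return sorted(group.members)


class HardenedGroupService(LeakyGroupService):
    """Fixed model: the roster of a closed group is readable only by its
    members; public groups stay readable by anyone."""

    def list_members(self, requester, group_id):
        group = self.groups[group_id]
        if group.visibility == "public" or requester in group.members:
            return sorted(group.members)
        # Deny by default: non-members learn nothing about a closed roster.
        raise PermissionError(
            f"{requester!r} may not read the member list of group {group_id}"
        )


def harvest_closed_group_members(service, requester, group_ids):
    """Model of an extension scraping rosters at scale as an ordinary user.

    Returns {group_id: [names]}; an empty list means access was refused.
    """
    harvested = {}
    for gid in group_ids:
        try:
            harvested[gid] = service.list_members(requester, gid)
        except PermissionError:
            harvested[gid] = []
    return harvested


if __name__ == "__main__":
    # "mallory" is a logged-in user who belongs to neither group.
    print(harvest_closed_group_members(LeakyGroupService(GROUPS), "mallory", [1, 2]))
    print(harvest_closed_group_members(HardenedGroupService(GROUPS), "mallory", [1, 2]))
```

The point of the scraper function is the scale: against the leaky service a non-member recovers every closed-group roster in one pass, which is exactly the bulk download the complaint describes; against the hardened service the same loop yields only public rosters. A regression test for this class of bug asserts, for a non-member requester, that the closed group's roster is refused rather than returned empty or partially.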
In addition to the alleged breach, the complaint claims that Facebook is not transparent about how users are targeted for advertising and for invitations to join certain medical support groups.
A Significant Hurdle
According to privacy attorney David Holtzman, vice president of compliance at security consultancy Cynergistek, the complaint raises the surprising allegation that Facebook is operating a PHR.
From a consumer’s perspective, Holtzman says, a portal that lets identifiable information be entered and shared with a select group of other consumers seemed like a good idea; consumers did not expect that Facebook would allow the data to be disclosed to third parties or assembled into a broader, more expansive personal profile of the consumer.
Consumers would face a significant hurdle in making the connection that the Facebook Groups product meets the definition of a PHR.
In the letter to Zuckerberg, the Congressional committee writes that health information of certain Facebook users may have been exposed, leading to countless unauthorized disclosures of personal health information, harassment and a risk of discrimination.
According to the complaint filed with the FTC, Facebook’s algorithms used the personal information it collected from Facebook users to suggest and even solicit members of online support groups for a variety of medical conditions. The groups were called closed groups and often had the word ‘anonymous’ in their name, suggesting that information shared within the group and even membership in the group would be private.
The complaint states that users of these groups revealed personal health information, such as information about substance use disorders, about the challenges of parenting transgender children, HIV status, and past history of sexual assault.
People used the member lists and other information from these groups to target and harass members of the groups.
Lack of Transparency
The volume of consumer complaints has raised concerns about Facebook’s privacy policies and practices, the committee’s letter adds.
Facebook’s systems lack transparency as to how they gather personal information and synthesize it into suggestions of relevant medical condition support groups.
Furthermore, the letter states that Facebook may have failed to properly notify group members that their personal health information may have been accessed by health insurance companies and online bullies, among others.
Facebook and the Energy and Commerce Committee did not immediately respond to Information Security Media Group’s requests for comment on the allegations.
The FTC confirmed that it had received the complaint but declined to comment.
Meanwhile, Facebook reportedly is continuing to negotiate a massive proposed settlement with the FTC over other privacy failures.
The Wall Street Journal reports that FTC staff have discussed a fine of up to $5 billion against Facebook. Facebook’s practices are also facing harsh criticism from regulators in other countries.
A report issued by the U.K. Parliament’s Digital, Culture, Media and Sport Committee on Monday accuses Facebook of actively attempting to block efforts to understand how its targeted advertising ecosystem functions, acting as if it has a monopoly on personal information.
Germany’s competition authority has declared that it wants to see an internal divestiture of Facebook’s data, so that users would have meaningful input into how the social media company uses their personal information.