Congress Scrutinizes Facebook Health Data Privacy Complaint
Committee Demands Answers About Consumers' Complaint Filed With FTC
In the latest privacy controversy involving Facebook, a Congressional committee is demanding the social media giant provide answers concerning a complaint filed with the Federal Trade Commission alleging misleading practices involving consumers' personal health information.
That complaint also called attention to an incident when a security researcher was able to download the names and other personal information of over 10,000 cancer patients who were participating in a Facebook health group.
In a letter sent Tuesday to Facebook CEO Mark Zuckerberg, House Energy and Commerce Committee Chair Frank Pallone, D-N.J., and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky, D-Ill., demanded a staff meeting no later than March 1 to discuss with Facebook issues raised by the recent FTC complaint, "so we can better understand Facebook's practices with respect to so-called closed and anonymous groups."
"Despite the indications that the groups were private and anonymous, people and companies who should not have been admitted to these groups gained access to them and to lists of group members."
—Energy and Commerce Committee
The complaint at the center of the latest Congressional inquiry into Facebook was filed in December but made public this week. It alleges that Facebook has been misleading its users regarding the private or anonymous nature of "closed" Facebook groups.
The complaint, filed by security researcher Fred Trotter and members of a Facebook health group, alleges that the company misleads users about how their personal health data is being shared, used and curated in Facebook Groups and that Facebook's practices are unfair.
It also argues that the Facebook Groups platform "should be regulated as a personal health record" under FTC rules.
Series of Allegations
The complaint lists a series of allegations against Facebook concerning its privacy and business practices.
According to a timeline included in the complaint, a member of a Facebook health group in March 2018 discovered that she had the ability to download the membership list of "closed" or "public" Facebook groups using a Chrome web browser extension called grouply.io.
The Facebook member reached out to security researcher Fred Trotter to discuss her concerns. In April 2018, using grouply.io, Trotter downloaded the entire membership list of a Facebook group, which included over 10,000 names.
"All members of this group are positive for the BRCA cancer mutation," the complaint notes. "Most of the names on the downloaded list include email addresses, city of residences and employers of the women who participate in the Facebook closed group."
On May 29, 2018, in accordance with Facebook's responsible disclosure policy, Trotter and other patient community members submitted a report to Facebook about the vulnerability allowing the download of personal information from the Facebook site. They dubbed the vulnerability Strict Inclusion Closed Reverse Lookup Attack, or SicGRL, calling the problem "a life-threatening vulnerability in the Facebook privacy architecture," the complaint notes.
Personal Health Record?
The report to Facebook claimed that Facebook's group product counted as a personal health record under FTC rules, "and explicitly reminded Facebook that the breach notification rules and deadlines apply," the FTC complaint notes.
By June 12, 2018, "the 10 business day deadline for reporting the PHR breach to the FTC passed," the complaint notes. On June 20, 2018, Facebook responded to the SicGRL report submission, indicating that its security team would not "commit to fixing the problem and did not acknowledge the issue as a privacy or security vulnerability."
No member of the redacted Facebook group received a notice that Trotter had downloaded their real names and the fact that they are BRCA positive, the complaint to the FTC states.
On June 29, 2018, members of the Facebook group discovered that Facebook group membership was no longer "world readable," the complaint notes. "This change means that although SicGRL is still a problem, it is no longer trivial to exploit at scale," according to the complaint.
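The access-control gap the complaint describes, a closed group whose posts are restricted to members but whose member list any account can read, shown beside the corrected policy and a simple audit over access records. This is an added illustration, not Facebook's code or the researcher's tool; the Group class, the log record format and the flagging threshold are assumptions, and the sample data is constructed.

```python
# Added illustration (not Facebook's code): a toy authorization model for
# "closed" groups, plus an audit pass over constructed access records that
# flags bulk member-list reads of closed groups by non-members.
from collections import defaultdict

PUBLIC, CLOSED = "public", "closed"


class Group:
    def __init__(self, name, privacy, members):
        self.name, self.privacy, self.members = name, privacy, set(members)


def can_view_posts(viewer, group):
    # Both policies restrict posts in a closed group to its members.
    return group.privacy == PUBLIC or viewer in group.members


def can_view_members_weak(viewer, group):
    # Weak policy: the roster is "world readable" to any logged-in account,
    # regardless of the group's privacy setting (the gap the complaint describes).
    return viewer is not None


def can_view_members_fixed(viewer, group):
    # Corrected policy: a closed group's roster is visible only to its members.
    return group.privacy == PUBLIC or viewer in group.members


def flag_bulk_roster_reads(groups, access_log, threshold=100):
    # Detection: tally how many names each account pulled from closed groups
    # it does not belong to, and report accounts at or above the threshold.
    by_name = {g.name: g for g in groups}
    names_pulled = defaultdict(int)
    for viewer, group_name, action in access_log:
        g = by_name[group_name]
        if action == "list_members" and g.privacy == CLOSED and viewer not in g.members:
            names_pulled[viewer] += len(g.members)
    return {v: n for v, n in names_pulled.items() if n >= threshold}


# Constructed sample data: a 120-member closed support group and a public group.
SUPPORT = Group("support_anon", CLOSED, {f"member{i}" for i in range(120)})
TOWN = Group("town_news", PUBLIC, {"alice"})
SAMPLE_LOG = [  # (viewer, group, action); constructed, not real log lines
    ("member3", "support_anon", "view_posts"),
    ("scraper", "support_anon", "list_members"),
    ("scraper", "town_news", "list_members"),
    ("member7", "support_anon", "list_members"),
]
```

Under the weak policy the roster read by "scraper" succeeds even though its post read would be refused; the audit surfaces that account because it pulled 120 names from a closed group it never joined.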
Because the vulnerability could no longer easily lead to "a mass-casualty event," Trotter and a member began discussing the problem with the news media in late June 2018, the complaint notes. And then in July 2018, Facebook publicly denied that a privacy breach had occurred, the complaint adds.
In addition to the alleged breach, the complaint also claims that Facebook is not transparent about how users are targeted for advertising and for invitations to join certain medical support groups, and how their health data could be accessed by others once they join those groups.
A Significant Hurdle
Privacy attorney David Holtzman, vice president of compliance at security consultancy Cynergistek, says the complaint raises surprising allegations that Facebook is operating a PHR.
"From a consumer's perspective, it seemed like a good idea to have a portal that allows for entry of identifiable information to be shared with a select group of other consumers," he notes. What those consumers did not expect, however, was that Facebook would allow the data to be disclosed to third parties or assembled into a broader, expansive personal profile of the consumer, he adds.
"The consumers face a significant hurdle in making the connection that the Facebook Groups product meets the definition of a PHR," he argues. "If the FTC finds these products are a PHR, then it is more likely that Facebook had an obligation to assess if the data had been compromised, and to carry out breach notification [under FTC's Health Breach Notification Rule] if it knew or should have known a breach had occurred."
The separate HIPAA Breach Notification Rule would not apply to Facebook because it is not a covered entity or a business associate to a covered entity, he notes.
In the letter to Zuckerberg, the Congressional committee writes that the FTC complaint notes "that health information of certain Facebook users may have been exposed, leading to countless unauthorized disclosures of personal health information, harassment and a risk of discrimination."
According to the complaint filed with the FTC, "Facebook's algorithms used personal information it collected from Facebook users to suggest and even solicit members of online support groups for a variety of medical conditions," the committee writes. "These groups were called closed groups and often had the word 'anonymous' in their name, suggesting that information shared within the group and even membership in the group would be private."
The complaint states that users of these groups "shared deeply personal health information, such as information about substance use disorders, about the challenges of parenting transgender children, HIV status, and past history of sexual assault," the committee letter says.
"Despite the indications that the groups were private and anonymous, people and companies who should not have been admitted to these groups gained access to them and to lists of group members," the committee letter states.
"People used the member lists and other information from these groups to target and harass members of the groups. Insurance companies may have used information from these private groups to make decisions about insurance offerings for group members."
Lack of Transparency
The consumer complaint raises a number of concerns about Facebook's privacy policies and practices, the committee's letter adds.
"Facebook's systems lack transparency as to how they are able to gather personal information and synthesize that information into suggestions of relevant medical condition support groups. Labeling these groups as closed or anonymous potentially misled Facebook users into joining these groups and revealing more personal information than they otherwise would have," the letter notes.
In addition, the letter states, "Facebook may have failed to properly notify group members that their personal health information may have been accessed by health insurance companies and online bullies, among others."
Facebook and the Energy and Commerce Committee did not immediately respond to Information Security Media Group's requests for comment on the allegations.
The FTC confirmed to ISMG that it received the complaint but declined to comment.
Meanwhile, Facebook reportedly is continuing to negotiate a massive proposed settlement with the FTC over other privacy failures (see: Report: Facebook Faces Multibillion Dollar US Privacy Fine).
FTC staff have discussed a fine of up to $5 billion against Facebook, The Wall Street Journal reports.
Facebook's practices are also facing harsh criticism from regulators in other countries.
For instance, a final report issued by the U.K. Parliament's Digital, Culture, Media and Sport Committee on Monday accuses Facebook of actively attempting to block efforts to understand how its targeted advertising ecosystem functions, acting as if it has a monopoly on personal information and generally behaving "like 'digital gangsters' in the online world, considering themselves to be ahead of and beyond the law" (see: Facebook Smackdown: U.K. Seeks Digital Gangster Regulation).
In addition, Germany's competition authority has said that it wants to see "an internal divestiture of Facebook's data," so that users have meaningful input into how the social media company uses their personal information (see: German Antitrust Office Restricts Facebook Data Processing).