Listening to politicos, you'd think the systems were actually compromised, and, in the same breath, boogeypeople from Russia are mentioned in order to conflate things in the mind of the audience. This willful conflation is a tactic to drive a narrative.
HIPAA data is accessed by researchers, sometimes anonymized, but not in all cases. These are not considered breaches. In addition, as others indicate, FB posts are not, at least at this time, protected data.
> you'd think the systems were actually compromised
We're seeing a divide between the technical and popular interpretations of the term "breach". When an industry drops the ball and responds pedantically, that's a strong sign that further regulation is needed. If only to force a common language.
Facebook insists they were not "breached" because many states require notification in the event of "security breaches of information involving personally identifiable information" [1]. Each body of law defines "breach" differently. Most do not limit it to technical security malfunctions.
> When an industry drops the ball and responds pedantically, that's a strong sign that further regulation is needed. If only to force a common language.
We already have plenty of regulation here that Facebook is unambiguously subject to; the question is whether the relevant authorities will actually follow through on that.
For what it's worth, it's been two days, and we're already seeing an FTC investigation and a Congressional investigation, so it's a little premature to conclude that existing regulation is insufficient.
> HIPAA data is accessed by researchers, sometimes anonymized, but not in all cases. These are not considered breaches. In addition, as others indicate, FB posts are not, at least at this time, protected data.
In order to receive data protected under HIPAA by a covered entity, you have to go through an extraordinarily elaborate and complex legal process. In addition to signing an agreement that (in effect) binds you to all of the same restrictions on the data that the original covered entity (e.g. hospital/insurer) was, if you're accessing the data for research purposes, you'll have to go through an institutional review of your intended purpose and methods for the research.
Facebook does none of these, which is why they have been (rightfully) criticized for conducting unbelievably unethical studies[0] without either user consent or institutional approval, even though both of those are typically required by all reputable universities and publishers for research.
Facebook posts are not protected under HIPAA, but they're not entirely unprotected either, and it's totally valid to refer to that breach of responsibility and trust as a breach.
I'll agree with you in characterizing it as a breach of trust. That it is. Operatives in Washington, however, are trying to characterize it as something it is not.
It's not Russians hacking in, it's not part of some effort to destabilize democracy, etc. That characterization and demonization is indicative of the mindset of those people and that may even pose more danger than the breach of trust by Facebook.
True! Mostly it was information about users and their social graph collected by people voluntarily. It's distressing that people were not informed, "We're going to use this to target political propaganda at you when you" when they took personality quizzes/etc, but all the data was shared by users. FB's security isn't breached, merely their users' trust.
> it's not part of some effort to destabilize democracy, etc
I'm not sure we all agree on that. ;) The whole point was that one can use the intelligence gleaned from these users' social graphs to target memes/advertising/messaging to specific subgroups whose political responses you are hoping to influence.
> It's not Russians hacking in, it's not part of some effort to destabilize democracy, etc.
I'll avoid the word "hacking" since it's used to mean a lot of different things to different people, but it absolutely could be part of an effort to destabilize or undermine (US) democracy.
What we've seen is definitely a breach of responsibility and a breach of trust. It's also probably a breach of the law, since the data Facebook collects is still subject to some protections (and it's hard to imagine how Facebook could have done all this while adhering to those). And while we don't yet know the motivation or intentions of the people involved in these actions, it could very well be motivated by an effort to destabilize or undermine US democracy. I don't see why you think those are mutually exclusive.
It's no secret that 3rd parties can get access to your Facebook data though. There's been apps asking for permission to access your Facebook data for years. That's the whole point of the Facebook developer platform.
Do we know what data was harvested? Cause if it's data that's supposed to be private then yeah, that's some murky business. If it's public info, or info that can be accessed if you give an app permission to log-in, then is that really a "breach"?
I mean, it's terrible and CA was definitely misusing it, but if I install an app and it asks for permission to use my location and my contacts, and I grant them, is that a break of trust and a breach of the law on the Apple/Google front? What should Apple/Google be doing to protect my privacy?
Legit questions here; I do hope something is figured out and fewer people fall into this kind of trap. I've heard of Android games whose purpose actually is to harvest a ton of personal info. Apple seems to veto its apps better, and maybe that's the solution-- Facebook should veto 3rd parties better (Google should too, before something like this hits the fan).
HIPAA data is accessed by researchers, sometimes anonymized, but not in all cases. These are not considered breaches. In addition, as others indicate, FB posts are not, at least at this time, protected data.
So, while illustrative, the analogy is not apt.