Data leaks aren't 'breaches' — but they're still screwing over users

The Have I Been Pwned website displayed on a smartphone with the Facebook logo in the background of the image.
(Image credit: mundissima/Shutterstock)

Facebook, LinkedIn, and Clubhouse have claimed that the dumps of their user data that recently showed up on internet forums are no big deal. That's because in each case, the information was "scraped" from publicly viewable user profiles rather than stolen in a break-in. 

Some cybersecurity professionals and journalists agreed, posting on social media that users had nothing to worry about because Clubhouse, Facebook and LinkedIn never intended to protect the data as private in the first place. To them, because no computer system was hacked, no data breach occurred. 

This is an incomplete argument. Not all data breaches include hacking, and plenty of harm can be done with information that companies force users to share in public profiles. 

Whether the data was stolen, leaked, or scraped, the result for consumers is the same — their privacy was violated by a company they thought they could trust.

It doesn't need to be a breach to violate your privacy

The reality is that privacy violations can happen without a security breach. I spoke with privacy experts who indicated a significant degree of concern about the recent incidents.

Lourdes Turrecha, founder of The Rise of Privacy Tech initiative and an adjunct professor of law at Santa Clara University in California, cautioned that while privacy and security breaches sometimes overlap, privacy incidents cover more violations than traditional hacking incidents. (Disclaimer: This writer is an advisor to The Rise of Privacy Tech.)

"Privacy incidents also include illegitimate use and processing of personal data at any point throughout the entire data lifecycle, from collection and processing, to storage and deletion," Turrecha said. 

"Moreover, data protection laws like Europe's General Data Protection Regulation (GDPR) do not exclude publicly available personal data from privacy protections," she added. "As individuals, we don't lose our privacy rights just because our personal data is available on a public website." 

In fact, the Irish Data Protection Commission on Wednesday (April 14) launched an investigation, based on GDPR, into the compromise of 533 million Facebook accounts last week.

Could the companies have done more to stop this?

Mike Jones, chief privacy officer at employment agency Randstad USA, said this shortfall can be the result of cybersecurity professionals thinking about protecting systems instead of people, and of companies focused on legal compliance instead of user protection.

"If your commitment to privacy starts and ends at legal compliance, while cybersecurity teams only focus on systems," Jones said, "you're leaving a big hole in protecting consumers."

Jones thinks Clubhouse should have done more to prevent the rapid, automated scraping of its user profiles. (Facebook and LinkedIn also made this kind of data harvesting possible.)

"There's a big difference between one person accessing data once every few seconds by looking up individual profiles in the app, and one person accessing everyone's profile data quickly through an API [application-program interface]," he said. "The fact that Clubhouse made that available is a huge problem." 
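The distinction Jones draws, between a person opening profiles one at a time and a client pulling everyone's profile through an API, is something a service can measure and act on. The following is an added illustration, not code from Clubhouse, Facebook, LinkedIn or anyone quoted here: a per-principal sliding-window guard that counts how many distinct profiles a caller has requested in the last minute and throttles once that exceeds a threshold. The log format, the principals, the 60-second window and the limit of 20 distinct profiles are all constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample access log (not real data): "timestamp_seconds principal profile_id".
# 'alice' is a person re-reading a handful of profiles at a human pace;
# 'key-7f' is a hypothetical API client walking sequential profile ids as fast as it can.
SAMPLE_LOG = (
    [f"{t:.1f} alice p{(i % 5) + 1}" for i, t in enumerate(range(0, 60, 4))]  # 15 lookups, 5 profiles
    + [f"{100 + i * 0.1:.1f} key-7f p{1000 + i}" for i in range(100)]         # 100 profiles in 10 s
)


class ProfileAccessGuard:
    """Sliding window per principal over the *distinct* profiles requested.

    Repeated views of the same profile are not penalised; requesting many
    different profiles inside one window is. Thresholds are hypothetical.
    """

    def __init__(self, window_seconds=60.0, max_distinct_profiles=20):
        self.window_seconds = window_seconds
        self.max_distinct_profiles = max_distinct_profiles
        self._history = defaultdict(deque)  # principal -> deque of (ts, profile_id)

    def check(self, principal, profile_id, ts):
        """Record one lookup and return 'allow' or 'throttle'."""
        q = self._history[principal]
        # Expire events that fell out of the window.
        while q and ts - q[0][0] > self.window_seconds:
            q.popleft()
        q.append((ts, profile_id))
        distinct = {pid for _, pid in q}
        return "throttle" if len(distinct) > self.max_distinct_profiles else "allow"


def parse_line(line):
    ts, principal, profile_id = line.split()
    return float(ts), principal, profile_id


def evaluate(log_lines, guard=None):
    """Replay log lines in timestamp order and return
    {principal: {"allow": n, "throttle": n}} so the two behaviours can be compared."""
    guard = guard or ProfileAccessGuard()
    counts = defaultdict(lambda: {"allow": 0, "throttle": 0})
    for ts, principal, pid in sorted(parse_line(line) for line in log_lines):
        counts[principal][guard.check(principal, pid, ts)] += 1
    return dict(counts)


if __name__ == "__main__":
    for principal, c in evaluate(SAMPLE_LOG).items():
        print(f"{principal}: {c}")
```

Replaying the constructed log, the human browser is never throttled while the bulk client gets its first 20 distinct profiles and is throttled for the remaining 80. Counting distinct profiles rather than raw requests is the point: it separates "reading the same few pages" from "walking the directory". A limit like this is one signal, not a complete answer; a crawler that spreads its requests across many accounts or slows to a human pace needs separate controls on account creation and API key issuance.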

Violations of privacy are violations of the law

There is serious doubt among privacy professionals about whether Clubhouse meets the regulatory requirements for privacy, especially in Europe where data misuse is legally considered a data breach. 

"Under GDPR and other data protection laws that borrow from it, Clubhouse is obligated to build their infrastructure, products, and services with considerations for individual privacy," said Debra Farber, a privacy expert who advises tech startups. 

"Instead, Clubhouse created privacy harms through aggressive growth hacking techniques that lack required permissions for processing personal data, a lawful basis for collecting it, and the ability for consumers to access, delete, correct, or transfer their personal data or withdraw their consent."   

The company is facing multiple investigations by European regulators for potential violations of data-protection laws. In the United States, Clubhouse hasn't given copies of their data to consumers who asked for it, as required by the California Consumer Privacy Act.

Failing users by design

UK-based privacy consultant Carl Gottlieb says that gauging incidents of data misuse by whether a security breach technically took place misses the point. 

"We should look at them as Privacy by Design failures," Gottlieb said. "Equating incidents like this with the likes of Equifax" — the 2017 Equifax data theft that compromised the personal information of 155 million people — "gets us focusing on the wrong things, like seeing everything as a security failure, rather than a functional design failure. 

"The more we label everything as a security incident," Gottlieb said, "the less likely we will ever see anyone held accountable for their Privacy by Design failures."

This can't go on forever

Such sloppy handling of user data may soon be a thing of the past, Turrecha noted.

"The uptick in regulatory and consumer privacy expectations signals the rise of privacy tech innovations and the beginning of the end for privacy-invasive technologies and business models," she said, "especially at the scale with which they've proliferated and been tolerated in the past."

In a statement earlier this year regarding privacy violations made by the Flo period and ovulation tracking app, the U.S. Federal Trade Commission (FTC) made it clear that it considers the compromise of data to be a breach even when there is no technical hacking involved. 

The FTC cited several benefits of notifying users about these types of incidents, something Facebook, LinkedIn, and Clubhouse all failed to do. 

"Consumers deserve to know when a company made false privacy promises, so they can modify their usage or switch services," the FTC statement said. 

"Notice also informs how consumers review a service, and whether they will recommend it to others. Finally, notice accords consumers the dignity of knowing what happened."

As a society, we have decided that certain business models and practices should not be tolerated by the law, including human trafficking, Ponzi schemes and false advertising. It's entirely appropriate for us to demand greater respect and accountability from any company that collects or uses our personal information. 

We may find that as privacy and data rights expand around the world, certain business strategies simply won't be compatible with the type of protections we want for ourselves and our loved ones.

Melanie Ensign is the Founder and CEO of Discernible Inc, a specialized security and privacy communications firm. After managing security, privacy, and engineering communications for some of the world's most notable brands, including Facebook, Uber, and AT&T, she now coaches teams around the world on how to design and adopt effective communication strategies that increase their influence and reduce risk. She counsels executives and technical teams alike on how to cut through internal politics, dysfunctional inertia, and meaningless metrics. Ensign also leads the press department for DEF CON, the world's largest hacker conference. She holds an undergraduate degree in communications from the University of Illinois-Chicago and a master of science in public relations from Boston University.