It’s not if, but when. Between crooks, hackers, and foreign governments, Facebook probably can’t avoid a serious user data breach forever. When it happens, Facebook may never be able to quiet fears that “personal data isn’t safe there”. That could cause a chilling effect on sharing, jeopardize its future in commerce, and cut its lifetime short.
This isn’t to say Facebook’s not doing everything in its power to prevent this. It has a sizable security team of top talent, infiltrates hacker rings to thwart their schemes, and offers cash bounties to white hats who identify bugs or holes.
Yesterday, though, Facebook announced something very unsettling. A “sophisticated attack” uploaded malware onto the computers of several Facebook engineers when they visited a hacked mobile developer site. Facebook quickly quarantined and scrubbed the devices, called the police, and kicked off an investigation. So far, there’s been no evidence that any user data had been compromised. Perhaps the attackers were after Facebook’s trade secrets or information about partners. Regardless, it was a very close call.
To date, Facebook has managed to kept possibly the world’s largest repository of private information from falling into the wrong hands. It’s fellow social networks haven’t been as successful. Twitter most recently saw 250,000 accounts accessed by hackers, and last year the passwords for 6.5 million LinkedIn accounts were stolen and published online.
But there’s a huge difference between those social networks getting hacked, and someone getting into your Facebook account. Most data on Twitter and LinkedIn is public by default. Sure there’s direct messages, or the few misguided souls who keep their profiles locked down. On Facebook, though, privacy is the default. That means Facebook has a lot more to lose from getting hacked.
The absolute damage of an eventual breach might not be too severe. Perhaps some photos and messages stolen, or at worst some credit card information. Facebook would likely respond quickly by quarantining affected accounts until users changed their passwords and reclaim control.
It’s the psychological damage to Facebook’s brand that will be the real killer. The world’s news outlets would be all over a breach. Though it looks like no user data was accessed, yesterday’s announcement brought swift coverage from the New York Times, BBC, ABC News, The Guardian, and just about every tech news blog.
The world will know, and the fear will sweep across the news feed. Quick to jump to the worst conclusions and re-share sensational stories, Facebook will be filled with people advising friends to cease sharing, pull out all their data, and shut down their accounts. Most won’t go that far, but the looming worry that nothing is safe on Facebook will permeate the world population and slam its stock price.
Facebook already struggles to fight a perception that it creeps on people’s data, and that its privacy controls are so confusing that people accidentally expose their own information. The emergence of vulnerability to outside attack will compound these issues. Together, they could derail Zuckerberg’s Law — the theory that the amount of content we share doubles every year.
Facebook’s business model is a value exchange. It offers a free, powerful, unified communication tool, and to access it, users trade in their data and allow Facebook to monetize it through advertising and other methods. But that exchange requires that we trust Facebook to keep our private data safe. If that trust is shaken, adding your most private thoughts, media, contact info, and financial data becomes more of conscious decision about risk.
Injecting that hesitation into the sharing process could be the biggest threat to Facebook’s long-term success outside of a rising social network that refuses to be acquired. In other words, no matter how well Facebook plays the security game, the odds are stacked against it, and the stakes have never been higher.