It happened quietly, with little statement or fanfare. Last Friday, operators somewhere deep inside Facebook’s shady Menlo Park headquarters turned off access to their platform for an application the Wall Street Journal [https://www.wsj.com/articles/facebook-probing-how-analytics-firm-shares-public-user-data-1532104502] accused of spying on users. Okay, so they didn’t use the word spying. But Facebook themselves called the activities of the Crimson Hexagon app (yes, it does sound like Ernst Stavro Blofeld’s cleaning company) surveillance.
The WSJ journalists pointed out (and Facebook admitted) that Crimson Hexagon has links with the US, Turkish, and Russian Governments. Although Facebook insists that their investigation so far hasn’t shown that any user data has been compromised, it’s difficult to see how Crimson Hexagon could have been carrying out ‘surveillance’ on Facebook users without accessing their data.
Why could this be bad for your company?
If Facebook come out of this saga looking like the villains in a Bond movie, perhaps we can be thankful that they seem like really bad ones. Since March 2017, the company has banned applications from using Facebook to carry out surveillance. Sounds good, perhaps, except Facebook themselves haven’t actually defined what surveillance means [https://www.wsj.com/articles/facebook-bans-use-of-user-data-for-surveillance-1489433901]. If you’re wondering how they planned to ban something without deciding what the thing they want to ban actually is… well, so are we, frankly.
But, here’s the nasty part. From what we know [https://www.theguardian.com/technology/2018/jul/20/facebook-crimson-hexagon-analytics-data-surveillance], it seems like Crimson Hexagon were using image and text analysis of users’ posts to gather data about them, their friends, their workplaces, their pets, what their goldfish had for breakfast… Okay, well maybe not that, but certainly everything they could find about them and their work.
If you have staff members who use Facebook (and you do, unless you lock your employees in a cupboard at the end of each day) then it seems as close as a snake is to its tail that information, potentially confidential information, from your company has been gathered by Crimson Hexagon.
And did we mention that Crimson Hexagon’s clients included the Turkish, Russian, and US Governments?
What can you do?
Make sure that you have a clear policy about using social media that your staff all agree to. It’s not enough just to say “not in the office”. “Not on devices you use for work,” and, “don’t post anything from the office,” are probably necessary now too. And, of course, make sure that you have robust policies and procedures to keep track of all the confidential data your team have access to. Only staff who genuinely need data should have it, and a thorough, secure data wipe of hard drives, to make sure of this, is a vital part of your data protection policies as well.