Most of us have opened a webpage at some point or another and been confronted – perhaps with a degree of surprise – with a picture of our own face, and an option to log in to third-party applications via a social media account. This trend has brought Facebook back into the headlines over privacy concerns this month, as it emerged last week it will be formally investigated over a data breach affecting 50 million user accounts. Not long after the scandal over Cambridge Analytica – during which Facebook CEO, Mark Zuckerberg, told users that Facebook has “a responsibility to protect your data, and if we can’t then we don’t deserve to serve you” – it has emerged that hackers were able to steal Facebook’s ‘access tokens’, the digital keys which keep you logged in so you don’t need to re-enter a password.
Mike Isaac, the tech reporter at the New York Times who has been investigating the story, suggests that “Zuckerberg has been positioning Facebook as an identity layer or passport to the rest of the internet, so it makes it much simpler for people to just get up and use your apps immediately. But with that sort of convenience, the trade-off comes as a real security issue – which is that, when you have all that stuff in one place, hackers are going to go after that one centralised place that much more”. The social media giant claimed that third-party apps and services which allow users to log in via their Facebook accounts were not compromised in the attack, but logged 40 million users out of their accounts as a precautionary measure. The Irish Data Protection Commissioner, as the relevant authority in the host country of the company’s European subsidiary, has now opened a formal investigation. Facebook is now staring down the barrel of a $1.6 billion fine as a result – the agency is empowered, at least in theory, to issue fines of up to 4% of global turnover.
The legal and regulatory pressure is now intense on even the most dominant market players to act stringently on matters of privacy, and this is only increasing with time. As EU member states expect increasingly rigorous standards in the wake of GDPR, so too are governments around the world stepping up their requirements in the face of mounting public concern. The Australian Government, for instance, has announced a two-month review into current arrangements for the protection of identity information, with plans to update its National Identity Security Strategy. “Each year, many Australians fall victim to identity crime, with an estimated cost of over $2 billion annually,” explained the country’s Home Affairs Minister. “The effective management and sharing of identity information is also critical to maintaining public trust in the delivery of government services – citizens want to know that their privacy is maintained and the services being provided are tailored to their needs and easy to use.” The message here is clear – users want to know they can act online with confidence, but are unwilling to sacrifice convenience in that pursuit.
Facebook was joined in related news this week by fellow giant Google, who have decided to shut down consumer access to their social media platform Google+ entirely, after it emerged that a bug in the code had allowed access to users’ private details by third-party application developers. By Google’s own estimation, up to 438 different applications may have been able to access private profile data, and as many as 496,951 users may have had their data compromised. As the developments suggest that even the world’s richest and most advanced tech companies cannot ensure privacy through multi-purpose social media logins, we are forced to consider what the most secure alternatives available are. The mobile industry can help here. By ensuring that what users know (a PIN) is paired with something they have at all times (their mobile phone) – and additionally, where appropriate, something they are (a biometric scan) – the pan-industry digital identity solution, Mobile Connect, sidesteps the pitfalls associated with social media logins, while relying on the unparalleled security credentials of the mobile networks. The time may have arrived to accept that what always seemed a slightly curious approach to some has now been discredited, and a secure approach is required. With Mobile Connect-based solutions now available from Asia to America and the world over, the capability is now there, and the case is increasingly clear.