U.S. Senator Mark Pryor today called on the Federal Trade Commission (FTC) to investigate a security flaw that may have put the personal information of 500 million Facebook users at risk.
Pryor said software applications or "apps" on the social networking site have given third parties access to the personal information of millions of users, including teenagers, who believe they have control over who sees the information they send to others or post on the site. A proponent of stronger data security protections, Pryor believes consumers should be notified when security breaches occur. In addition, he requested the FTC provide recommendations for how to better protect these individuals in the future.
Pryor is the Consumer Protection Subcommittee Chairman on the U.S. Senate Committee on Commerce, Science and Transportation.
A copy of Pryor's letter can be found below:
Dear Chairman Leibowitz:
I am writing to convey my concern regarding an article in today's Wall Street Journal suggesting that a security vulnerability in certain applications or "apps" on the social networking site Facebook, with over 500 million participants worldwide, potentially gave third parties access to personal information of Facebook users. The security firm Symantec has estimated that approximately 100,000 Facebook apps may have inadvertently leaked to third parties millions of "access tokens" which function like spare keys to certain information in users' online profiles.
The article troubles me because many consumers, particularly young consumers, use social networking websites on a regular basis to communicate and exchange messages with friends, often relying upon a sense of control over the information they choose to share. It appears that unbeknownst to them, these "apps" may have leaked our teenagers' profiles or messages, contradicting the sense of control they rely upon and regularly assert.
Consequently, it is critical that vulnerabilities to security system integrity be prevented, and where identified, corrected immediately. As a corollary, consumers must be notified when their personal information is breached to protect them from harm. Following the recent Sony and Epsilon data breaches, this new report marks another high-profile breach in a series of recently alarming and large-scale demonstrations of inadequate security safeguards resulting in personal information disclosure.
I encourage you to investigate this matter as soon as possible to determine whether Facebook has thoroughly fixed the vulnerability, the extent to which "access tokens" are still in circulation on the Internet or stored in server log files and recommendations to protect users from unauthorized access to their profiles. I would appreciate your quick attention to this matter and I request you submit to me and my staff your response by May 25, 2011.
As the Consumer Protection Subcommittee Chairman on the U.S. Senate Committee on Commerce, Science and Transportation, I look forward to continuing to work with you as we address data security, breach notification and privacy concerns in the stream of commerce.