by kerng 2616 days ago
Can we please stop calling these privacy violations bugs? It sounds like a benign thing. These are not bugs anymore. It's unauthorized access to records of millions, and Facebook is the one who performed the violation.

I can give a dog walker or cleaning personnel the keys to my apartment; still, if they steal stuff and I have evidence, they will be prosecuted. It's not a bug that they don't have business ethics.

2 comments

So a hacker took all of Equifax's data including your SSNs, address, names, DOB etc. By your analogy, all of Equifax's engineers should be in jail right now!

BTW, just in case you are unaware, Equifax got away with this hack with zero fines in the US.

You are mixing things up... In this situation the hacker is Facebook.

Most of the other Facebook data breaches where they didn't secure data accordingly would compare more to what you refer to.

This case is different though as Facebook performed unauthorized actions on email accounts, basically breaking in.

I am making a case for the OP's comment that Facebook may have made a genuine mistake by introducing this bug - like they literally called out in their statement.

A bug is a bug. Whether it allows a hacker to sneak in to steal all your data or whether it allows a company to collect data it wasn't supposed to (as in this case Facebook specifically mentioned that it didn't turn off the feature though it intended to).

> in this case Facebook specifically mentioned that it didn't turn off the feature though it intended to

What you are describing here is in fact a lack of action, or a lack of change policy (to cause such action). That's not a bug. A bug is unintentional behaviour of some code, not some folk who've said they'll do something, but then don't.

And as for whether the original behaviour is/was a bug is also a point of contention too: that's a lot of willfully bad behaviour that's got chained together somehow to do what it did, then reviewed, signed off, and deployed — that's quite some 'accident' — I write code, and to me this whole thing just smells of a cover-up (by FB calling this a 'bug', when it very much looks to be otherwise).

I'm curious, if the message saying that "FB will also import contacts if you proceed" were still visible, would you still consider it "unauthorized access"? Is it really "unauthorized" if users give informed consent?

I doubt it, so it seems that we're just bickering over whether the accidental removal of the message is considered a "bug" or a malicious act by some engineer to trick users into sharing their data because they (and their company) lack business ethics.

Which is more likely?

Move fast and break things is not what one should do when dealing with personal information of billions of people. People need to be held accountable, Facebook has to be held accountable.

Maybe a complete engineering stop for a few months, and development of new practices and processes.

Similar to what Microsoft did with Bill Gates' Trustworthy Computing memo, which led to the creation of the Secure Development Lifecycle, is something Zuckerberg should order to do.