Facebook charged with misleading users on health data visibility

By Nathan Eddy
12:56 PM
A report says the social network’s handling of personal health information put its users' health at risk.

A report accuses Facebook of misleading users of its Groups platform about who can see their private information, and argues that Facebook did not disclose how much of that information, including health information, could be visible to outsiders.

WHY IT MATTERS

“Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users,” the complaint states.

The report, written by CareSet Systems CTO and hacktivist Fred Trotter and healthcare attorney David Harlow, offers an in-depth review of the health data being shared, used and curated in these Facebook Groups.

The document argued that even though the social media site actively encourages users to share private health information in numerous ways, Facebook’s privacy and access control settings are inconsistently applied.

In addition, the report said Facebook allowed substantial patient health information to leak, and charges that, as a personal health record (PHR) platform, it is in violation of the FTC Health Breach Notification Rule.

“If you're diagnosed with a rare disease, you can join a group and connect with people with that condition all around the world so you're not alone,” CEO Mark Zuckerberg wrote in a company blog post announcing its Groups platform.

THE BIGGER TREND

The report pointed out that in April 2018, using grouply.io, Trotter was able to download the real names for the entire membership list — more than 10,000 people — of a Facebook Group where all members are positive for the BRCA mutation.

Most of the names on the downloaded list came with the email addresses, cities of residence and employers of the women who participate in the Facebook Closed Group.

By placing ads that “nudge” users into joining these healthcare groups, Facebook can profit from the clinical details it mines from its user base, according to the document.

“Facebook makes money by offering its users a personal health record product, and then selling information it learns about its users with the PHR context,” the authors charged.

The U.S. government and Facebook are already negotiating a record, multibillion-dollar fine for the company’s privacy lapses — a collection of consumer advocates under the organization EPIC urged the FTC in January to penalize Facebook aggressively with “substantial fines,” perhaps exceeding $2 billion.

WHAT ELSE TO KNOW

Complaint co-author Andrea Downing, who co-moderates a group for breast cancer patients, helped call attention to a vulnerability in Facebook’s Group system called a Strict Inclusion Closed Group Reverse Lookup (SICGRL) attack, by which a supposedly closed group reveals a list of members to all users.

“For any Facebook Group with strict inclusion requirements, this functionality amounts to publishing a personal fact about the user, which is nonpublic user information,” the vulnerability report reads. 

Nathan Eddy is a healthcare and technology freelancer based in Berlin. 

Email the writer: nathaneddy@gmail.com

Twitter: @dropdeaded209