15 October 2018, updated 01 Jul 2021 12:14pm

Facebook’s data breach shows us how the internet is broken – and we’re making it worse

Online data security is fundamentally broken, and the more we link accounts the worse it will get.

By James Ball

Online security is completely broken, and we are engineering the world to make that – possibly unfixable – problem even worse, day by day.

We have a tendency to compare the online world to the offline one, so when we think of security we liken passwords to a door key.

We can over-extend that analogy: imagine you used the same key for your car, office, bank safe deposit box and house, and you have a rough approximation of the risk of re-using passwords. We can think of backdoor routes into sites – through unpatched security holes and similar – as more like climbing through a window.

But these hokey analogies only start to show some of the risk. In the case of the recent breach of Facebook’s security, which affected at least 30 million users, the vulnerability allowed the hackers – almost certainly a nation state – to impersonate logged-on users, roughly akin to disguising themselves as you to trick their way past building security. They never got the key, but they got in and had a look around.

The exploit to get into those Facebook accounts was a convoluted one, and reminds us of the complexity of modern online architecture – millions of lines of code, interlinked libraries, open-source components, and interaction between different sites. It’s akin to a building having a million windows, and someone has to constantly check whether they’re all locked.


If that sounds like an impossible job, you’d be right: almost every major web service has suffered a major breach at some point, and not just the private-sector ones. This weekend alone, around 30,000 US Department of Defense staff found their card and travel details had been accessed via an attack on a contractor.

And famously, even the agencies in charge of online security and their nation’s most closely-guarded secrets cannot avoid hacks: not only did the USA’s National Security Agency (NSA) and the UK’s GCHQ face losing their secrets via Edward Snowden’s disclosures, the NSA also lost control of some of its own hacking tools – which were then used in an attack which hit the NHS’s IT systems.

These are just the hacks that we know about: competent hackers – whether working for profit or for their government – don’t broadcast when they’ve got into a system. They just quietly sit back and hoover up the data they can freely access.

On top of these undiscovered leaks, there are ones that have been found but we haven’t been told about: Google was exposed earlier this month as having decided not to disclose a security hole which could have hit 500,000 users. It is unclear whether the company will face any repercussions for that decision.

To summarise: our biggest and most technologically sophisticated companies are regularly failing to protect the data they collect. So are our governments and even our intelligence agencies.

While they remain unable to do that, they are all collecting more data on more people than ever before, creating irresistible hoards of personal data, many of which are impossible to alter once collected: information accessed during the Facebook attack included details such as sexual orientation, search history, and other personal information.

So: ever bigger honeypots of data, that we can’t protect, with no obvious change in sight. That’s as bad as it gets, right? Wrong. Companies like Facebook, Google and Twitter now offer what’s called “open auth” (OAuth) – the ability to use your logged-in session with one of those sites to log in to others.

On the surface, that’s sensible: instead of millions of sites having to build secure login systems, fewer do – and you need to log in less often, and type passwords much less.

But it also makes the already intractable security risks even more systemic: getting into Facebook can now mean getting into dozens of other connected sites – and we’re moving further in that direction too.
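To make the systemic risk concrete, here is an added toy model of federated login (example code written for this page, not anything from Facebook or the article). A single identity provider issues signed bearer tokens that several relying sites accept. One stolen token opens any site that does not check which site the token was issued for, which is the "getting into Facebook means getting into dozens of other sites" problem; binding tokens to an audience and letting the provider revoke them after a breach are the two standard ways to shrink that blast radius. The provider name, site names, key and token format are all constructed for illustration.

```python
"""Toy federated-login model (added example, not from the article).

An identity provider (IdP) issues HMAC-signed tokens; relying parties (RPs)
ask the IdP to introspect a presented token before trusting it. The
simulation shows why one compromised IdP token is a systemic risk and how
audience checks plus provider-side revocation limit the damage.
Every name, key and timestamp below is constructed for this demo.
"""
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

IDP_SECRET = b"constructed-demo-key-not-for-real-use"  # assumption: demo key only


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The site everyone logs in through (the 'Facebook' in the article)."""

    def __init__(self, secret: bytes = IDP_SECRET):
        self.secret = secret
        self.revoked: set[str] = set()  # token ids invalidated after a breach

    def _sign(self, body: str) -> str:
        return _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())

    def issue(self, user: str, audience: str, now: int, ttl: int = 900) -> str:
        # Token is bound to one relying party ('aud') and expires after ttl seconds.
        claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl,
                  "jti": f"{user}:{audience}:{now}"}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{body}.{self._sign(body)}"

    def introspect(self, token: str, now: int):
        """Provider-side check: valid signature, not expired, not revoked."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now or claims["jti"] in self.revoked:
            return None
        return claims

    def revoke(self, token: str) -> None:
        """What the provider does once it learns tokens were stolen."""
        self.revoked.add(json.loads(_unb64(token.split(".")[0]))["jti"])


class RelyingParty:
    """A site offering 'log in with <provider>'."""

    def __init__(self, name: str, idp: IdentityProvider, check_audience: bool = True):
        self.name, self.idp, self.check_audience = name, idp, check_audience

    def login(self, token: str, now: int) -> str:
        claims = self.idp.introspect(token, now)
        if claims is None:
            return "rejected: invalid, expired or revoked"
        if self.check_audience and claims["aud"] != self.name:
            return "rejected: token issued for a different site"
        return f"logged in as {claims['sub']}"


def simulate_breach(now: int = 1_539_600_000):
    """Replay a stolen token against three sites, before and after revocation."""
    idp = IdentityProvider()
    sites = [RelyingParty("photo-app", idp),
             RelyingParty("news-site", idp),
             RelyingParty("legacy-forum", idp, check_audience=False)]  # sloppy RP
    stolen = idp.issue("alice", "photo-app", now)  # attacker obtains this token
    before = {rp.name: rp.login(stolen, now) for rp in sites}
    idp.revoke(stolen)                             # provider responds to the breach
    after = {rp.name: rp.login(stolen, now) for rp in sites}
    return before, after


if __name__ == "__main__":
    for label, outcome in zip(("before revocation", "after revocation"), simulate_breach()):
        print(label, outcome)
```

The token that was stolen for one app logs the attacker straight into the site that skips the audience check, which is exactly the interconnection the article warns about; the sites that do check reject it, and once the provider revokes the token every site refuses it. Short lifetimes do the rest of the work: a token presented after its expiry is refused without any revocation at all.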

Almost every serious security professional will tell you that online data security is fundamentally broken – and that we should move towards minimising the damage when serious attackers get into systems (and making it much easier to detect such intrusions), rather than pursuing the “fortress” model of illusory security.

Instead, we get security theatre – reminders about our own passwords and data, even as serious attackers take thousands or millions of these at a time.

We have created a huge systemic risk to our own privacy, finances and security – perhaps even to our economic system – and we barely understand it, or care about it. The experts know the security of the internet is broken. They’re just waiting for the public to care.
