Facebook given 6 months to comply with Privacy Commission order
The National Privacy Commission (NPC) on Friday ordered Facebook to take comprehensive action on the supposed data breach that affected Filipino users, including an information education campaign on data protection and the setting up of a local help desk.
The order was issued after Facebook informed the NPC that, of the 30 million users worldwide, the personal information of at least 756,000 Filipino accounts was affected.
The NPC has ordered Facebook to submit a more comprehensive data breach notification report, notify the affected data subjects through an appropriate Data Breach Notification, and provide identity theft and phishing insurance for affected Filipino data subjects.
The Commission also asked Facebook to implement a program in the country, or otherwise directed to Filipino data subjects, to increase awareness of identity theft and phishing, and to establish a dedicated help desk or help center for Filipino data subjects on privacy-related matters concerning Facebook, located in the Philippines and with a local number.
Facebook was given six months to comply with the order issued by the Commission.
In a report by Lei Alviz on 24 Oras, NPC Deputy Commissioner Ivy Patdu said Filipinos might want to consider logging off Facebook in case the company refuses to comply with the Philippine government's demands.
"Filipinos should also be asked: if Facebook really digs in its heels, or refuses to comply, and refuses to give Filipinos what they are due, are you ready to lose Facebook?" Patdu said.
"But I don't think we will get to that point," she added.
On September 25, Facebook discovered that there was an unusual increase in traffic from the use of the "View As" feature, which is used to access accounts.
Facebook's latest vulnerability had existed since July 2017, but the company first identified it on Tuesday after spotting a "fairly large" increase in use of its "view as" privacy feature on Sept. 16, executives said.
"View as" allows users to verify their privacy settings by seeing what their own profile looks like to someone else. The flaw inadvertently gave the devices of "view as" users the wrong digital code, which, like a browser cookie, keeps users signed in to a service across multiple visits.
That code could allow the person using "view as" to post and browse from someone else's Facebook account, potentially exposing private messages, photos and posts. The attacker also could have gained full access to victims' accounts on any third-party app or website where they had logged in with Facebook credentials.
Three days later, Facebook informed users of this "vulnerability" and that the problem was already fixed.
On October 2, "in a conference call with Facebook officials and this Commission, Facebook, through counsel, informed this Commission that individual notification was not deemed ripe as the conditions for individual notification."
"Facebook contends in its letter dated 13 October 2018 that there is no material risk of more extensive harm occurring."
The NPC maintained on Friday that the social media network should supply all of its users the details on how they can ensure their data is well-protected.
"Each one really needs to know that they are part of it, (and) which of my information was affected," Patdu explained.
The NPC executive said that since Filipinos use the social media platform, the company has the responsibility to raise awareness among users about protecting the information that they share on the Internet.
"Facebook is a very big company, they earn a lot, so it is only right that, because this breach happened to them, they also invest in making sure that we Filipinos here are given the appropriate programs and attention."
In a statement, Facebook said, "We are continuing to engage with the NPC on this matter and our investigation is ongoing." — with Margaret Claire Layug/BAP, GMA News