Oops

The editors of the Washington Post helpfully point out that Facebook’s newly-discovered emphasis on privacy isn’t getting off to a very good start:

The company disclosed last week that it had exposed hundreds of millions of users’ passwords to its employees in plain text. The mishap, a question of carelessness rather than third-party sharing, is a reminder that the data debate is as much about protection as it is about privacy.

The KrebsOnSecurity blog first reported the flaw in Facebook’s system on Thursday. Facebook says no one outside the company could access the passwords, and there is no evidence its employees abused the vulnerability, which it detected in January during a security review. Still, the error is glaring: Storing passwords in an unreadable format is Security 101. It is standard practice for Facebook. And yet the company missed the problem for years. Facebook says the issue occurred not through its normal login system but through other mechanisms that unintentionally captured passwords, such as error logs.

Facebook’s lapse may not have violated any rules in the United States because the passwords were available only internally and no known harm has resulted from the mistake. But that is precisely the reason a privacy law must pay attention to data protection.

The only law that would really help is one that would outlaw Facebook’s business model. Its business model is to sell personal data. No amount of tinkering around the edges will change that.

Laws might induce Facebook to start observing ordinary and elementary security measures, however. Not retaining passwords online in plain text would be a good start.
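The two lapses the editorial describes, passwords kept in a readable form and passwords slipping into error logs through mechanisms outside the login path, are cheap to prevent. The following is an added example, not code from this post or from Facebook's systems, and every name and sample value in it is constructed: a login handler that dumps the raw request into its error log (the leaky pattern), beside a hardened version that stores only a salted PBKDF2 hash and routes every log record through a redaction filter before it is written.

```python
"""Keeping plaintext passwords out of storage and out of logs.

Constructed illustration: a leaky login handler that logs the whole
request on failure, and a hardened one that (1) stores only a salted
PBKDF2 hash and (2) masks sensitive fields both at the call site and in
a logging.Filter, so a stray debug or error log cannot capture them.
"""
import hashlib
import hmac
import json
import logging
import os
import re

# Ordered longest-first so "password" is tried before "pass".
SENSITIVE_KEYS = ("password", "passwd", "pass", "token", "secret")

# Matches key=value or "key": "value" fragments in free-form log text.
_PATTERN = re.compile(
    r'(?i)("?\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b"?\s*[:=]\s*)("[^"]*"|\S+)'
)


def redact_text(text: str) -> str:
    """Replace the value following any sensitive key with [REDACTED]."""
    return _PATTERN.sub(r"\1[REDACTED]", text)


def redact_mapping(data: dict) -> dict:
    """Return a copy of a request dict with sensitive values masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in data.items()}


class RedactingFilter(logging.Filter):
    """Last line of defence: scrub every record before any handler sees it."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())  # format, then scrub
        record.args = ()  # already formatted; prevent a second % expansion
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_logger(name: str, redact: bool):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactingFilter())
    return logger, handler


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string never contains the password."""
    salt = os.urandom(16)
    rounds = 200_000
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def leaky_login(request: dict, users: dict, logger) -> bool:
    """Anti-pattern: plaintext comparison and the raw request dumped on failure."""
    ok = users.get(request.get("username")) == request.get("password")
    if not ok:
        logger.error("login failed, request=%s", json.dumps(request))
    return ok


def hardened_login(request: dict, users: dict, logger) -> bool:
    """Hash-based check; only a redacted copy of the request reaches the log."""
    username = request.get("username")
    stored = users.get(username)
    if stored is None or not verify_password(request.get("password", ""), stored):
        logger.warning("login failed for %s, request=%s",
                       username, json.dumps(redact_mapping(request)))
        return False
    return True


def run_demo() -> dict:
    """Run both handlers on a constructed failed login; return what each logged."""
    attempt = {"username": "alice", "password": "wrong-guess-123"}
    plain_users = {"alice": "s3cret-plain"}               # what the leaky path stores
    hashed_users = {"alice": hash_password("s3cret-plain")}  # what the hardened path stores
    leaky_logger, leaky_out = make_logger("demo.leaky", redact=False)
    safe_logger, safe_out = make_logger("demo.hardened", redact=True)
    leaky_login(attempt, plain_users, leaky_logger)
    hardened_login(attempt, hashed_users, safe_logger)
    return {"leaky": leaky_out.lines, "hardened": safe_out.lines,
            "stored": hashed_users["alice"]}


if __name__ == "__main__":
    for kind, lines in run_demo().items():
        print(kind, lines)
```

The call-site redaction (`redact_mapping`) is the primary control; the `RedactingFilter` exists for the case the editorial describes, where some other code path logs a request it was never meant to see. Neither replaces reviewing what the application logs in the first place.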

3 comments
  • CuriousOnlooker

    I am curious what types of internal controls Facebook has.

    Internal audits should catch something as egregious as what happened here (long before it was found). If there were no internal audits then what are senior management/board doing?

  • TastyBits

    I do not think this should be included with Facebook’s privacy issues. It was no different than the numerous security breaches of numerous large companies.

  • walt moffett

    A huge mass class action suit filed by the usual folks might rpt might lead to changes. Otherwise, things will rock along.
