Zuckerberg must face public scrutiny over latest data breach, say UK MPs

UK members of parliament have once again called for Facebook’s founder, Mark Zuckerberg, to travel to the country to face questions about how his business operates.

They’re renewing calls for facetime with the Facebook CEO in light of the massive data breach it disclosed on Friday — which the company said could affect as many as 90 million users, with 50M confirmed to have been compromised. It’s not clear exactly how many UK (or European) accounts are involved at this stage.

Facebook said on Friday that it had fixed the flaws, which were introduced after an update in July, and had been exploited by hackers to swipe access tokens. Attackers had been able to use its APIs to scrape some user data, it also said. It reset all potentially affected tokens once it discovered the hack late last month.

Damian Collins, who chairs a UK parliamentary select committee which, earlier this year, spent several months this year interrogating data protection issues, and recently called for a levy on social media platforms to help defend democratic institutions from online disinformation, told the Telegraph: “Facebook’s latest data breach demonstrates more clearly than ever why Mark Zuckerberg should face public scrutiny about the practices and policies his company employs to keep British users’ data safe.”

Julian Knight, another member of the committee, also said: “It would be helpful to hear from Mr Zuckerberg, but I won’t be holding my breath.”

Earlier this year MPs on the Department for Digital, Culture, Media and Sport (DCMS) select committee appealed for Zuckerberg to personally give evidence as they scrutinized the impact of online disinformation on democractic processes. However Facebook repeatedly declined to send its founder — instead sending some alternative staffers, including — finally — its CTO.

The committee was not satisfied, complaining that the reps it sent were unable to answer their questions. Collins also slammed the company for what he described as an evasive “pattern of behaviour” — and “a desire to hold onto information and not disclose it”.

It also kept up its pressure for Zuckerberg to testify — offering the chance for him to answer questions remotely, via video link. Still Facebook declined.

In May, in a pretty extraordinary development, the DCMS committee then told Facebook that if its founder stepped foot on UK soil they would issue him with a formal summons.

Safe to say, Zuckerberg made no trips to the UK, although he did attend a meeting of the EU parliament’s conference of presidents towards the end of May (where he was heckled for also avoiding MEPs’ questions).

Given his record of rejecting invitations from the UK parliament, it seems unlikely the company will suddenly offer its CEO up now — to discuss an awkward security breach to boot.

Though Facebook’s lack of engagement with UK politicians might make the government keener to seize on the committee’s recommendation of a social media levy to offset damage caused by tech platforms’ accelerating online disinformation.

We’ve reached out to Facebook with questions and will up date this story with any response.

The data breach is the first that falls clearly under new EU-wide privacy rules which carry beefed up penalties for violations.

On Friday, in a statement commenting on the Facebook hack, the UK’s data protection agency said: “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”

The company does appear to have abided by the requirements of GDPR to report major breaches within 72 hours of discovery.