Facebook hopes to 'normalize' idea of data scraping leaks, says leaked internal memo

An internal email sent in error to a Belgian journalist describes Facebook's strategy for changing the narrative about data scraping ahead of further incidents.

Katie Collins Senior European Correspondent

Earlier this month, it came to light that personal data from 533 million Facebook profiles had been scraped and posted on a website for hackers. That data leak has prompted an investigation by the EU's privacy watchdog, but it may not be the last such event. In fact, it's a privacy problem that Facebook reportedly expects will arise again in the future -- and hopes will be viewed as normal when it does.

In an email sent in error on Monday to Pieterjan Van Leemputten, a journalist for Belgian publication Data News, an unnamed member of the Facebook communications team comments on the declining coverage of the data scraping story, before going on to outline the company's long-term strategy for dealing with the problem.

"Longer term, though, we expect more scraping incidents and think it's important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly," said the email.

Facebook didn't respond to a request for comment.

That email reveals several things. First, although Facebook says it's fixed the vulnerability that allowed the data to be scraped in the incident revealed this month, it expects other similar exposures will take place in future. Second, it's planning to change the way the public views scraping incidents, by framing them as something that affects all tech companies and is just par for the course.

To do this, it plans to release a blog post in the coming weeks that will talk more broadly about the anti-scraping work the company is doing. "We hope that this will normalize the fact that this activity is ongoing and avoid criticism that we aren't being transparent about particular incidents," said the email.

Facebook has faced a number of privacy challenges over the years, but the recently reported leak, in which data from before 2019, including names, birth dates and phone numbers, was found on a website after being scraped from the service, was one of the most significant yet. It presents a challenge to the company to keep the trust of users who believe their personal details to be safe with the platform. The leaked email suggests that the company's strategy for dealing with this is to change people's expectations of its capabilities to keep their data safe, rather than to offer them better protections.

While Facebook clearly has in mind a plan for pacifying the general public, regulators upholding privacy rules are unlikely to be moved by the company's argument that the problem is industrywide. Just last week, Ireland's Data Protection Commission, the agency responsible for ensuring Facebook abides by European privacy rules, announced a probe into the massive data leak reported earlier this month.

The Irish DPC didn't respond to a request for comment about whether the leaked email would form part of its scraping investigation, or was of interest to its ongoing oversight of Facebook's activities.

As a "controller" of data, Facebook has a number of obligations under Europe's strict set of privacy rules, the General Data Protection Regulation, to ensure it informs both data protection authorities and affected users in a timely manner if their data has been exploited. Regardless of whether scraping is an industrywide problem or not, the obligations outlined by the GDPR still apply to Facebook. Because Facebook is a large and wealthy company, the penalties for not complying could also hit it harder than most -- it could be fined up to 4 percent of its annual global turnover.