It has been reported that developer and digital explorer Jane Manchun Wong has discovered an unnerving “feature” in Facebook’s smart display. Wong successfully added another user’s photo album to her own Portal’s Superframe. The problem is that Facebook states that a person can only add photo albums to Portal’s screensaver that are part of their Facebook account. Wong reported this to Facebook, but she says the company doesn’t “think this is a security vulnerability.”
This is an example of how an incomplete threat model can allow users to gain access to information they otherwise shouldn’t have access to. Unless Mark Zuckerberg has granted Jane Wong permission to use his image, for example by making the image public or adding her as a Friend, she is effectively using this image without consent. With copyright and privacy laws varying by jurisdiction, properly securing access to personal data is an imperative for all organisations. While most privacy laws currently don’t define PII to include likenesses, as any photographer knows, use of someone’s likeness often requires a license and release. Facebook allowing Portal users to gain access to anyone’s photo albums without proper rights management increases the risk of inappropriate usage. Effectively, the premise is that if your users don’t know what you’re doing with their data, you increase business risk if something goes wrong!