
How a patient advocate discovered a massive security problem with closed groups on Facebook, and became a white hat hacker.

July 4, 2018; August 7th, 2019

Published at Brave Bosom

Background:  About Peer Support Groups & BRCA Community

For anyone reading this who is not part of a support group on Facebook, let’s start there.  Many patients who face trauma and need help navigating the healthcare system seek support from peers.  This is widely known by experts in healthcare, and the valuable role of social media support groups has been well-studied.

The BRCA and hereditary cancer community is a growing group of people who carry genetic mutations which significantly increase the risk of developing cancer. A more detailed history of the community may be found here.  Further information relating to how our community’s genes were patented until 2013 is linked here and here.

Since 2013, access to genetic testing for hereditary cancer has become widely available, yet the healthcare system is not adequately evolving to serve the needs of cancer previvors and survivors who carry genetic mutations.  In order to compensate for this gap, a number of organized support groups using the Facebook Group platform with ‘Closed’ privacy settings were established.

The goal of these online peer-led support groups is simple: fill a gap of needs currently unmet by the healthcare system by sharing knowledge and offering emotional support to fellow patients.

How a patient advocate became an “accidental white hat hacker”   

In March 2018, the Cambridge Analytica story showed how user data from Facebook could be easily obtained by third parties, which has led to Congressional Hearings and an ongoing investigation both in the United States and in parts of Europe. That this received worldwide attention and the intervention of several government bodies underscores the severity of the security breach.

After the Cambridge Analytica story broke, Andrea Downing wanted to find out if there were any privacy risks within her own BRCA-patient groups, in which she participates as a member and a moderator. Andrea started trying out various developer tools on Facebook, and she found something unbelievable as she began researching Facebook’s group platform. 

Andrea found ways to access and “scrape” data from closed groups using Facebook’s own built-in developer / third party tools.  Thus, the sensitive and valuable data from her supposedly private groups was not safe. She brought these concerns to a small group of other administrators and moderators in the BRCA Community, including founders of several support groups such as Karen Malkin-Lazarovitz and Lisa Cohen.  The initial small group collectively enlisted the help of other group administrators representing nearly 30,000 women all over the world to write an Open Letter to Facebook.

Enlisting help from a cybersecurity expert.

Having found that Facebook’s developer tools enable any user on Facebook to access her support groups’ data, Andrea wasn’t sure what to do next, so she decided to approach  an expert.  Andrea reached out to cyber security expert Fred Trotter for advice, after meeting him at a conference and knowing he wrote a book called “Hacking Healthcare.”  But Andrea didn’t really know anything about cybersecurity or hacking, nor did she yet understand that she was about to become an accidental security researcher.  

What happened next was a shock for both Fred and Andrea.  Andrea had expected a 30 minute call, where she shared the concerns from her community with the goal of getting input and technical feedback on how to fix the problem.  Fred not only confirmed that Andrea had uncovered a dangerous security vulnerability, but also that it could scale to any closed group on Facebook. In other words, a malicious hacker or third party could easily scrape data not only from BRCA groups, but also from any of the hundreds of thousands of other closed support groups.  This could endanger millions of Facebook users by exposing their private health information to scammers, hackers, and blackmailers.

A crash course in cybersecurity.

This initial call with Fred set a chain of events in motion.  Fred started by explaining the process of responsible disclosure to Andrea and other group admins: if news of this security flaw were to become public and fall into the wrong hands, then support groups could be scraped by malicious actors (known as “black hats” in the cybersecurity world).  Fred and Andrea drafted an Open Letter To Facebook to let them know the details of the problem could not and should not be shared further or made public.  The goal was to keep the information contained until the security problem was fixed, to prevent black hat hackers from learning how to scrape data from other at-risk Facebook groups.  Understanding the gravity of the problem, Andrea and the other administrators provided instructions to administrators of other groups on how to change settings in their groups to limit the risk of leaking data.

Reporting the Problem to Facebook

Fred and Andrea began drafting a report of what they found with the goal of asking Facebook’s security team to fix the problem. They enlisted the help of another cybersecurity expert and former White House appointee, Matt Might.   Matt offered an important technical ‘second opinion’ about the scale, impact, and severity of the security problem as the report was drafted.   As a team, they carefully and discreetly enlisted a council of trusted experts who could assist their efforts by offering further evidence that the problem was urgent and should be immediately fixed by Facebook.  

This work leading to what is known in cyber-security circles as “responsible disclosure” was completed by Andrea, Fred, Matt, and a team of legal experts, and also included groups of UX design experts, ethicists, and concerned citizens. Together, they drafted a 30-page report to describe the steps to exploit the vulnerability and the potential impacts on patient support groups and other vulnerable communities.

The first step to address this issue was to file a formal report through the Facebook ‘white hat portal.’ The detailed submission of findings was made on May 29th. After receiving a reply that Facebook’s team would look into the problem, Andrea and Fred waited for a full response.  Finally on June 20, Facebook sent a  response indicating that Facebook’s security team would not commit to fixing the vulnerability, and that the problem outlined by the team was built into Facebook ‘by design.’  

Growing concerned that Facebook would not address the issue, Andrea and Fred persisted with their request to Facebook to fix the problem.  On June 26 a second response was sent to Facebook requesting an immediate fix and a meeting to discuss how to resolve the security/privacy issues faced by all closed groups.  An updated draft of the Open Letter to Facebook from the hereditary cancer community was attached to the request.

On June 29th, Jill Holdren (co-author of this post) discovered that Facebook had fixed the problem.  On the same day, Facebook sent a 748-page report back to Congress detailing their data-sharing practices. While we haven’t received any further communication from Facebook, major changes to Facebook’s group platform are underway.

What comes next?

It is worth noting that this was not widely shared with group membership before the vulnerability was addressed to keep the issue contained. This was a painstaking decision made by the smaller group of those with knowledge of the problem out of an abundance of caution, carefully weighing the potential for a single group member to unwittingly share information publicly, which could cause all of our fears to be realized before the damage could be controlled.

Now, there is more work to be done.  Facebook closed the “hole” that was potentially leaking data in June.  Thus, we’re preventing future harm of scraping group data on a massive scale.  But like an oil spill, that does not mean we can just walk away and say mission accomplished. To prevent more of this type of vulnerability in the future, we need to understand the root causes of this problem.  

In the near term, we need to find out the following:

  1. How might we partner with trusted experts who can help us conduct data forensics and/or third party audits to understand where the “oil” has leaked, as this would have happened without our community’s knowledge or consent?
  2. How can we gather evidence and make sure we have all the facts about how this leak may have impacted patient communities?
  3. How do we develop a plan to remediate data that may have been leaked before this was fixed?
  4. How can we have an open dialogue with Facebook, the FTC, and others to understand how and why this happened – and to find new ways to ensure that it never happens again?

How can support group leaders on Facebook help?  

For anyone who is part of a Facebook Support group reading about this, it may feel overwhelming and scary.  Imagine how afraid and alone these community administrators felt in the beginning! To quote Fred in an early email about the vulnerability:  “Take heart.  We are going to a good place, despite the difficult journey.”

After hoping Facebook would take steps to report the breach to the FTC and take further steps to develop features to secure groups, we have submitted a formal complaint to the FTC which details the security problems that were found.

If patient support groups would like to comment or support this complaint to the FTC, please review the summary letter and add your name.


Author The Light Collective
