CASE: FACEBOOK LEAK

Written on the 20th of May 2021 by Chris van ’t Hof, updated on the 12th of Dec 2024 by Serena de Pater

This is actually a non-report, but it demonstrates where we draw the boundaries on what we can and cannot do according to our code of conduct.

The case

On April 4 several news platforms reported that the personal data of 533 million Facebook users had been leaked. Security researcher Alon Gal reported that the dataset was now available for free online. A few days later, on April 9, our DIVD volunteers were offered a dataset of 5.3 million Dutch users, containing names, places of residence and mobile phone numbers.

What we did

The first idea that came up was to send all these users an SMS text message to warn them that their data had been leaked and that they should be extra careful not to respond to suspicious phone calls. Aside from the legal and logistical problems, we decided not to proceed, as the media was catching up on the issue, warning users and redirecting them to Have I Been Pwned.

The second idea that emerged was to search the dataset for the phone numbers of Dutch politicians and send them an SMS to warn them and raise awareness. Some volunteers claimed to have found contact information for members of the Cabinet and Parliament. We were particularly concerned about this, especially since after the elections on March 17, 2021, new Members of the Dutch Parliament were being installed, with very few of them having a background in information technology. Although a small awareness campaign might have been useful, we ultimately decided against it. Sharing such sensitive personal data would not be proportional to the goal of raising awareness, according to the DIVD Code of Ethics. Furthermore, the principle of subsidiarity indicates that awareness-raising was already being addressed through less intrusive means, as other parties, including the media and governmental bodies, were already issuing general warnings.

More information