As we described last week, Mark used login data of early Facebook members to break in to the private email accounts of two Harvard Crimson editors, according to instant messages viewed by Business Insider. He also broke into the systems of competitor ConnectU and changed user profiles, also according to IMs.
Mark now oversees private data of 400 million people as the CEO of Facebook. Questions have been raised about whether this 2004 behavior violated laws and whether users can trust the company to keep their information from being misused.
We reported the details of these hacks last Friday. Here's a quick recap: In May 2004, as a sophomore at Harvard, Mark Zuckerberg learned that the Harvard Crimson was working on a story about the founding of TheFacebook.com, a site Mark had launched three months earlier that evolved into Facebook. According to instant messages viewed by Business Insider, Mark searched the site to find users who identified themselves as members of the Crimson's staff. Having located several accounts, Mark then scanned a log of failed logins, which members had entered while logging on to the site. Figuring that Facebook users might have accidentally entered the passwords to other services, such as email accounts, Mark tried the failed logins of these Harvard Crimson staffers on their email accounts. In this way, Mark successfully accessed the private email accounts of at least two Crimson staffers and read at least 11 emails, according to the IMs we viewed.Also in 2004, Mark Zuckerberg hacked into the systems of a rival social network for college students, ConnectU, and deactivated some accounts.
Since first reporting these hacks last week, we asked Electronic Frontier Foundation's top privacy lawyer, Kevin Bankston, about the legality of such behavior. Bankston says it could have violated laws:
An email break-in like the one that's been alleged would likely violate the federal criminal statutes that regulate electronic privacy and prohibit computer fraud, and depending on the hacker's motives could even rise to the level of a felony punishable by up to five years in prison.
Specifically, lawyers tell us, Mark's 2004 actions could have violated the following laws: Unauthorized access to communications in electronic storage is a violation of federal law 18 USC 2701(a). If the motive behind Mark's actions was commercial advantage or private commercial gain, this crime is a felony — punishable by up to five years in jail. If the intent was not commercial, the crime is a misdemeanor, punishable by one year in jail. Unauthorized access to a protected computer is a violation of federal law 18 USC 1030(a)(2)(c). Again, if the crime was perpetrated for commercial advantage or private commercial gain, it is punishable by up to five years in prison. Additionally, if this law was broken in order to facilitate a second crime, such as 8 USC 2701(a), it is a felony.
The statute of limitations of both these federal laws is five years, so Mark is safe from federal prosecution. In Massachusetts, however, the general larceny statute (Mass. Gen. L. ch. 266, § 30), which doubles as computer fraud statute by covering theft of "electronically processed or stored data," has a statute of limitations of 6 years. If the value of this data exceeds $250, this crime is a felony punishable by up to 5 years in prison.
The EFF attorney, Kevin Bankston, added that "these allegations — in particular, the troubling accusation that Facebook users' information was misused to enable the claimed email hack — raise serious questions about whether or not 400 million people should be entrusting their online privacy to Facebook."
We also asked Harvard University about Mark's actions, which occurred while he was a sophomore. Harvard would not comment specifically on this situation:
"The Administrative Board considers each case on an individual basis and we do not comment on cases involving Harvard students, faculty, or staff. We also do not speculate on how we might respond since all decisions are based on thorough review of the specific facts presented and the students' responses to those facts."
Ben Edelman, a lawyer, privacy hawk, and Ph.D at Harvard Business School, was startled by the email break-in, as well as the way in which Mark Zuckerberg acquired the information necessary to do it:
No one expects a web site to retain a mistyped password, and certainly no one expects a site admin to use that password to access a user's account on another site. When a user logs into a site, the user rightly expects that his password is used only to authenticate his connection — not to gain access to the user's other accounts on other sites. Users naturally trust that site admins will respect the confidentiality of users' information and especially users' passwords. For an admin to take a user's password, and use it to access other sites, is a serious violation of users' expectations.
Given all this, we had three questions for Facebook:
Does Mark regret his 2004 actions?
Facebook gave us a similar response to the one it provided last week: "We're not going to respond to allegations from unnamed sources." The company has not denied that the break-ins took place.
Does Facebook still retain users' failed logins?
Facebook did not directly answer this question. It provided a general discussion of how it views login information:
The login is one of the most important barriers to unauthorized access to accounts. As such, of course we do lots of analysis over how it is used and have many related sophisticated systems as a result to prevent brute force and other attacks. However, we do not discuss these measures to protect their effectiveness.
Does Facebook have safeguards in place to prevent all employees from improperly accessing user data, or is such access simply punishable after-the-fact?
The privacy and security of our users' information is of paramount importance to us. While, for security reasons, we do not publicly disclose all of the safeguards we have in place, we have advanced internal tools that restrict access to information to those who need it to do their jobs (an example would be someone on our User Operations team who helps people fix problems with their accounts).
A cross functional committee of senior employees decide on a case by case basis who gets access to these tools. Most employees do not have access to these tools at all. In addition, employees who are approved to access these internal tools must sign an agreement and complete an extensive training program beforehand. Finally, we track the actions performed through internal tools, each use is logged and requires the employee to explain the purpose of his or her use, and we audit all of this regularly.