We take a look at how Facebook, Amazon, Microsoft, Google, and Apple have addressed recent controversies around cybersecurity — and how they’re filling privacy gaps.
Cybersecurity is a hot topic today.
Already this year, at least 30 organizations — including coffee chain Dunkin’ and cloud provider Rubrik — experienced major data breaches. Most recently, Dow Jones saw over 2.4M identity records, including those of politicians and government officials, leak across the internet.
These high-profile data breaches (among many others over the last few years) have put the general public on high alert, with talk of data protection becoming an increasing priority. (Read our future of data security report for more on this topic.)
It comes as no surprise, then, that big tech players like Facebook, Amazon, Microsoft, Google, and Apple (FAMGA) are investing heavily in data security — especially as several have fallen victim to data breaches themselves.
Facebook, for example, disclosed that an unprecedented data breach in September 2018 exposed the social media accounts of up to 90M users — including login credentials — effectively compromising access to any site that lets users log in with their Facebook account.
But the company is not alone. These tech giants track our behavior, store our financial information, know where we work and live, what we buy, and more — and as a result, each has made moves to prioritize cybersecurity initiatives across two distinct areas:
- Personal data: Perhaps the most sought after currency of the digital age. And because it’s so valuable — and not well understood — the scope of exactly what the big tech brands have been collecting is only recently being recognized by the general public.
- Corporate data: Virtually every major company, across industries ranging from healthcare to finance, has back end systems that are built around services provided by big tech.
Collectively, FAMGA has poured nearly $2.5B into cybersecurity startups globally — especially as tech companies have been largely at the center of privacy regulation issues. In May 2018, for example, the General Data Protection Regulation (GDPR) went into effect as a means to protect personal data across the EU, further propelling companies worldwide to take data protection more seriously.
Select investments (green lines) & acquisitions (orange) in the cybersecurity space.
In addition to investments, FAMGA has applied for dozens of patents over the last few years, focusing on everything from securing users’ login credentials to combating cyber crime, and more.
In this analysis, we explore some of the biggest cybersecurity controversies which affected FAMGA, how they’ve responded, and what they are doing now to fill in the remaining gaps.
In the last few years, Facebook has been in the spotlight for a myriad of controversies. Its market cap seemed unaffected until July 2018, when Facebook lost around 20% of its value in one day off of news of slowing user growth.
Since then, the stock price has struggled to completely recover as Facebook has worked to find ways to take its most valuable commodity — user information — and protect it without seeing a hit to the bottom line.
In early March, Facebook announced a pivot towards privacy with an increased focus on private messaging first and then building a platform around that. In a post, CEO of Facebook Mark Zuckerberg said:
“I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever.”
This shift certainly raises questions about the future of Facebook’s business model — one that currently relies almost completely on ad revenue — as it dives deeper into private, encrypted messaging services.
Perhaps the most infamous controversy that has rocked Facebook over the last few years was its involvement with the UK-based data firm Cambridge Analytica.
In the run-up to the 2016 US presidential election and the UK Brexit vote, it was reported that approximately 90M user profiles might have been harvested without their knowledge through an app called “This is Your Digital Life.” (Check out our explainer on psychographics for more detail).
While the Cambridge Analytica controversy was not specifically a data leak, but more an exposure of loose data practices by Facebook, it’s important to note that the company’s data practices are still under scrutiny.
This was only the start of a difficult two years for Facebook. Additional security breaches — including the one exposing a potential 90M users — as well as being targeted by malicious actors seeking to find breaches in data security to harvest user information, have also taken their toll.
While trust in Facebook is down, the financials had been relatively strong. In its Q4 Earnings Report for 2018, earnings, revenue, and active users were all up over the previous year. However, in March, Facebook was hit with a series of negative stories, including news that the Eastern District of New York is looking into “data deals” Facebook had made with companies that allowed these outside companies access to users’ information without their permission.
What Facebook is Doing to Address the Gaps
In response to the data breaches, both Mark Zuckerberg and Sheryl Sandberg, COO of Facebook, have vowed to put a deeper focus on protecting users’ personal data — calling attention to stricter policies and a need to be more vigilant about data protection.
In a recent call, Zuckerberg addressed the challenges that Facebook, in particular, faces when it comes to a constant barrage of attacks:
“Security, it’s an arms race. We’re continuing to improve our defenses, and I think this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community.”
But Facebook is also accountable. The company has actively shared user information with third parties in the past and has created a murky understanding of user consent, perpetuating the spread of personal data — a major topic across several scandals.
The announcement that Facebook was looking to focus on private encrypted messaging means potentially merging Facebook, WhatsApp, and Instagram (all platforms it owns) under one roof. This move would allow users to share messages and information that’s both encrypted and impermanent, and would render the public news feed as less important.
Facebook is also looking to use artificial intelligence to improve data security across its organization, even at the expense of making a profit.
In an earnings call, Zuckerberg warned investors that Facebook’s overall growth would likely slow in the coming years because of the investments the company would be making into cybersecurity and privacy initiatives saying, “we’re investing so much in security that it will significantly impact our profitability.”
On the patent side, Facebook filed for a patent on “anonymizing user identifiable information” in early 2018. This patent would allow for personally identifiable information (PII), such as names, addresses, phone numbers, to be scrambled in datasets so the information stored in servers would not be tied to a particular person.
This patent is also designed to solve issues around requests for data deletion by users.
Typically, a deletion request requires the system to search through a database of files and rewrite each file, thus exposing all of the users’ PII and never fully deleting all of the user’s information. This system could be used to protect a user’s identity and make it easier to comply with deletion requests.
Beyond patent activity, Facebook acquired four startups in 2018, one with a cybersecurity focus.
Confirm.io is a Boston-based startup that verifies government-issued IDs for third-party businesses. Facebook wants to tap into and further develop Confirm’s API for authenticating government issued identification via advanced forensics, including biometric and facial data — without the need for human intervention.
Experts predict that Facebook is experimenting with allowing users to use biometrics to access their accounts.
Amazon hasn’t had nearly the problems with data breaches that have hit some of the other big tech brands. However, it’s spending time focusing on securing its smart home capabilities, especially as the smart speaker market has exploded and is projected to continue to grow over the next five years.
Amazon is also the US government’s cloud provider. In November 2017, the company announced its “AWS Secret Region,” becoming “the first and only commercial cloud provider to offer regions to serve government workloads across the full range of data classifications, including Unclassified, Sensitive, Secret, and Top Secret.” The company is also competing to win a contract known as Joint Enterprise Defense Infrastructure (JEDI), which would allow it to provide cloud services for the Department of Defense.
When it comes to security concerns for Amazon, it’s only suffered from a handful of notable controversies over the years.
Most recently, just before Black Friday, the company cited a “technical error” on the website, which exposed an undisclosed number of customers’ names and email addresses.
The bigger story of 2018 for Amazon was fears around the possibility that Echo home speakers were recording conversations through Alexa and sending them to other users. Amazon addressed the concern in a statement, saying that a series of accidentally issued Alexa commands caused the issue.
Exploring the user’s log allowed Amazon’s technical team to identify the source of the error and provide an update.
What Amazon is Doing to Address the Gaps
Beyond securing its own users’ data, Amazon has two primary areas of focus for cybersecurity and data protection: Amazon Web Services (AWS) and smart home security.
AWS is a division of Amazon that focuses on cloud computing, database storage, and other functionalities. It has a massive enterprise level client base with some of the biggest companies in the world — like Netflix, Expedia, and NASA — using it.
Among several security breaches that resulted from incorrectly configured settings on AWS services, those at Accenture, Uber, and Time Warner were some of the most high profile. Uber, for example, was involved in an incident that exposed 57M customers.
In light of these errors, Amazon is no longer leaving data security entirely up to its clients. The company has since worked to improve the AWS user interface to help better manage and control access. It’s also implemented GuardDuty, a threat detection service to protect AWS accounts. The company is also launching additional services for AWS focused on security, including machine learning-powered Amazon Macie.
Improving settings might seem innocuous, but studies have indicated that most security breaches in the cloud are due to settings errors, with a data breach costing an average of $6.5M, according to Cloudnosys.
Amazon has also applied for a patent called “management of encrypted data storage” that describes encryption services for AWS users. This is an especially attractive offering to companies in industries such as finance, medicine, and hospitality — where it’s critical to protect users’ private data.
When it comes to cybersecurity around Alexa, Amazon has made strides to quell users’ concerns, including providing more comprehensive documentation to users of when they are being recorded, how data is used, and how to delete recorded data.
Amazon also has strict control standards on apps, implemented harsher review processes, and began encrypting the recorded data that flows between Echo devices to Amazon’s servers.
In early 2019, Amazon acquired Eero, which manufactures Wi-Fi networking devices with mesh routers that have a built-in cybersecurity service. Amazon may use that underlying technology in its smart home products — including smart speakers — for added layers of protection.
Microsoft has a heavy focus on protecting data and cybersecurity — mainly because it has such a wide reach across enterprise systems. That includes a deep focus on improving cloud security, especially as it’s also one of the companies bidding on the military-focused JEDI contract (along with Amazon and Oracle).
Microsoft’s most recent security controversy came at the end of 2018. In December, a bug hunter based in India discovered a vulnerability in a Microsoft sub domain that could have given hackers access to users’ Microsoft Office accounts.
What Microsoft is Doing to Address the Gaps
While cloud security — especially around its cloud computing service Azure — is paramount, Microsoft is also taking a serious role in election security.
The company has rolled out two programs specifically aimed at election security, both in the US and in Europe.
Microsoft AccountGuard is a system that will offer threat detection and security guidance across “both email systems run by organizations and the personal accounts of these organizations’ leaders and staff who opt-in.”
Alongside the AccountGuard program is another feature called the Defending Democracy Program that is aimed at protecting “organizations that underpin democracy” from hacking and disinformation campaigns. These programs have been rolled out across the US and are now being offered in Europe.
While speaking at Mobile World Congress 2019, Microsoft CEO Satya Nadella touched upon the increased focus the tech giant has placed on cybersecurity, saying:
“We believe privacy is a fundamental human right. That’s why we prioritize cybersecurity, not just for the largest of companies, but for small businesses and consumers, who are often the most vulnerable to cyber attacks.”
Microsoft’s investment in data security and protection adds up to over $1B each year, according to Tech Republic.
As Azure’s enterprise use grows, and chips away at Amazon’s market share, it becomes even more essential for the company to invest in innovation and AI to defend against an estimated 7T cyber threats each day.
Microsoft is also exploring homomorphic encryption (HE).
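Homomorphic encryption is a scheme in which operations can be performed directly on encrypted data, without it being decrypted first. The result of the computation is itself encrypted, and once decrypted by the key holder it matches the answer that the same operation would have produced on the original data, so whoever runs the computation never sees the underlying values and privacy stays intact.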
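The property described above can be shown with a small added example, which is not from this article or from Microsoft's SEAL library: it uses the Paillier cryptosystem, a simpler scheme that supports addition on ciphertexts, whereas SEAL implements different, lattice-based schemes. The key size, sample figures and function names are assumptions chosen for illustration, and the primes are far too small for real use.

```python
"""Toy Paillier cryptosystem: additively homomorphic encryption (illustration only)."""
import math
import secrets

# Demo primes chosen for readability (a Fermat and a Mersenne prime).
# Real Paillier keys use two random primes of 1024 bits or more each.
P, Q = 65537, 2147483647


def keygen(p=P, q=Q):
    """Return (public modulus n, private key (lam, mu)), using generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, mu is simply lam^-1 mod n
    return n, (lam, mu)


def encrypt(n, m):
    """Encrypt integer 0 <= m < n. Randomised: same m gives different ciphertexts."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (n + 1)^m mod n^2 equals 1 + m*n, so no big exponentiation is needed for g^m.
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    lam, mu = priv
    x = pow(c, lam, n * n)
    return (x - 1) // n * mu % n  # L(x) = (x - 1) / n, then multiply by mu


def add(n, c1, c2):
    """Ciphertext of (m1 + m2): multiply the ciphertexts. Needs only the public n."""
    return c1 * c2 % (n * n)


def mul_const(n, c, k):
    """Ciphertext of (k * m) for a plaintext constant k. Needs only the public n."""
    return pow(c, k, n * n)


def demo():
    n, priv = keygen()
    salaries = [52_000, 61_000, 48_500]  # constructed sample data
    ciphertexts = [encrypt(n, s) for s in salaries]

    # "Server" side: sees only n and the ciphertexts, never the salaries or priv.
    total_ct = ciphertexts[0]
    for c in ciphertexts[1:]:
        total_ct = add(n, total_ct, c)
    doubled_ct = mul_const(n, total_ct, 2)

    # Key holder decrypts the results of the computation.
    return decrypt(n, priv, total_ct), decrypt(n, priv, doubled_ct)


if __name__ == "__main__":
    print(demo())
```

Paillier supports only addition and multiplication by a known constant; schemes that also multiply two ciphertexts together are what libraries such as SEAL are built for.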
In late 2018, Microsoft released its homomorphic encryption library, the Simple Encrypted Arithmetic Library (SEAL), as open source on GitHub. This reflects a push from Microsoft, and other stakeholders like Intel, IBM, and SAP, to introduce agreed standards for HE.
To that end, Microsoft has looked to develop multiple patents in this area.
Two patents, “neural networks for encrypted data” granted in 2016 and “encrypting genomic data for storage and genomic computations” granted in 2018, are both focused on ways to secure encrypted data in the cloud and the ability to share that data while encrypted.
As AI and natural language processing (NLP) become more integrated, Microsoft may hope to use biometric related tools such as handwriting scans, voice recognition, and computer vision to keep access to data secured.
Microsoft’s 2017 acquisition of the Israeli firm Hexadite was focused on boosting cybersecurity. The goal of the acquisition was to take Hexadite’s capabilities in next-generation security threat investigation and apply it to Microsoft’s Windows Defender Advanced Threat Protection to allow for faster identification and remediation of threats.
Google was rocked by not one, but two breaches around its Google+ platform in 2018. While Google+ suffered from low engagement rates and was already in the process of winding down, the data breaches contributed to Google shuttering the service early. But Google has also been focusing on developing better audits and cybersecurity measures, especially in the enterprise space.
Google+ never quite had the impact on social media that Google had hoped and during a routine systems security audit, a vulnerability was discovered that potentially exposed the data of approximately 500,000 users.
After another was discovered in late 2018 that potentially exposed the private names and email addresses of upwards of 50M users, Google announced that it would be shutting down Google+ early.
Google saw push back regarding the delay of these announcements. With millions of people potentially affected, it did not alert users or regulatory bodies in the EU about the first breach until months later.
Currently, the company is involved in a class action lawsuit with Rhode Island’s Pension Fund related to the data breaches. Google has also been fined nearly $60M by France’s data protection regulator for GDPR violations.
What Google is Doing to Address the Gaps
When it comes to data protection, Google has been developing a number of products and solutions to address threats on various fronts.
Project Strobe was launched in 2018 as a “root-and-branch review of third-party developer access to Google account and Android device data.” It specifically looked at where Google users were not engaging with Google products and services because of fears around privacy and data security.
While the shutdown of Google+ was one of its main findings, Google also upgraded and improved users’ control of account settings and permissions for Google accounts. This included new limitations for apps looking to access tools like Gmail and diminishing the ability for apps to access call logs and SMS history on Android mobile devices.
Similar to Microsoft, Google is also seeking to provide protections for election security. In the 2018 US midterms, an estimated 65% of candidates used Gmail accounts, according to Area1 Security.
Google’s Advanced Protection Program was created for high-risk users including “journalists, activists, business leaders, and political campaign teams.” It offers more advanced features, such as 2-step verification for sign in and more restrictive account access to third-party apps.
In another move aimed at data security, Alphabet announced the launch of a subsidiary called Chronicle in early 2018, spawned from Alphabet’s “moonshot factory,” called X. Chronicle’s goal is to develop products for greater cybersecurity protection, especially systems for enterprise security management.
To that end, Chronicle recently launched Backstory, a “global telemetry platform” that offers built-in threat signals with the aim of helping users to securely store petabytes of data. With all of this data in one place, not spread over different tools and systems, it can be searched for viruses, hacks, and security breaches more quickly.
VirusTotal, a tool that analyzes files to detect malware and viruses in real time, was acquired by Google in 2012, but was moved to Chronicle’s ownership last year.
Recent Google patents also emphasize its focus on enterprise level cloud security.
One patent, for “access control for user related data” describes a system to help detect potential large scale leaks while deploying encryption technology that can help maintain the privacy of the data.
Apple has always prided itself on being deeply focused on user privacy and hasn’t come under the scrutiny of other FAMGA companies. However, it still has been impacted by data breaches and is taking strides to secure its users’ data even more, especially on the enterprise level.
Earlier this year, the company temporarily disabled both Facebook and Google’s internal applications as a result of the companies collecting certain user data in violation of the terms of Apple’s developer enterprise program.
Some Chinese users were recently the victims of a hack that exposed account information. In some cases, hackers were able to withdraw funds from users’ accounts on apps including Alipay.
Another issue that made news was a recent FaceTime privacy breach that “allowed users to receive audio and video from the device of the person they were calling even before the person had accepted or rejected the call.”
A teenager first discovered the error and his mother reported it to Apple, but the company did not take serious action until videos and reports emerged showing users replicating the issue. It’s unknown exactly how long the breach lasted before it was discovered.
What Apple is Doing to Address the Gaps
Apple CEO Tim Cook has often been the most vocal of the big tech heads when it comes to discussing the dangers of a lax attitude on data — especially in terms of selling for marketing — and the need for better privacy solutions.
He recently told a data security conference in Belgium that modern technology has led to a “data-industrial complex” where private and personal data has become “weaponized against us with military efficiency.” He didn’t limit the pain to individuals who have been hacked, but extended it to society as a whole.
Apple has placed a big focus on enterprise cybersecurity solutions. It announced a partnership in 2018 with Cisco, Aon, and Allianz to enhance and work in conjunction with their networking, ransomware, and security capabilities.
The companies aim to offer a “cyber risk management solution for businesses,” taking key pieces from each of the partners (cyber insurance from Allianz, resilience evaluation from Aon, ransomware defense from Cisco) and integrating them with Apple products on iOS devices.
Since Apple doesn’t have the enterprise market share of Microsoft, this is a unique security feature it can add in the hope of competing on a corporate level.
On the consumer side, Apple recently embedded anti-tracking features called Intelligent Tracking Prevention (ITP2) in Safari, a move many saw as a rebuke of Facebook’s extensive tracking methods.
ITP2 has already made it more difficult for marketers to track metrics and conversion rates for users who are exposed to ads while on Safari — both on desktop and mobile devices.
Apple’s different approach to security when compared to its competitors stands out in the patents it develops as well, filing for patents that add additional layers of protection from potential advertising tracking.
A recent patent for “repackaging media content data with anonymous identifiers” describes a way to let users access multimedia content, videos for example, on their devices without their personal information or identities being exposed to third parties. This will be increasingly important as the company moves further into services, especially entertainment.
As data security becomes more important to end users, big tech will seek to continue to find ways to protect data while still offering the tools and services used by billions of people around the globe.
Facebook, Amazon, Microsoft, Google, and Apple are all working on ways to enhance cybersecurity practices across their systems. From renewed privacy policies to security-focused patents to leveraging the help of startups, each is expanding its focus on data protection to encourage user trust.
Moving forward, we can expect that cybersecurity practices will play a vital role in how consumers and enterprises decide to share their data — and FAMGA will benefit from continuing to make this a major priority.