Is it really a “data breach”?

There’s been some confusion in the wake of the initial reporting, which was very clear in calling what happened a data breach. Data was lost, that’s for sure, but a breach usually suggests that some sort of wall or protection has been undone, and that isn’t what happened – in fact, the whole system worked exactly as it should, just as it does without much controversy every day.

This is what Facebook has argued, in disputing The Guardian’s initial headline. Using the word breach might suggest to users that the site’s security systems have been broken into – which would be very damaging for the company itself, and worrying for users. That hasn’t happened.

Facebook put out a statement specifically addressing this claim.

"The claim that this is a data breach is completely false," it said. "Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked."

But the end result is arguably the same as a real breach. People lost control of important data about themselves and they didn’t know anything about it.

It's still important to recognise, though, that nothing was actually breached – Facebook's failing wasn't in its security protocols or the way it protects data. The question is about who it lets use its site to harvest data, and how they're allowed to do so.