Showing posts with label data retention. Show all posts

Thursday, 7 June 2018

Only 39 days to go until concerned Australian citizens can opt out of the Turnbull Government's collection of personal health information for its national database


Apparently this email is currently being sent out to registered Australian citizens.

Australian Digital Health Agency, email, 5 June 2018:

Hello,

You are receiving this email because you registered your email address at myhealthrecord.gov.au to find out more information about how to opt-out of the My Health Record system.

If you do not want a My Health Record, you must register your choice between 16 July and 15 October 2018 during the opt-out period. It is not possible to opt-out of having a record before the opt-out period starts.

The opt-out period will not apply to individuals who have previously chosen to have a My Health Record, or were included in the Nepean Blue Mountains or North Queensland opt-out trials in 2016. Individuals who have an existing My Health Record can cancel their record at any time. Instructions on cancelling a record can be found on the My Health Record website.

Once the opt-out period starts you will receive another email letting you know that the opt-out period has started and what to do if you still want to opt-out.

A My Health Record is a secure online summary of an individual’s key health information. 1 in 5 Australians already have one. It’s an individual’s choice who sees their My Health Record, what’s in it and who it is shared with. My Health Record has safeguards in place to protect an individual’s information including encryption, firewalls and secure login.

For further information about the My Health Record, please visit the My Health Record website.

Thank you,

The My Health Record System Operator
www.digitalhealth.gov.au

[my yellow highlighting]

Wednesday, 16 May 2018

An insider has finally admitted what any digital native would be well aware of - your personal health information entered into a national database will be no safer than having it up on Facebook


Remembering that a federal government national screening program, working with a private entity, has already accessed personal information from Medicare without consent of registered individuals and entered these persons into a research program - again without consent - and these individuals apparently could not easily opt out of being listed as a research subject but were often only verbally offered the option of declining to take part in testing, which presumably meant that health data from other sources was still capable of being collected about them by the program. One has to wonder what the Turnbull Government and medical establishment actually consider patient rights to be in practice when it comes to "My Health Record".

Healthcare IT News, 4 May 2018:

Weeks before the anticipated announcement of the My Health Record opt out period, an insider’s leak has claimed the Australian Digital Health Agency has decided associated risks for consumers “will not be explicitly discussed on the website”.

As the ADHA heads towards the imminent announcement of the three-month window in which Australians will be able to opt out of My Health Record before being signed up to the online health information repository, the agency was caught by surprise today when details emerged in a blog post by GP and member of the steering group for the national expansion of MHR, Dr Edwin Kruys.

Kruys wrote that MHR offers “clear benefits” to healthcare through providing clinicians with greater access to discharge summaries, pathology and diagnostic reports, prescription records and more, but said “every digital solution has its pros and cons” and behind-the-scenes risk mitigation has been one of the priorities of the ADHA. However, he claimed Australians may not be made aware of the risks involved in allowing their private medical information to be shared via the Federal Government’s system.

“It has been decided that the risks associated with the MyHR will not be explicitly discussed on the website,” Kruys wrote.

“This obviously includes the risk of cyber attacks and public confidence in the security of the data.”

The most contentious contribution in the post related to the secondary use of Australians’ health information, the framework of which has yet to be announced by Health Minister Greg Hunt.

Contacted by HITNA, the agency moved swiftly to have Kruys delete the paragraph relating to secondary use.

In the comment that has since been removed, Kruys wrote, “Many consumers and clinicians regard secondary use of the MyHR data as a risk. The MyHR will contain a ‘toggle’, giving consumers the option to switch secondary use of their own data on or off.”

Under the My Health Records Act 2012, health information in MHR may be collected, used and disclosed “for any purpose” with the consent of the healthcare recipient. One of the functions of the system operator is “to prepare and provide de-identified data for research and public health purposes”. 

Before these provisions of the act will be implemented, a framework for secondary use of MHR systems data must be established. 

HealthConsult was engaged to assist the Federal Government in developing a draft framework and implementation plan for the process and within its public consultation process in 2017 received supportive submissions from the Australasian College of Health Informatics, the Australian Bureau of Statistics and numerous research institutes, universities, and clinicians’ groups.

Computerworld, 14 May 2018:

Use of both de-identified data and, in some circumstances, identifiable data will be permitted under a new government framework for so-called “secondary use” of data derived from the national eHealth record system. Linking data from the My Health Record system to other datasets is also allowed under some circumstances.

The Department of Health last year commissioned the development of the framework for using My Health Record data for purposes other than its primary purpose of providing healthcare to an individual.

Secondary use can include research, policy analysis and work on improving health services.

Under the new framework, individuals who don’t want their data used for secondary purposes will be required to opt-out. The opt-out process is separate from the procedure necessary for individuals who don’t want an eHealth record automatically created for them (the government last year decided to shift to an opt-out approach for My Health Record)……

Access to the data will be overseen by an MHR Secondary Use of Data Governance Board, which will approve applications to access the system.

Any Australian-based entity with the exception of insurance agencies will be permitted to apply for access to the MHR data. Overseas-based applicants “must be working in collaboration with an Australian applicant” for a project and will not have direct access to MHR data.

The data drawn from the records may not leave Australia, but under the framework there is scope for data analyses and reports produced using the data to be shared internationally……

The Department of Health came under fire in 2016 after it released for download supposedly anonymised health data. Melbourne University researchers were able to successfully re-identify a range of data.

Last month the Office of the Australian Information Commissioner revealed that health service providers accounted for almost a quarter of the breaches reported in the first six weeks of operation of the Notifiable Data Breach (NDB) scheme.


Australians who don't want a personal electronic health record will have from July 16 to October 15 to opt-out of the national scheme the federal government announced on Monday.

Every Australian will have a My Health Record unless they choose to opt-out during the three-month period, according to the Australian Digital Health Agency.

The announcement follows the release of the government’s secondary use of data rules earlier this month that inflamed concerns of patient privacy and data use.


Under the framework, medical information would be made available to third parties from 2020 - including some identifying data for public health and research purposes - unless individuals opted out.

In other news....... 


A cyber attack on Family Planning NSW's website has exposed the personal information of up to 8000 clients, including women who have booked appointments or sought advice about abortion, contraception and other services.

Clients received an email from FPNSW on Monday alerting them that their website had been hacked on Anzac Day.

The compromised data contained information from roughly 8000 clients who had contacted FPNSW via its website in the past 2½ years to make appointments or give feedback.

It included the personal details clients entered via an online form, including names, contact details, dates of birth and the reason for their enquiries….

The website was secured by 10am on April 26, 2018 and all web database information has been secure since that time.

SBS News, 14 May 2018:

Clients were told Family Planning NSW was one of several agencies targeted by cybercriminals who requested a bitcoin ransom on April 25…..
The not-for-profit has five clinics in NSW, with more than 28,000 people visiting every year.

The most recent Digital Rights Watch State of Digital Rights (May 2018) report can be found here.

The report’s 8 recommendations include:

Repeal of the mandatory metadata retention scheme

Introduction of a Commonwealth statutory civil cause of action for serious invasions of privacy

A complete cessation of commercial espionage conducted by the Australian Signals Directorate

Changes to copyright laws so they are flexible, transparent and provide due process to users

Support for nation states to uphold the United Nations Convention on the Rights of the Child in the digital age

Expand the definition of sensitive information under the Privacy Act to specifically include behavioural biometrics

Increase measures to educate private businesses and other entities of their responsibilities under the Privacy Act regarding behavioural biometrics, and the right to pseudonymity

Introduce a compulsory register of entities that collect static and behavioural biometric data, to provide the public with information about the entities that are collecting biometric data and for what purpose

The loopholes opened with the 2011 reform of the FOI laws should be closed by returning ASD, ASIO, ASIS and other intelligence agencies to the ambit of the FOI Act, with the interpretation of national security as a ground for refusal of FOI requests being reviewed and narrowed

Telecommunications providers and internet platforms must develop processes to increase transparency in content moderation and make known what content was removed or triggered an account suspension.

Friday, 11 May 2018

File this under "Yet Another National Database" cross referenced with "What Could Possibly Go Wrong?"




A massive breach of Commonwealth Bank data exposed last week has raised security fears around a new national database of Australian bank customers, as Labor pushes for a delay to part of the scheme's scheduled introduction in less than two months.
The database - set to go live on July 1 - will include the details of every person who has taken out a loan or a credit card, along with their repayment history.

The Mandatory Comprehensive Credit Reporting scheme was a recommendation of the 2014 financial system inquiry and is designed to give lenders access to a deeper, richer set of data to ensure loans are only being approved for people who can afford to repay them.

The new requirements will first apply to the Commonwealth Bank, ANZ Bank, Westpac and National Australia Bank, given they account for up to 80 per cent of lending to households.

But the collection of sensitive data by private companies has raised concerns in the wake of several high-profile data breaches, including the disappearance of 20 million customer records from the Commonwealth Bank.

The Financial Rights Legal Centre and the Consumer Action Law Centre claim the financial details of millions of Australians will be vulnerable under the new scheme - which includes positive and negative credit histories.

Financial Rights Legal Centre policy officer Julia Davis said the development "was a major intrusion into our financial privacy".

"I don’t think Australians realise this is about to happen," she said.

The legislation states all credit reporting bodies must store the information on a cloud service that has been assessed by the Australian Signals Directorate. It also contains a provision allowing banks to stop supplying customer data to credit providers should there be a major security breach.

Ms Davis said the oversight was welcome but the internal systems of credit reporting bodies remained "completely opaque."

"Once that data goes live in the one place you can't put the toothpaste back in the tube," she said.

Equifax, one of the companies which will have access to the data, had its systems in the US hacked last year, exposing the personal information of 143 million Americans and triggering the resignation of its chief executive.

It is also being sued by consumer watchdog the Australian Competition and Consumer Commission over allegations it misrepresented its product to consumers by asking them to pay for their own credit histories which are usually available online for free.

The company's general manager of external relations, Matthew Strassberg, said Equifax had "only been a marquee above the door for six months," after the US giant took over the Australian operation formerly known as Veda.

He said the credit reporting business would provide "a 360 degree picture."
"A bank will have a very deep insight into what they know of you," he told Fairfax Media.

Mr Strassberg said he recognised that Australians were concerned about data security…..

Monday, 23 April 2018

Away from the spotlight of congressional hearings Zuckerberg and Facebook Inc. show their true colours – implementing weaker privacy protection for 1.5 billion users


The Guardian, 19 April 2018:

Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally.

In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law.

The move is due to come into effect shortly before General Data Protection Regulation (GDPR) comes into force in Europe on 25 May. Facebook is liable under GDPR for fines of up to 4% of its global turnover – around $1.6bn – if it breaks the new data protection rules.

The shift highlights the cautious phrasing Facebook has applied to its promises around GDPR. Earlier this month, when asked whether his company would promise GDPR protections to its users worldwide, Zuckerberg demurred. “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he said.
A week later, during his hearings in front of the US Congress, Zuckerberg was again asked if he would promise that GDPR’s protections would apply to all Facebook users. His answer was affirmative – but only referred to GDPR “controls”, rather than “protections”. Worldwide, Facebook has rolled out a suite of tools to let users exercise their rights under GDPR, such as downloading and deleting data, and the company’s new consent-gathering controls are similarly universal.

Facebook told Reuters “we apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland”. It said the change was only carried out “because EU law requires specific language” in mandated privacy notices, which US law does not.

In a statement to the Guardian, it added: “We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.”

Privacy researcher Lukasz Olejnik disagreed, noting that the change carried large ramifications for the affected users. “Moving around one and a half billion users into other jurisdictions is not a simple copy-and-paste exercise,” he said.

“This is a major and unprecedented change in the data privacy landscape. The change will amount to the reduction of privacy guarantees and the rights of users, with a number of ramifications, notably for consent requirements. Users will clearly lose some existing rights, as US standards are lower than those in Europe.

“Data protection authorities from the countries of the affected users, such as New Zealand and Australia, may want to reassess this situation and analyse the situation. 

Even if their data privacy regulators are less rapid than those in Europe, this event is giving them a chance to act. Although it is unclear how active they will choose to be, the global privacy regulation landscape is changing, with countries in the world refining their approach. Europe is clearly on the forefront of this competition, but we should expect other countries to eventually catch up.” [my yellow highlighting]

NOTE:

The Australian Dept. of Human Services still continues to invite those who use its welfare services to visit its five Facebook pages on which it will:


* post about payments and services
* answer questions
* give useful tips
* share news, and
* give updates on relevant issues

All associated data (including questions and answers) will of course be captured by Facebook, then collated, transferred, stored overseas, monetised and possibly 'weaponised' during the next election campaign cycle which occurs in the area where visitors to these pages live.


Monday, 16 April 2018

In February-March 2018 there were 63 Notifiable Data Breaches in Australia involving the personal information of up to 341,849 individuals


In the 2016–17 financial year, the Office of the Australian Information Commissioner (OAIC) reported that it received 114 data breach notifications on a voluntary basis.

On 22 February the Notifiable Data Breaches (NDB) scheme came into force.

Between 22 February and 31 March 2018 there were 63 mandatory notifiable data breaches reported involving the personal information of up to est. 341,849 individuals, with 55 of these breaches reported in March alone.

Of these breaches:
24 were the result of criminal or malicious attack;
32 were the result of human error;
2 were system fault; and
1 was classified as “Other”.

The type of personal information involved in the data breaches:
Three of these data breaches involved the personal information of between 10,000 and 999,999 people in each instance.

At least 15 of the 63 data breaches involved personal information held by “health service providers”. Health service providers are considered to be any organisation that provides a health service and holds health information.

Every individual whose personal information was breached was supposed to be notified by the entity holding their information, however the OAIC Quarterly Statistics Report: January 2018 - March 2018 did not specifically state that this had occurred. 

Saturday, 14 April 2018

Quotes of the Week



“We have the right to store a copy of your  [personal e-health] record and we are the only ones in the market to have this level 4 certification.”  [Romain Bonjean, co-founder Tyde, app developer registered portal operator with Australian Government Digital Health Agency & My Health Record, quoted in the Australian Financial Review on 6 April 2018]

“Life is short and shorter for smokers. Just legalise vaping.”  [Andrew Laming MP, Dissenting Report, submitted to Australian HoR Standing Committee on Health, Aged Care and Sport, March 2018]

“When we kick their ass they all like to claim we’re drunk. I’ve been hanging out getting ready to ram a hot poker up David Hogg’s ass. Busy working; preparing.”  [St. Louis radio host Jamie Allman threatening anti-gun activist & highschool student David Hogg, as reported by Snopes, 9 April 2018]


“They promised us a grilling. We got PR.”  [UK journalist Carole Cadwalladr tweeting about US Senate hearing at which Facebook founder & CEO Mark Zuckerberg appeared on 10 March 2018]

“I start to wonder if, in fact, how the developers mine money for Facebook has become a bit of a mystery to Zuck.”  [IT journalist Richard Chirgwin opining on Facebook founder & CEO Mark Zuckerberg, Twitter, 12 April 2018]

Wednesday, 11 April 2018

Almost right from its very beginning Facebook Inc was not the benign Internet presence it pretended to be


Facebook Inc. - incorporated in July 2004 and headquartered at 1 Hacker Way (so named by Facebook management), Menlo Park, California 94025 - has at least twelve data centres around the world which collect, transmit, collate, store and monetise data drawn from an est. 2 billion active Facebook accounts. 

In May 2017 this social media company was worth est. US$407.3 billion according to Forbes.com.

Now that the social media giant finds itself being officially investigated to varying degrees by the United Kingdom, Australia and the United States on matters of user data collection, data retention, privacy and safety - as well as being the object of a number of lawsuits - here is a timeline indicating how Mark Zuckerberg brought Facebook to this low point......


FACEBOOK INC
2005

Facebook Privacy Policy states that Thefacebook takes appropriate precautions to protect our users' information. Your account information is located on a secured server behind a firewall. However it also states When you visit the Web Site you may provide us with two types of information: personal information you knowingly choose to disclose that is collected by us and Web Site use information collected by us on an aggregate basis as you and others browse our Web Site.
When you register on the Web Site, you provide us with certain personal information, such as your name, your email address, your telephone number, your address, your gender, schools attended and any other personal or preference information that you provide to us.
When you enter our Web Site, we collect the user's browser type and IP address. This information is gathered for all users to the Web Site. In addition, we store certain information from your browser using "cookies." A cookie is a piece of data stored on the user's computer tied to information about the user. We use session ID cookies to confirm that users are logged in. These cookies terminate once the users close the browser. We do not use cookies to collect private information from any user.
Thefacebook also collects information about you from other sources, such as newspapers and instant messaging services. This information is gathered regardless of your use of the Web Site. 

2006

Facebook’s privacy policy is now expressing this sentiment; We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information. Our default privacy settings limit the information displayed in your profile to your school, your specified local area, and other reasonable community limitations that we tell you about….

However the company is still collecting as much information about Facebook users as it can, as well as informing account holders that; Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (e.g., photo tags) in order to provide you with more useful information and a more personalized experience. By using Facebook, you are consenting to have your personal data transferred to and processed in the United States.

2007

Facebook Platform - app developers can now access the ‘social graph’, i.e., tracked connections between users and their friends.

Beacon - shares what users are doing on other websites with their Facebook friends without specific consent.

2008

Facebook Connect - corrects Beacon’s mistakes by requiring users to take deliberate action before they share activity from other websites when logged in using Facebook.

2009


Beacon officially shut down after at least one lawsuit commenced over privacy issues.

Facebook hosts the Farmville game which was later revealed as a data miner.

2010

Facebook’s privacy policy states; When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. ... The default privacy setting for certain types of information you post on Facebook is set to “everyone.” ... Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

On 28 April 2010 Electronic Frontier Foundation reported that: Facebook announced a plan to transform most of the bits in your profile (including your hometown, education, work, activities, interests, and more) into connections, which are public information. If you refuse to make these items into a Connection, Facebook will remove all unlinked information.

2011

Social reporting tool – allows Facebook users to directly contact other users to request a post or image takedown if either relates directly to them. Any takedown is voluntary if content doesn't breach Facebook rules.

Facebook Inc initially refuses to take down a defamatory site invading the privacy of Clarence Valley highschool students. It only does so after direct pressure is applied by a community member.

2012

In February the Parliament of Australia invites the Australian public to connect with it via Facebook.

Facebook begins to roll out Facebook Camera for iOS to English-speaking countries - a standalone photos app where users can shoot, filter, and share single or sets of photos and scroll through a feed of photos uploaded to Facebook by friends.


2013

Facebook begins collaboration with Dr. Aleksandr Kogan eventually supplying him with data on 57 million Facebook friendships by 2015. User data supplied to Kogan for his research was later sent to Cambridge Analytica without Facebook users' knowledge or consent.

Facebook hosts Hangouts - live video.

2014

Facebook Groups - app for iOS and Android introduced and then deleted some months later.

Facebook buys WhatsApp Messaging.

Facebook conducts a number of psychological experiments on users without their knowledge or consent. It is reported that 689,000 users had their home pages manipulated.


2015

Security Checkup - new tool to simplify privacy controls.

Head of Research at Facebook Inc, Peter Fleming, and one of the company’s contract researchers are listed as co-authors of Aleksandr Kogan’s published research on the relationship of social class and international friendships.


2016


2017

Privacy Basics - new tool to simplify privacy controls.

Becomes public knowledge that Facebook revealed to one Australian advertiser that it had a database of young users – 1.9 million high schoolers, 1.5 million tertiary students and 3 million young workers – and that it could tell advertisers when young workers were particularly vulnerable.

Facebook reported to be planning $750 million data center in New Albany, Ohio employing only 50 permanent staff.

Facebook admits to US Securities and Exchange Commission that 1.5% of its 2.01 billion accounts worldwide are “undesirable” - that is likely to be fake accounts. Yahoo Finance calculates that to be upwards of 30 million accounts.

In December Germany’s Federal Cartel Office released preliminary investigation findings and stated: The Bundeskartellamt has informed the company Facebook in writing of its preliminary legal assessment in the abuse of dominance proceeding which the authority is conducting against Facebook. Based on the current stage of the proceedings, the authority assumes that Facebook is dominant on the German market for social networks. The authority holds the view that Facebook is abusing this dominant position by making the use of its social network conditional on its being allowed to limitlessly amass every kind of data generated by using third-party websites and merge it with the user's Facebook account. These third-party sites include firstly services owned by Facebook such as WhatsApp or Instagram, and secondly websites and apps of other operators with embedded Facebook APIs.

Google search engines now host multiple Facebook apps.

By 2017 numerous government departments and agencies in Australia have Facebook accounts, from which the company can harvest visitor data whether or not the visitor has a Facebook account.

Included on the long list of government departments/agencies is the federal Dept. of Human Services (DHS). DHS states that it posts on its Facebook page about payments and services, answers questions, gives useful tips, shares news, and gives updates on relevant issues. This means that anyone who visits or interacts with the five DHS Facebook pages will have their Internet usage data scraped, information contained in any questions asked retained and collated with any other information Facebook holds on that visitor. DHS appears to be aware of privacy vulnerabilities in its use of Facebook as it is at pains to point out that The department is not responsible for the privacy practices or content of Facebook.......

Australian federal and state electoral commissions also have active Facebook pages.

In December 2017 Facebook rolled out Messenger Kids app which is installed via an adult's Facebook account. This app offers video and text chats for children using their own digital devices. Although Messenger Kids displays no ads it does not appear to be exempt from Facebook's user data collection.

Facebook Inc initially refuses to remove a scam account attempting to raise money and only does so after media pressure.

2018

On 16 March Facebook Inc. announces it has suspended the accounts of Aleksandr Kogan, Cambridge Analytica and Strategic Communication Laboratories Group on the basis they had misused Facebook user data.

In late March it was revealed that Facebook's Android app is capable of hoovering up extensive call data without users' knowledge or consent.

Facebook-created VR apps like Spaces obtain information about what users are doing there, much in the same way that any third-party app developer would. Facebook also records a “heatmap” of viewer data for 360-degree videos, for instance, flagging which parts of a video people find most interesting.

Facebook admits that it archived unpublished and deleted user videos created using a now redundant video streaming function. 

Facebook Inc. admits that up to 87 million account holders may have had their personal information accessed by the Trump presidential campaign-linked data miner Cambridge Analytica, either because Facebook users accessed the thisisyourdigitallife app or because they had friended a person who had done so.

Only 53 Australian Facebook users took the thisisyourdigitallife personality quiz but the app hoovered up the data on est. 311,127 other users included in friendship lists once it accessed those 53 accounts. Just 10 New Zealanders used the app but data from another est. 67,000 users was collected via their friendship groups.

Facebook also admits that its software allowed reverse searching of its user pages employing only phone numbers and email addresses and that “malicious actors” may have used this feature to scrape public profile data from most of its 2 billion users.

The company admits that its account recovery process can also allow these malicious actors to access user data.


In April Facebook announces a tightening of its privacy controls and states it intends to police all third party requests for access to user data. Given the company stated it had in total 215,000 staff worldwide as of December 2017, and that not all those staff would be available to personally monitor third party requests relating to Facebook’s est. 2 billion active monthly users, one wonders just how reliable this latest ‘promise’ from Facebook Inc. will be.

On 4 April 2018 USA Today reported that: Members of the House and Senate committees that will question Facebook CEO Mark Zuckerberg about user privacy protection next week are also some of the biggest recipients of campaign contributions from company employees and the Facebook Inc. PAC.
The committee that got the most Facebook contributions is the House Energy and Commerce Committee, which announced Wednesday morning it would question Zuckerberg on April 11.

Open Secrets lists Facebook Inc PAC contributions to 2016 U.S. federal election campaigns:
Contributions from this PAC to federal candidates (44% to Democrats, 55% to Republicans): $519,500
Contributions to this PAC from individual donors of $200 or more: $619,240

In April Facebook admits that it has entered an unspecified number of the 1.3 billion Messenger accounts and, without users' knowledge or consent, selectively removed messages sent to those users by Mark Zuckerberg and other unnamed Facebook Inc executives/employees.

Australian Privacy Commissioner launches investigation into Facebook Inc.

Five U.S. state attorneys-general reported to have begun investigations into how Facebook Inc. collects, shares and does or doesn't protect user information.

According to the Insurance Journal on 5 April 2018: Users and investors have filed at least 18 lawsuits since last month’s revelations about Cambridge Analytica. Beyond privacy violations, they are accusing Facebook of user agreement breaches, negligence, consumer fraud, unfair competition, securities fraud and racketeering.

On 6 April Facebook Inc announces that it has suspended the account of Canadian tech company AggregateIQ because of its involvement in the Cambridge Analytica scandal and three days later suspends CubeYou on similar grounds while it investigates.

On 9 April TNW reports that Facebook's cryptocurrency ad filter failed.

The Washington Post reported on 9 April:
As for Facebook itself, former FBI special agent Clinton Watts told me that, in one sense, the numbers should not be surprising since “everyone has a message to get out, and Facebook is the best place to do it. Russia, Cambridge Analytica or any campaign for that matter has to go to social media to be effective.” The problem arose in Facebook’s mode of operating. “Their motto was move fast and break things, and they did, they moved fast and in the end broke the trust of their users with the platform,” Watts said. “They didn’t do solid assessments of who was accessing data on their platforms, and they didn’t effectively scrutinize advertisements and accounts surfacing on their platforms.”

By 10 April it was being reported that a number of Facebook IT engineers were quitting or asking to change departments over ethical concerns.

On 11 April 2018 Facebook Inc. founder, CEO and controlling shareholder, 33-year-old Mark Elliot Zuckerberg, appears before the US House of Representatives House Energy and Commerce Committee's Facebook: Transparency and Use of Consumer Data hearing.

The day before, Zuckerberg fronted the Senate Committee on the Judiciary and Senate Committee on Commerce, Science, and Transportation’s Facebook, Social Media Privacy, and the Use and Abuse of Data hearing.

Despite all of the above, as of 11 April 2018 the Australian Government Dept of Human Services retains its "Human Services", "Student Update", "Families Update" and "Seniors Update" Facebook pages, and the departmental website still links to "How to 'Like' " instructions and shows visitors how to set up their own Facebook account with a link to its very own 'how to' YouTube video. Centrelink's General Manager also still has an official Facebook account.

Note:
Given the federal Department of Human Services admitted that it had employed third parties to monitor social media including Facebook for information about welfare recipients that it could match with internal departmental data, one has to wonder what range of methods were used to undertake this surveillance and exactly who the contractors were.