Facebook is in the spotlight again, not for a data breach, putting their employees' lives at risk, or treating us all like lab rats, but this time for allowing an individual developer to access data on millions of accounts, which can easily be shared with others (and was).
Update: I wrote a followup on why I actually dumped Facebook, including a list that I'm keeping up to date of every time they end up in the news. I've been updating it frequently. :p
Facebook gave app developers nearly unfettered access to all kinds of their users' data, and their users' friends' data. Someone took advantage of that fact, developing an app that 250,000 people used to inadvertently share upwards of 50 million users' data. Then the developer gave and/or sold the data to a company that used it to power some psychological/analytical software, the purpose of which was to persuade registered voters one way or another.
Just all kinds of creepy.
Have you ever signed up for a new online service, and been given the option to either create new credentials (ugh, another password??) or just log in with your existing (Google, Twitter, Facebook, etc.) account? Most of us choose the easy option, and Facebook assists its app developers by providing a service called Facebook Login.
But when you use Facebook Login to log in to that app, it shares some of your data with the developer... furthermore, it also shares data about your friends, something that might be fixed now, but certainly wasn't when all this damage was done. Believe it or not, this is all fine and allowed by default. In fact, nothing in this incident constitutes a breach or hack (despite some sources calling it that), but it definitely raises serious ethical questions about access to our data, and how easily it can be gathered, shared, and abused.
Here, here, look. This is the approvals on one of my apps. Friends list. APPROVED BY DEFAULT. The Friends of Friends requires an OAUTH permission to be set, but you know how users click through things. pic.twitter.com/s0WRhPRQwc
— Bill Sempf (@sempf) March 19, 2018
Collecting all that data is fine (according to Facebook, not you or me), right up until the developer decides to sell or otherwise share that data, which is exactly what one developer - Aleksandr Kogan - did when he passed along the data of millions of users to Cambridge Analytica. But the ethical problems start way before that. After all, if Cambridge Analytica had designed the app and collected the data themselves, I'm not sure there would've been a legal issue at all... but there'd sure as heck still be an ethical one.
But.. they didn't collect the data themselves, there is a ToS violation and legal issue, and now everyone's pointing the finger at someone else.
Kogan claims innocence, admitting he knew he was collecting massive amounts of data, but that Cambridge Analytica assured him it was all legal, and Facebook is using him as a scapegoat.
Cambridge Analytica claims innocence, admitting they acquired the data from Kogan, but that he lied about getting consent from all users, and hey they didn't even really use the data anyway.
Facebook claims innocence, admitting they knew it was possible to collect the data, but that Kogan and Cambridge Analytica ultimately abused the data and broke the ToS. But they also threatened lawsuits to block the press, so maybe they didn't think they were so innocent?
We all claim innocence, appalled the data could include locations, interests, photos, status updates, check-ins, and more. Disturbing for sure, and we have a right to be upset, but we gave up this information freely and of our own volition - and if our profiles are public, it's all available anyway.
Christopher Wylie brought it all to light, but is hardly a hero since he was apparently involved in getting the data, and/or starting the company that abused it.
The political left will no doubt blame the right, since Cambridge Analytica had large Republican donors, but Obama abused Facebook to persuade voters too, scooping up "friend" data without getting consent from all those friends. This is an ethical issue that crosses all boundaries; whether all this data is seen as shocking and unacceptable, or as an opportunity ripe for picking.
What did this teach us?
Facebook doesn't give a crap about us
It's repeatedly proven to be reckless and incompetent (see the articles I linked to way at the top), and they seem more focused on placing blame than fixing the gaping hole through which anyone can cart off obscene amounts of user data.
Rest assured, we're not the consumers here. We're the product enjoying a few fringe benefits, and the consumers are anyone who stands to benefit from our data, like advertisers.
Assume your actions on Facebook are publicly accessible
I haven't read anything specific about "private" accounts, but I'd assume that data was scooped up too. Your data being publicly visible on the front end, and your data being accessible on the back end, are two different things. If a friend used the app, then your data was probably scooped up too.
And if one developer and one company got caught this one time, rest assured it's occurred many times. Our Facebook data is most likely all over. In fact, according to an article by James Allworth:
To give a sense of how many apps were out there [collecting data]: here's an AdWeek article back in 2012, quoting Facebook as saying there were 9 million apps and websites integrated with Facebook. And 2012 was three years before Facebook cut off API access to pulling this kind of data.
DO NOT INSTALL the Facebook or Messenger apps on your phone
I just saw a tweet where someone discovered his Facebook data download (you can request one too) included tons of phone call records.
Downloaded my facebook data as a ZIP file
Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD
— Dylan McKay (@dylanmckaynz) March 21, 2018
The only way I can fathom this is that he installed the app and approved its request for every single thing on his phone. You can check out the Facebook and Messenger apps in the Play store - here's a small portion of what they request:
- retrieve running apps
- read calendar events plus confidential information
- add or modify calendar events and send email to guests without owners' knowledge
- read your contacts
- modify your contacts
- precise location (GPS and network-based)
- read your text messages (SMS or MMS)
- send SMS messages
- take pictures and videos
- record audio
- directly call phone numbers
- reroute outgoing calls
- read call log
- adjust your wallpaper size
- pair with Bluetooth devices
- read Google service configuration
And I'm sure that Facebook can point to specific features that require most of this stuff. But if their One Awesome Feature "needs" to read your contacts, then Facebook has ongoing access to your contacts. And if That Other Awesome Feature "requires" your call log, then Facebook has ongoing access to your call log. And if you had any doubt before, have none now - Facebook wants access to it all.
Keep calm, this too shall pass.. but hopefully not for Facebook
It's not like this is the Equifax breach from a couple years ago - your financial data wasn't leaked to the world - but it's still possible you're giving away more than you think. If you like and share certain posts, install certain apps, post certain content, it could say more about you than you realize - especially when a computer is crunching the data and comparing it to everyone else.
As Aja Romano of Vox put it, this is "a failure to anticipate how technology meant to work on an individual level might be repurposed or exploited when scaled up to apply to millions."
What can you do?
So, if you do decide to make some changes, here are some suggestions, in order of least destructive to total annihilation of your account.
Review what you're sharing
Review what you're sharing, including photos you've uploaded, photos you're tagged in, and other activity (such as posts, likes, shares, etc). If there's anything you'd rather the world didn't see or know, remove it. Better late than never.
Review your privacy settings
Enable alerts when others tag you. You can remove yourself from a photo when you're tagged. Tagging photos is just silly - we're teaching someone else's computer how to recognize our faces better.
Stop unwanted apps from accessing your data. Even if you haven't used an app in 5 years, it still has ongoing access to your data until you revoke it. The box looks like this:
Stop your friends from sharing your data with random apps. In the same area as above, there's an "Apps Others Use" box. This is all the stuff your friends could inadvertently share about you when they "share friend data" with an app. These apps freaking know when you're online, and you're not even aware your friends are using them or that they even exist!
Disable all apps for even better security. There's an "Apps, Websites and Plugins" box, where you can disable all apps. It revokes all existing apps and prevents any future ones. A little inconvenience for a lot more security.
Keep your account but delete the data
If you still like certain aspects of Facebook, like a particular app or messenger, you can delete all your data but leave the account open. There's a Chrome extension called Social Book Post Manager that slowly (due to Facebook limitations) traverses your timeline history, deleting everything you tell it to. I have no idea how well it works, but it looks highly rated.
Delete your account permanently
If you decide you've had enough and want to get rid of your account, the only obvious choice is to fake your own death. I kid you not - if you ask Facebook to delete your account, their response is "over your dead body".
But as it turns out, there's also a help page detailing how to delete your account even before you die (how nice of them). They don't make it easy to find, but once you do it's just a button click. It takes 90 days to fully delete (why??) but then it's gone... until 2020 when we find out Facebook doesn't actually delete your data and somehow all your medical records are out in the open. (Would anything shock us at this point?)
As for me, I think I'll delete all my photos and most of my other data. Maybe I'll give that Chrome extension a try. And I'll be deactivating my account for now. I like being able to see what my friends and family are up to, but Facebook is just too careless. If I don't miss it at all after a while, I'll delete it for good.
One final parting thought from John Biggs over at TechCrunch - something to gnaw on while we decide if this really is the final straw that convinces us to pull the Facebook plug. Maybe it's time anyway, to let old relationships live in the past and in our memories, and to be more diligent about maintaining new relationships outside of the web.
"Ultimately you've created the largest dossier on yourself and you've done it freely, even gleefully. This dossier reflects your likes, your dislikes, your feelings, and political leanings. It includes clear pictures of your face from all angles, images of your pets and family, and details your travels. You are giving the world unfettered access to your life."
"But we love our social media, don't we? The power it affords. The feeling of connection. In the absence of human interaction we cling to whatever dark simulacrum is available. In the absence of the Town Square we talk to ourselves. In the absence of love and understanding we join the slow riot of online indifference."