Was there really a breach of Facebook data, an abuse of Facebook data extracted according to policy, or something else? The truth is that Facebook was not breached, and that the general public grossly misunderstands what happened because of poor and inflammatory media coverage. In this article I will clear the air on what happened, provide illustrations for easy understanding, and go into who is really accountable.
How do third-party companies get Facebook user data?
Here is how it works... Any app, such as your everyday iPhone app, can access your Facebook data with your permission. Once permission is given, these apps can read and store this Facebook data in their own databases, potentially building mega databases of user data. Let's take a closer look.
One of several ways an app can accomplish this is by letting me, or any of its users, log in to the app using my Facebook username and password, aka credentials (1). An app needs to integrate its code with Facebook, which is a pretty basic thing for app developers. You have seen, and most likely used, many apps that use the Facebook username and password as the way you log in to the app. These apps can offer this authentication experience as the sole way to log in to the app or offer a combination of Facebook login and other login options. There is nothing wrong with any of this, and it actually makes your life and mine easier because we don't need to remember so many passwords or fill out so many different registration forms. Here is where things get interesting...
When I log in to an app using Facebook, I will typically be asked to allow the app to have access to some of my Facebook data (2). This request is explicitly presented when I log in, but what truly happens with my data after that can be sort of a leap of faith - I will get into this later. Basically, when I log in to an app using my Facebook login, I am giving the app access to my public profile. This shouldn't be such a big deal because this data is already public, and I can make this data private by adjusting my Facebook privacy settings at any time. The app may also ask for permission to access other data such as my email address, likes, or almost anything else about me that Facebook stores and which may not be public (public meaning information that one does not need to log in to Facebook to see). The key here, though, is that I am granting permission for the app to use my Facebook data outside of Facebook (3). The app can then store my Facebook data, which I granted it permission to receive, in its own database (4). However, there is a limit to how these apps can use my data, and that is detailed in Facebook's policies. Later in this article I provide excerpts from their policies on this topic. How these apps or companies use my data, not necessarily how they get my data, is part of the problem.
How do the companies get so much data though?
With the Cambridge Analytica scandal the media was throwing out numbers like 50 million users impacted. That is a lot of users to get data on. In other words, did they, or rather the Cambridge professor, get 50 million people to log in to his app with Facebook as described above? The answer is no, and that is a big part of what is so interesting here.
When Facebook login is used on an app, one of the data points that it can ask me permission for is my friends list. This is reasonable and can help an app offer richer social features. For example, if the app is a restaurant review app and I allow it to access my friends list, it will enable me (and the app) to see which friends are using the app and also data such as a "like" my friend gave to a restaurant. What better than a recommendation from a friend!? However, it would also allow the app to potentially see and collect more data from Facebook than just likes, such as data which could help determine political orientation. As you can see, this is an easy way for apps to collect some juicy data not just on you but on all of your friends. So one login could mean data points from 400 friends (5)! I know you are catching on and probably also starting to think of all the ways this can be abused... that was before April 2015.
Facebook has since removed this unfettered access. To be precise, it introduced a new way for apps to interact with Facebook in April 2014 and removed the old way in April 2015. When I log in to an app now using my Facebook credentials, the app can still ask for access to my friends. However, in order for the app to access a friend's data, that friend also needs to use the app and to have granted the app permission to access his friends list. So in brief, both friends need to use the app and both need to grant permission for the app to see their friends lists. If I have a friend who does not use the app, the app will not have access to his information. This severely limits an app's ability to amass large amounts of data today.
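To make the two access models concrete, here is an added toy simulation (my own illustration for this article, not Facebook code and not the real Graph API). It models the permission-scoped token a user grants at step (2), the app copying what it receives into its own database at step (4), and a switch between the pre-April-2015 friend model (one user's grant exposes all of that user's friends) and the mutual-consent model that replaced it (a friend is visible only if that friend also uses the app and granted the same permission). The social graph, profile fields and scope names are constructed and simplified for the example.

```python
"""Toy model of Facebook Login scopes and the 2014/2015 friend-data change.

Added illustration, not Facebook or Graph API code. The social graph,
profile fields and scope names below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample social graph (symmetric friendships).
FRIENDS: Dict[str, Set[str]] = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "carol"},
    "carol": {"alice", "bob"},
    "dave": {"alice"},
}

# Constructed profile data; "likes" stands in for the non-public fields
# that the article says could reveal political orientation.
PROFILE: Dict[str, Dict[str, object]] = {
    "alice": {"name": "Alice", "likes": ["hiking", "party_a"]},
    "bob": {"name": "Bob", "likes": ["chess", "party_b"]},
    "carol": {"name": "Carol", "likes": ["jazz"]},
    "dave": {"name": "Dave", "likes": ["party_a"]},
}


@dataclass
class Token:
    """Access token bound to one user and the scopes that user granted (step 2)."""
    user: str
    scopes: Set[str]


@dataclass
class Platform:
    """The Facebook side: issues scoped tokens and answers data requests (step 3)."""
    mutual_consent_required: bool  # False = pre-April-2015 model, True = its replacement
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def login(self, user: str, requested: Set[str]) -> Token:
        """The user sees the permission dialog and grants the requested scopes."""
        self.grants[user] = set(requested)
        return Token(user, set(requested))

    def get_profile(self, token: Token) -> Dict[str, object]:
        """Public profile is always readable; a non-public field needs its scope."""
        data: Dict[str, object] = {"name": PROFILE[token.user]["name"]}
        if "user_likes" in token.scopes:
            data["likes"] = PROFILE[token.user]["likes"]
        return data

    def get_friends(self, token: Token) -> List[str]:
        """Old model: every friend. New model: only friends who also use the app
        and granted the friends scope themselves (mutual consent)."""
        if "user_friends" not in token.scopes:
            raise PermissionError("user_friends scope not granted")
        friends = FRIENDS[token.user]
        if not self.mutual_consent_required:
            return sorted(friends)
        return sorted(f for f in friends if "user_friends" in self.grants.get(f, set()))

    def get_friend_likes(self, token: Token, friend: str) -> List[str]:
        """Old model only: a friend's likes through the token owner's grant, with
        no consent from the friend. The new model has no such scope at all."""
        if self.mutual_consent_required:
            raise PermissionError("friends_* scopes were removed in the new model")
        if "friends_likes" not in token.scopes or friend not in FRIENDS[token.user]:
            raise PermissionError("not permitted")
        return list(PROFILE[friend]["likes"])


@dataclass
class App:
    """The third-party app: copies whatever the platform returns into its own DB (step 4)."""
    platform: Platform
    database: Dict[str, Dict[str, object]] = field(default_factory=dict)

    def user_logs_in(self, user: str, requested: Set[str]) -> int:
        """Run one login; return how many people's records the database gained."""
        token = self.platform.login(user, requested)
        before = len(self.database)
        self.database[user] = self.platform.get_profile(token)
        try:
            friends = self.platform.get_friends(token)
        except PermissionError:
            friends = []
        for f in friends:
            record = self.database.setdefault(f, {"name": PROFILE[f]["name"]})
            try:
                record["likes"] = self.platform.get_friend_likes(token, f)
            except PermissionError:
                pass  # new model: only the consenting friend's name is available
        return len(self.database) - before


def records_after_one_login(mutual_consent_required: bool) -> Tuple[int, int]:
    """Alice alone logs in with every scope; return (records stored, records with likes)."""
    app = App(Platform(mutual_consent_required))
    app.user_logs_in("alice", {"user_likes", "user_friends", "friends_likes"})
    with_likes = sum(1 for r in app.database.values() if "likes" in r)
    return len(app.database), with_likes


def visible_friends_new_model(logins: List[Tuple[str, Set[str]]]) -> Dict[str, List[str]]:
    """Under mutual consent, which friends each consenting user's session can see."""
    platform = Platform(mutual_consent_required=True)
    tokens = {u: platform.login(u, s) for u, s in logins}
    return {u: platform.get_friends(t) for u, t in tokens.items() if "user_friends" in t.scopes}
```

With one login under the old model, `records_after_one_login(False)` returns `(4, 4)`: Alice's login put her three friends, likes included, into the app's database even though none of them ever saw a permission dialog. Under the new model the same call returns `(1, 1)`, and `visible_friends_new_model([("alice", {"user_friends"}), ("bob", {"user_friends"}), ("carol", set())])` shows Alice and Bob seeing only each other: Carol uses the app but did not grant the scope, and Dave does not use it at all. The point the simulation makes is that the platform can only gate what leaves it; whatever landed in `App.database` at step (4) is governed by policy, not by the token.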
The Cambridge professor's app was deployed in 2013 and leveraged the highly abusable version of the Facebook platform which was removed in 2015. Not only that, he supposedly sold the data, against Facebook policy, to Cambridge Analytica. To further complicate the matter, Cambridge Analytica supposedly didn't delete the data when they were supposed to. Zuck himself provides a good post about this too here.
The reality is that the core of the problem was solved years ago, but there are probably still companies out there that aggregated large masses of user data from Facebook pre-2015. Facebook is taking additional measures today, which you can read about in Zuck's above-mentioned post, to further mitigate end users' exposure to abuse. I don't put all the blame on Facebook by any means, and there certainly was no data breach. While Facebook was too lax in the past about access to user data, they did correct this years ago. Facebook could also have taken more aggressive measures sooner in terms of identifying abusers and holding them more accountable to the Facebook policies via audits, other forensics, and punitive action. I ultimately put more blame on those that actually abuse the system, such as the wealth of greedy and unethical companies out there who violate Facebook policy and user privacy. Did Cambridge Analytica not question where a professor got 200 million user records? Even if the professor collected the data in compliance with Facebook policy, he wasn't allowed to sell it, and Cambridge Analytica was complicit here.
You and I also have responsibility here. Now, more so than in the past, Facebook gives us the controls to determine which of our Facebook data these apps have access to. It is up to us, the end users, to play a role in ensuring that if we want to use this free platform (Facebook), we actively manage our data on it.
While the issue of companies easily aggregating large databases has been resolved, not all of the problems have disappeared. For example, a really popular app may have 50 million users and have collected its user data user by user. Nothing wrong with that. Or there may be an app with only 1,000 users that has collected a deep trove of valuable data on each user. In both these cases, these apps can still take my data and abuse it. In the illustration above, points 4 and 6 are still areas of exposure today for end users. As mentioned above, Facebook needs to be more aggressive in auditing how companies use the data they glean from it and in punishing violators. Companies that get access to Facebook data in this way need to be more responsible and ethical. Technology also needs to improve - data needs to be somehow permanently tagged, like a picture watermark, to show its source and owner.
Apps, websites and third-party integrations on or using our Services.
When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share. For example, when you play a game with your Facebook friends or use the Facebook Comment or Share button on a website, the game developer or website may get information about your activities in the game or receive a comment or link that you share from their website on Facebook. In addition, when you download or use such third-party services, they can access your Public Profile, which includes your username or user ID, your age range and country/language, your list of friends, as well as any information that you share with them. Information collected by these apps, websites or integrated services is subject to their own terms and policies.
Learn more about how you can control the information about you that you or others share with these apps and websites.
One thing I noticed above that is odd is that, according to the developer documentation, and as I've described above, a user's list of friends is not included as part of the public profile data that can be accessed by default. I am not sure why there is this discrepancy.
What does Facebook's Platform Policy say?
App owners, like the Cambridge professor, need to follow the Platform Policy. The "Platform" is the Facebook ecosystem and includes the Facebook developer tools, aka the kit that app owners use to implement the Facebook login method. Here is a section copied from the Platform Policy as of March 2018 which addresses user data. Points 9, 10, and 13 seem pretty clear and relevant here.
3. Protect data
1. Protect the information you receive from us against unauthorized access, use, or disclosure. For example, don't use data obtained from us to provide tools that are used for surveillance.
2. Only show data obtained from a user access token on the devices associated with that token.
3. Only use friend data (including friends list) in the person’s experience in your app.
4. If you cache data you receive from us, use it to improve your app’s user experience and keep it up to date.
5. Don’t proxy, request or collect Facebook usernames or passwords.
6. Keep private your secret key and access tokens. You can share them with an agent acting to operate your app if they sign a confidentiality agreement.
7. If you use any partner services, make them sign a contract to protect any information you obtained from us, limit their use of that information, and keep it confidential.
8. Keep Facebook user IDs within your control. Contract with any providers who help you build or run your app to ensure that they keep the user IDs secure and confidential and comply with our policies. If you need an anonymous unique identifier to share with third parties, use our mechanism.
9. Don't sell, license, or purchase any data obtained from us or our services.
10. Don't transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.
11. Don't put Facebook data in a search engine or directory, or include web search functionality on Facebook.
12. If you are acquired by or merge with a third party, you can continue to use our data only within your app.
13. If you use friend data from Facebook to establish social connections in your app, only do so if each person in that connection has granted you access to that information.
14. Don't use data obtained from Facebook to make decisions about eligibility, including whether to approve or reject an application or how much interest to charge on a loan.
And then there is the media...
The vulnerability of end users and our exposure to these potential abuses by companies is not really a secret. There are so many people in the tech industry globally, across companies, who understand how to extract Facebook data, who actually do extract Facebook data, and who are well aware of how it can be abused. This isn't even just a Facebook problem, as they aren't the only social network out there that developers can interface with and extract data from.
First, the media should be ashamed of itself for calling this a breach. Yes, it is a breach of trust, but not a data breach or a breach of Facebook's systems, which is how it has been positioned by the media. Using this term has caused great hysteria, especially in the stock market, which holds the money of hard-working people. Second, using this term is another attempt by many in the media to discredit the Trump election and smear his credibility by associating "data breach" with the Trump campaign in flashy sound bites. As this popular Facebook data harvesting practice has been in use for a long time now, it is most certain that many savvy campaigns and politicians have sourced data in the same manner. Last, this is really about protecting you and me, but it only became a story because there is a political spin on it... media expediency. This probably could have been a story years ago if the media had been hell-bent on bashing Obama, with the effect of providing protections for us, the end users, sooner. Too bad that the media, who use Facebook personally too, can't see this as a story about protecting the end user.
The positive from all this is that Facebook is taking further action to protect your data and mine, more awareness has been raised among end users, and I hope companies will feel more compelled to do the right thing with our data.
How you can manage permissions for your Facebook-connected apps
Since I am already on the topic, the following explains how to manage the data that is being provided to apps you use... or, for that matter, apps you may not know you are still connected to. You may be surprised at how many apps you are connected to that have your data.
- FOR iOS APP
  - Log in to your actual Facebook account
  - Tap on the menu icon (3 bars) on the bottom right
  - Tap on SETTINGS
  - Tap on ACCOUNT SETTINGS
  - Tap on APPS
  - Tap on LOGGED IN WITH FACEBOOK
  - A list of your apps will appear. Tap on an app to remove it completely or to grant/deny access to certain Facebook data points that the app can access.
- FOR BROWSER (at least my version of Facebook on my computer's browser)
  - Log in to your actual Facebook account
  - Click on the downward triangle on the top right
  - Click on APPS, which is located in the left side menu
  - Click on the edit icon of the app listed there to update permissions
One important caveat is that even if you remove the app itself, or remove the app's permission to access your Facebook data going forward, the app may still hold whatever Facebook-sourced data it currently has about you. Facebook states that we should contact the app owner to have our data removed. This again relates to all of the problems discussed above. For example, if the Facebook behemoth can't get Cambridge Analytica to delete data, how can I get an app owner to delete my data? Should I have to go to dozens or even hundreds of app owners requesting that each of them delete my data? How do I even verify that all of these app owners have actually deleted my data? There is no way to do this, and Facebook knows this. This is where Facebook needs to help protect us more, and it can do so through technology innovation.
*App screenshots in the illustrations are sourced from Facebook Developer documentation.