This is a fair thing to point out! I as a user feel I'm being much more respected when I'm allowed to use some independent client software of my choice, than being told that "for my own good" I must use the absolute abomination that is most of the software provided by Big Tech firms themselves. Like, thanks for your opinion, Google, but 90% of these "security audits" are about box checking and ass-covering. It's the technology equivalent of all of the silliest parts of the TSA process, meaning that it contributes nothing to security while employing a lot of people to do valueless work at the expense of those doing useful work.
Facebook provided a general API for apps, not some kind of data feed. The API required user consent from the app user, though almost certainly not informed consent.
The API also provided too much data, in particular on the user's social graph, which is why a single user giving uninformed consent would lead to data being extracted for multiple others. But even if the app had informed users about intending to steal the social graph, most users would still have consented. They would not have read the text, or not cared. Just click ok until the computer lets you do what you wanted.
So we really do know that the only way to safeguard the data is to design safe scoped APIs for the typical use cases, and keep dangerous unscoped APIs around only as an escape hatch with much stricter security and safety requirements.
Facebook users shared data with their friends. Those friends gave access to the data to CA. So like if you share a document with me and I then give CA access to my GDrive.
In the same sense that if someone uses a third-party Google Drive client, the input of other collaborators on shared documents is exposed without their consent. (It was data about friends of users who authorized the application in Facebook's case).
IIRC the way Facebook's "platform" stuff worked was that when one user authorized an application, it got to see all their friends' data. Farmville had to be able to access your friends list to see who you could send a sheep to, you see.
Nowadays this seems like an incredibly dumb idea, sure, and personally I disabled it entirely the moment it came out. But we can cut them some slack, because back in ~2006 Facebook was a new thing, for young people - and nobody was sure where this new "social media" thing was going to go.
On top of that I believe Cambridge Analytica did the usual "personality test" trickery where you fill out a survey, then it won't show your result until you hand over your details and accept some legal mumbo-jumbo.
So your Great Uncle wanted to know what Harry Potter character he was, clicked a consent button, and Cambridge Analytica got your PII.
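The comments above make two design points: a single user's consent click should not be able to hand over other people's data, and the narrow "who can I send this to" use case needs only a friend list, not friends' profiles. The following is an added illustration, not code from this thread and not Facebook's real API: a small Python model of a consent screen plus two endpoints, a purpose-scoped friend picker and an unscoped "full profiles" escape hatch that a consent click alone can never unlock. All account data and scope strings are constructed for the example.

```python
"""Scoped versus unscoped social-graph API: an added illustration.

All accounts, scope names and endpoint names here are constructed for the
example; they are not Facebook's real API or scope names.
"""
from dataclasses import dataclass

# Constructed sample accounts. "name" is something a friend already sees in a
# friend list; the remaining fields are data the friend never agreed to share
# with any app.
USERS = {
    "alice": {"name": "Alice", "email": "alice@example.invalid",
              "likes": ["cats", "chess"], "friends": ["bob", "carol"]},
    "bob":   {"name": "Bob", "email": "bob@example.invalid",
              "likes": ["jazz"], "friends": ["alice"]},
    "carol": {"name": "Carol", "email": "carol@example.invalid",
              "likes": ["hiking", "politics"], "friends": ["alice"]},
}

# Scopes a user may grant for themself by clicking OK on the consent screen.
SELF_GRANTABLE = frozenset({"profile:self", "friends:list"})
# Scopes that reach other people's data: never grantable by a consent click.
# They require a separate reviewed approval (the "escape hatch").
REVIEWED_ONLY = frozenset({"friends:full_profile"})


@dataclass(frozen=True)
class Token:
    app: str
    user: str            # the account that clicked "OK"
    scopes: frozenset    # what that click (plus any review) actually granted


class ScopeError(PermissionError):
    """Raised when an endpoint is called without the scope it requires."""


def consent(app, user, requested, reviewed=False):
    """Model the consent dialog. Returns (token, refused_scopes).

    A consent click can only grant SELF_GRANTABLE scopes. REVIEWED_ONLY scopes
    are granted only when the app has passed a separate review (reviewed=True);
    the user's click alone never unlocks them.
    """
    requested = frozenset(requested)
    allowed = SELF_GRANTABLE | (REVIEWED_ONLY if reviewed else frozenset())
    granted = requested & allowed
    return Token(app, user, granted), sorted(requested - granted)


def _require(token, scope):
    if scope not in token.scopes:
        raise ScopeError(f"app {token.app!r} lacks scope {scope!r}")


def friend_picker(token):
    """Narrow endpoint for the 'who can I send this to' use case.

    Returns opaque ids and display names only: nothing a friend has not
    already shown to token.user by being their friend.
    """
    _require(token, "friends:list")
    return [{"id": f, "name": USERS[f]["name"]}
            for f in USERS[token.user]["friends"]]


def friends_full_profiles(token):
    """Unscoped escape hatch: full records of people who never consented."""
    _require(token, "friends:full_profile")
    return {f: dict(USERS[f]) for f in USERS[token.user]["friends"]}


def denied(endpoint, token):
    """True if calling endpoint with token fails its scope check."""
    try:
        endpoint(token)
    except ScopeError:
        return True
    return False


def third_party_exposure(token):
    """Number of non-consenting accounts whose private fields token can read.

    This is the figure a platform reviewer should track: how many people other
    than the clicking user does one consent click expose? friend_picker leaks
    only ids and display names, which the user already saw, so it counts as 0.
    """
    if denied(friends_full_profiles, token):
        return 0
    return len(friends_full_profiles(token))
```

The asymmetry is the point: the quiz-style app that asks for everything still gets a usable friend picker, but the only way to reach friends' private fields is through a scope the consent screen refuses to grant, so the blast radius of one uninformed click stays at the clicking user.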
xp84|1 year ago
jsnell|1 year ago
ensignavenger|1 year ago
closeparen|1 year ago
michaelt|1 year ago