Facebook, OAuth authorization protocol, user responsibility, Facebook responsibility

By: (plus.google.com) +David Herron; Date: March 20, 2018

Tags: Facebook » Social Media Warfare

The firestorm around data collection by Cambridge Analytica from Facebook users is about the OAuth protocol, the required notification of access requirements, and whether Facebook actually enforces those requirements. During the OAuth protocol it's required to present the user with a screen describing the level of access requested. Facebook signed an order with the Federal Trade Commission in which Facebook agreed to abide by policies about sharing user data. Facebook may have violated that agreement.

Most people don't pay attention to the notifications in the OAuth signup process. It's likely that the users abdicated their responsibility to make good decisions. Instead they, like lemmings, collectively have played the many zillions of viral games that are shared onto Facebook. It is through such games that marketers and political manipulators alike gather user preference information.

Let's take a look at that process.

Mozilla just sent out a fundraising letter calling for donations, saying:

The headlines speak for themselves: Up to 50 million Facebook users had their information used by Cambridge Analytica, a private company, without their knowledge or consent. That's not okay.

This wasn't a data breach, no one hacked into Facebook or stole passwords. It happened because Facebook allowed apps to access not just sensitive information of people who used those programs – but their friends as well.

Facebook said it’s taken steps to “limit developer access to detailed friend data”, but Facebook’s current default settings leave a lot of questions and a lot of data flying around. One thing is clear though: Facebook needs to step up and respect its users.

I don't think it's accurate to say that users were not notified. The OAuth protocol -- as we will see in a second -- includes a step in which the users ARE notified as to what's going on. The problem is that it's like click-through licenses that none of us ever read.

As we said in an earlier posting Cambridge Analyticas abuse of Facebooks data causing worldwide outrage at Facebook, Facebook and the FTC came to an agreement in 2011 about Facebook's practices in this area.

For example - data retention time-limits were ignored by Cambridge Analytica. Other Facebook policies were ignored by the company, and in fact the whole process of how Cambridge Analyitica got the data was in voliation of Facebook policies.

Cambridge Analytica had turned to a third party who did the data collection. Facebook noticed that this company was doing so, and the company responded its purpose was simple research. Facebook said 'Fine' and they all went about their business. What happened next is that company sold the collected data to Cambridge Analytica in violation of policies. But we're getting off track, which is to be looking at the OAuth protocol.

Examining the OAuth protocol

The process starts with a Facebook posting like this -- the face and name have been obscured to protect the identity. In this case someone was lured into this "game" by a posting they saw like this, and it clicked in them they wanted to see what their name would give.
The next step is this solicitation to take the quiz, the game, the whatever.
Clicking on the "Login with Facebook" button starts the OAuth protocol to cause the approval to be granted. This is the URL, and notice "oauth" is present.
This is the notification for the access request. The protocol is describing that the game is requesting access to your Profile, Photos and E-Mail Address. Why does this "Name Test" company require my e-mail address? What is the purpose for that? Think about what is being requested.

I've seen another request recently where it was "Facebook Profile and Friends". In the case of the Cambridge Analytica efforts, the request was for the full Facebook profile and the Full profile of FRIENDS.

Clicking Cancel on the request for access approval simply returns me to the solicitation page.

Facebook API for login

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login - Documentation overview

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/overview/ -- Use cases and user experience. The basic idea is that a website author can use this to simplify their task of authenticating users. By having someone authenticate via their Facebook account, then the website author can rely on the fact Facebook has pre-authorized that person.

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/review -- Reviewing the login process and the requirements

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/review/requirements -- Requirements

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/userexperience/ -- Presenting a great user experience.

That section focuses mostly on providing an enticing user experience that will tend to cause the user to follow through with the signup process. Down at the bottom a little is said about data policies and asking for permissions, but only after lots of information about creating an enticing process

This common-sense advice makes sense -- ask for minimal permissions -- be clear -- explain -- etc. But does the typical such game/quiz/etc follow such a process?

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/permissions -- The permissions system. There is a wide range of granular permissions to request. Some app developers ask for full permissions.

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/best-practices -- Best practices, which is more a simple review of the above.

« Cambridge Analyticas abuse of Facebooks data causing worldwide outrage at Facebook Cambridge Analytica illegally kept a massive trove user data from Facebook, worked with Russians »
2016 Election Acer C720 Ad block AkashaCMS Amazon Amazon Kindle Amazon Web Services America Amiga and Jon Pertwee Android Anti-Fascism AntiVirus Software Apple Apple Hardware History Apple iPhone Apple iPhone Hardware April 1st Arduino ARM Compilation Artificial Intelligence Astronomy Astrophotography Asynchronous Programming Authoritarianism Automated Social Posting AWS DynamoDB AWS Lambda Ayo.JS Bells Law Big Brother Big Finish Bitcoin Mining Black Holes Blade Runner Blockchain Blogger Blogging Books Botnets Cassette Tapes Cellphones China China Manufacturing Christopher Eccleston Chrome Chrome Apps Chromebook Chromebox ChromeOS CIA CitiCards Citizen Journalism Civil Liberties Clinton Cluster Computing Command Line Tools Comment Systems Computer Accessories Computer Hardware Computer Repair Computers Cross Compilation Crouton Cryptocurrency Curiosity Rover Currencies Cyber Security Cybermen Daleks Darth Vader Data backup Data Storage Database Database Backup Databases David Tenant DDoS Botnet Detect Adblocker Developers Editors Digital Photography Diskless Booting Disqus DIY DIY Repair DNP3 Do it yourself Docker Docker MAMP Docker Swarm Doctor Who Doctor Who Paradox Doctor Who Review Drobo Drupal Drupal Themes DVD E-Books E-Readers Early Computers Election Hacks Electric Bicycles Electric Vehicles Electron Emdebian Encabulators Energy Efficiency Enterprise Node EPUB ESP8266 Ethical Curation Eurovision Event Driven Asynchronous Express Face Recognition Facebook Fake News Fedora VirtualBox File transfer without iTunes FireFly Flickr Fraud Freedom of Speech Front-end Development Gallifrey git Github GitKraken Gitlab GMAIL Google Google Chrome Google Gnome Google+ Government Spying Great Britain Heat Loss Hibernate Hoax Science Home Automation HTTP Security HTTPS Human ID I2C Protocol Image Analysis Image Conversion Image Processing ImageMagick In-memory Computing InfluxDB Infrared Thermometers Insulation Internet Internet Advertising Internet Law Internet of Things Internet Policy Internet Privacy iOS Devices iPad iPhone iPhone hacking Iron Man iTunes Java JavaScript JavaScript Injection JDBC John Simms Journalism Joyent Kaspersky Labs Kindle Kindle Marketplace Lets Encrypt LibreOffice Linux Linux Hints Linux Single Board Computers Logging Mac Mini Mac OS Mac OS X Machine Learning Machine Readable ID macOS MacOS X setup Make Money Online March For Our Lives MariaDB Mars Mass Violence Matt Lucas MEADS Anti-Missile Mercurial MERN Stack Michele Gomez Micro Apartments Microsoft Military AI Military Hardware Minification Minimized CSS Minimized HTML Minimized JavaScript Missy Mobile Applications Mobile Computers MODBUS Mondas Monetary System MongoDB Mongoose Monty Python MQTT Music Player Music Streaming MySQL NanoPi Nardole NASA Net Neutrality Network Attached Storage Node Web Development Node.js Node.js Database Node.js Testing Node.JS Web Development Node.x North Korea npm NVIDIA NY Times Online advertising Online Community Online Fraud Online Journalism Online Photography Online Video Open Media Vault Open Source Open Source Governance Open Source Licenses Open Source Software OpenAPI OpenVPN Palmtop PDA Patrick Troughton Paywalls Personal Flight Peter Capaldi Phishing Photography PHP Plex Plex Media Server Political Protest Postal Service Power Control Privacy Production use Public Violence Raspberry Pi Raspberry Pi 3 Raspberry Pi Zero ReactJS Recaptcha Recycling Refurbished Computers Remote Desktop Removable Storage Republicans Retro Computing Retro-Technology Reviews RFID Right to Repair River Song Robotics Rocket Ships RSS News Readers rsync Russia Russia Troll Factory Russian Hacking Rust SCADA Scheme Science Fiction SD Cards Search Engine Ranking Season 1 Season 10 Season 11 Security Security Cameras Server-side JavaScript Serverless Framework Servers Shell Scripts Silence Simsimi Skype SmugMug Social Media Social Media Warfare Social Network Management Social Networks Software Development Space Flight Space Ship Reuse Space Ships SpaceX Spear Phishing Spring Spring Boot Spy Satellites SQLite3 SSD Drives SSD upgrade SSH SSH Key SSL Stand For Truth Strange Parts Swagger Synchronizing Files Telescopes Terrorism The Cybermen The Daleks The Master Time-Series Database Tom Baker Torchwood Total Information Awareness Trump Trump Administration Trump Campaign Twitter Ubuntu Udemy UDOO US Department of Defense Virtual Private Networks VirtualBox VLC VNC VOIP Vue.js Web Applications Web Developer Resources Web Development Web Development Tools Web Marketing Webpack Website Advertising Weeping Angels WhatsApp William Hartnell Window Insulation Windows Windows Alternatives Wordpress World Wide Web Yahoo YouTube YouTube Monetization