Facebook, OAuth authorization protocol, user responsibility, Facebook responsibility

; Date: Tue Mar 20 2018

Tags: Facebook »»»» Social Media Warfare

The firestorm around data collection by Cambridge Analytica from Facebook users is about the OAuth protocol, the required notification of access requirements, and whether Facebook actually enforces those requirements. During the OAuth protocol it's required to present the user with a screen describing the level of access requested. Facebook signed an order with the Federal Trade Commission in which Facebook agreed to abide by policies about sharing user data. Facebook may have violated that agreement.

Most people don't pay attention to the notifications in the OAuth signup process. It's likely that the users abdicated their responsibility to make good decisions. Instead they, like lemmings, collectively have played the many zillions of viral games that are shared onto Facebook. It is through such games that marketers and political manipulators alike gather user preference information.

Let's take a look at that process.

Mozilla just sent out a fundraising letter calling for donations, saying:

The headlines speak for themselves: Up to 50 million Facebook users had their information used by Cambridge Analytica, a private company, without their knowledge or consent. That's not okay.

This wasn't a data breach, no one hacked into Facebook or stole passwords. It happened because Facebook allowed apps to access not just sensitive information of people who used those programs – but their friends as well.

Facebook said it’s taken steps to “limit developer access to detailed friend data”, but Facebook’s current default settings leave a lot of questions and a lot of data flying around. One thing is clear though: Facebook needs to step up and respect its users.

I don't think it's accurate to say that users were not notified. The OAuth protocol -- as we will see in a second -- includes a step in which the users ARE notified as to what's going on. The problem is that it's like click-through licenses that none of us ever read.

As we said in an earlier posting Cambridge Analyticas abuse of Facebooks data causing worldwide outrage at Facebook, Facebook and the FTC came to an agreement in 2011 about Facebook's practices in this area.

For example - data retention time-limits were ignored by Cambridge Analytica. Other Facebook policies were ignored by the company, and in fact the whole process of how Cambridge Analyitica got the data was in voliation of Facebook policies.

Cambridge Analytica had turned to a third party who did the data collection. Facebook noticed that this company was doing so, and the company responded its purpose was simple research. Facebook said 'Fine' and they all went about their business. What happened next is that company sold the collected data to Cambridge Analytica in violation of policies. But we're getting off track, which is to be looking at the OAuth protocol.

Examining the OAuth protocol

The process starts with a Facebook posting like this -- the face and name have been obscured to protect the identity. In this case someone was lured into this "game" by a posting they saw like this, and it clicked in them they wanted to see what their name would give.
The next step is this solicitation to take the quiz, the game, the whatever.
Clicking on the "Login with Facebook" button starts the OAuth protocol to cause the approval to be granted. This is the URL, and notice "oauth" is present.
This is the notification for the access request. The protocol is describing that the game is requesting access to your Profile, Photos and E-Mail Address. Why does this "Name Test" company require my e-mail address? What is the purpose for that? Think about what is being requested.

I've seen another request recently where it was "Facebook Profile and Friends". In the case of the Cambridge Analytica efforts, the request was for the full Facebook profile and the Full profile of FRIENDS.

Clicking Cancel on the request for access approval simply returns me to the solicitation page.

Facebook API for login

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login - Documentation overview

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/overview/ -- Use cases and user experience. The basic idea is that a website author can use this to simplify their task of authenticating users. By having someone authenticate via their Facebook account, then the website author can rely on the fact Facebook has pre-authorized that person.

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/review -- Reviewing the login process and the requirements

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/review/requirements -- Requirements

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/userexperience/ -- Presenting a great user experience.

That section focuses mostly on providing an enticing user experience that will tend to cause the user to follow through with the signup process. Down at the bottom a little is said about data policies and asking for permissions, but only after lots of information about creating an enticing process

This common-sense advice makes sense -- ask for minimal permissions -- be clear -- explain -- etc. But does the typical such game/quiz/etc follow such a process?

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/permissions -- The permissions system. There is a wide range of granular permissions to request. Some app developers ask for full permissions.

(developers.facebook.com) https://developers.facebook.com/docs/facebook-login/best-practices -- Best practices, which is more a simple review of the above.

About the Author(s)

(davidherron.com) David Herron : David Herron is a writer and software engineer focusing on the wise use of technology. He is especially interested in clean energy technologies like solar power, wind power, and electric cars. David worked for nearly 30 years in Silicon Valley on software ranging from electronic mail systems, to video streaming, to the Java programming language, and has published several books on Node.js programming and electric vehicles.