By: David Herron; Date: April 4, 2018
Buried in an announcement of changes being made to tighten user data privacy, Facebook admitted most people on Facebook could have had their public profile scraped. Uh, do what? Why is such an admission buried towards the bottom of a jargon-filled blog post? The core failing is a default setting for an obscure search feature in Facebook that has been exploited by some to inappropriately access user data on a huge scale. It may actually be time to abandon Facebook - as one article published recently said, it's time to Replace Facebook not Fix it.
The admission came on March 4, 2018, as Facebook's Engineering team outlined An Update on Our Plans to Restrict Data Access on Facebook. The plans are reasonable, tightening access to a long list of APIs which can be exploited to retrieve user data.
For example - the Events API conveniently allowed folks to add their events to online calendars. But the Events API also allowed access to the user data of others who've signed up for that Event.
Another type of change is that Facebook will require a higher level of scrutiny of any applications wishing to access certain Facebook APIs. That's so Facebook can have tighter control over the types of applications, and not have a completely open door to any application to do anything it wishes.
While it's a good thing Facebook is looking to rein in which apps have access -- it means that for YEARS Facebook has not taken user privacy seriously.
The admission of a massive data leak came here:
Search and Account Recovery: Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name. In Bangladesh, for example, this feature makes up 7% of all searches. However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.
The feature in question arguably has some usefulness - making it easier for users to find each other. But it also let 3rd party miscreants gather information. It's not entirely clear just what data was available that way, but you can easily imagine some amount of data has leaked this way.
For that matter, the APIs covered by all the other plans discussed in Facebook's Update could well have leaked user data to miscreant 3rd parties as well.
Huge mistakes made by Facebook
Zuckerberg is now admitting he made huge mistakes with the design of Facebook. Facebook's people have at times said recently that for years Facebook has been struggling to keep up with its rapid growth rate - and therefore they hadn't thought through privacy policies as well as they should have.
Um? That does nothing to make me feel better, how about you?
Zuckerberg is saying that while huge mistakes were made, he can fix them, that he started the place and he can fix it.
That's supposed to make us feel better?
Bottom line is that for years Facebook has been extremely lax about protecting user data. Instead Facebook has had a strong need for as many folks using the advertising platform as possible. Facebook's focus has been on serving corporations and others who want to exploit the user data collected by Facebook.
Therefore, Facebook needed those users to have as much flexibility in accessing/using this data as possible.
Therefore, to achieve those goals Facebook had to abdicate its responsibility to protect data about its users.
Therefore, Facebook deserves a huge punishment and even the death of Facebook.
In other news, Zuckerberg claimed that Facebook is not selling user data. But: Facebook is selling user data, even as Facebook does not sell user data