I don’t think there was any exploit. My understanding is that a third-party app asked for access, and people gave consent, and CA mined data.
I’m the last person you’d see defending FB, but this just seems like the same thing everyone has been doing on FB as a platform since FarmVille launched years ago?
A major part of Facebook's culpability here is that they knew for 2 years that tens of millions of their users were being profiled as part of a political propaganda war on their platform and their response was practically nothing.
Edit: FB also knew the data was collected under an academic license and was being processed, outside that license, for financial gain.
> "Facebook was surprised we were able to suck out the whole social graph, but they didn’t stop us once they realized that was what we were doing."
> "They came to office in the days following election recruiting & were very candid that they allowed us to do things they wouldn’t have allowed someone else to do because they were on our side."
I guess my question is, from a security standpoint, how do you prevent something like this if you were Facebook? Do you ask any company who does a huge number of API requests requesting people's friends lists to verify how they are using the data? How do you actually confirm they are doing what they said?
According to the article only ~200k people installed the app and consented. Unless there was an exploit, you get a minimal version of the data in their friend list (user id, name, that is all I really see), not a full profile. So didn't they only really get the names of 49.8 million people?
Is the solution to just not allow a third-party token to access a friend list, and only your personal information?
I am not trying to defend what is going on, I am just struggling to see how they were able to use the extremely minimal amount of information the friend list API returns to make a full profile on 50 million people.
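One answer to the "how would you detect this from the platform side" question above is to look at the ratio between the users who actually authorised an app and the users whose data the app ends up reading. The following is an added example written for this thread, not code from Facebook or from anyone in the discussion; the log record layout, app and user ids, and the thresholds are all hypothetical. It summarises per-app API reads, counts how many distinct subjects were touched who never authorised the app themselves, and flags apps whose fan-out looks like bulk harvesting rather than ordinary "friends who also use this app" functionality.

```python
"""Flag third-party apps whose API reads fan out far beyond their own users.

Added example (hypothetical log format and thresholds, not a real platform API).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class ApiRead(NamedTuple):
    app_id: str      # third-party app holding the access token
    caller_id: str   # user who authorised the app (the token owner)
    subject_id: str  # user whose data was actually returned
    endpoint: str    # which resource was read, e.g. "me" or "me/friends"


# Constructed sample records; all ids are made up for this example.
SAMPLE_LOG: List[ApiRead] = [
    # A quiz app: every caller reads only their own profile.
    ApiRead("app_quiz", "u1", "u1", "me"),
    ApiRead("app_quiz", "u2", "u2", "me"),
    ApiRead("app_quiz", "u3", "u3", "me"),
    # A social app: reads friends, but only friends who also authorised it.
    ApiRead("app_social", "u20", "u20", "me"),
    ApiRead("app_social", "u21", "u21", "me"),
    ApiRead("app_social", "u20", "u21", "me/friends"),
    ApiRead("app_social", "u21", "u20", "me/friends"),
    # A harvesting app: two callers, but friend reads touch six other users.
    ApiRead("app_harvest", "u10", "u10", "me"),
    ApiRead("app_harvest", "u11", "u11", "me"),
    ApiRead("app_harvest", "u10", "u101", "me/friends"),
    ApiRead("app_harvest", "u10", "u102", "me/friends"),
    ApiRead("app_harvest", "u10", "u103", "me/friends"),
    ApiRead("app_harvest", "u11", "u104", "me/friends"),
    ApiRead("app_harvest", "u11", "u105", "me/friends"),
    ApiRead("app_harvest", "u11", "u106", "me/friends"),
]


class AppStats(NamedTuple):
    callers: int         # distinct users who authorised the app
    subjects: int        # distinct users whose data the app read
    non_consenting: int  # subjects who never authorised the app
    fan_out: float       # subjects / callers


def summarise(log: Iterable[ApiRead]) -> Dict[str, AppStats]:
    """Aggregate reads per app into caller/subject counts and a fan-out ratio."""
    callers: Dict[str, set] = defaultdict(set)
    subjects: Dict[str, set] = defaultdict(set)
    for rec in log:
        callers[rec.app_id].add(rec.caller_id)
        subjects[rec.app_id].add(rec.subject_id)
    stats = {}
    for app, caller_set in callers.items():
        subject_set = subjects[app]
        # Anyone read who is not themselves a caller never consented to this app.
        non_consenting = subject_set - caller_set
        stats[app] = AppStats(
            callers=len(caller_set),
            subjects=len(subject_set),
            non_consenting=len(non_consenting),
            fan_out=len(subject_set) / len(caller_set),
        )
    return stats


def flag_harvesters(
    log: Iterable[ApiRead],
    max_fan_out: float = 3.0,             # assumed threshold, tune per platform
    max_non_consenting_share: float = 0.5  # assumed threshold, tune per platform
) -> Dict[str, AppStats]:
    """Return the apps whose read pattern exceeds either harvesting threshold."""
    flagged = {}
    for app, st in summarise(log).items():
        share = st.non_consenting / st.subjects if st.subjects else 0.0
        if st.fan_out > max_fan_out or share > max_non_consenting_share:
            flagged[app] = st
    return flagged


if __name__ == "__main__":
    for app, st in flag_harvesters(SAMPLE_LOG).items():
        print(f"{app}: {st.callers} callers, {st.subjects} subjects, "
              f"{st.non_consenting} non-consenting, fan-out {st.fan_out:.1f}")
```

The point of the two separate thresholds is that a legitimate friends-based app (`app_social` above) can read friend records and still have a fan-out near 1.0, because the people it reads have all authorised it themselves; what distinguishes harvesting is reading large numbers of people who never installed anything. Counting distinct non-consenting subjects rather than raw request volume is what makes the check robust to an app simply spreading its calls over time.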
This might be an interesting read if you haven't already, still doesn't go into too much tech detail unfortunately.
> What the email correspondence between Cambridge Analytica employees and Kogan shows is that Kogan had collected millions of profiles in a matter of weeks. But neither Wylie nor anyone else at Cambridge Analytica had checked that it was legal. It certainly wasn’t authorised. Kogan did have permission to pull Facebook data, but for academic purposes only. What’s more, under British data protection laws, it’s illegal for personal data to be sold to a third party without consent.
> “Facebook could see it was happening,” says Wylie. “Their security protocols were triggered because Kogan’s apps were pulling this enormous amount of data, but apparently Kogan told them it was for academic use. So they were like, ‘Fine’.”
As I understand it, originally the Facebook API allowed you to access friends of friends - hence the millions of records. They changed this a couple of years ago (but apparently after CA had accessed the data).
It was also against the terms of service to download and store the information retrieved from the API. They also changed this many years ago, in the name of developer convenience.
Is political propaganda against their TOS? I don’t like it, but I don’t like all the other propaganda (re “ads”).
I don’t see how this is worse than a targeted ad trying to get me to invest with Schwab. Also a pretty coordinated campaign. Or just Doubleclick in general.
This comes down to people wanting to limit some ads. There are already laws for political ads. Should we change them? I think they currently apply to Facebook ads.
This prompted me to research UK political advertising regulations, or rather the fact that there are none at all for non-broadcast content. That is insane.
I believe that's correct. People gave consent to X but Y used the data. Perhaps that's a violation of FB's ToS for apps?
That said, (personal) data gets brokered all the time. And, btw, sometimes the buyers are gov agencies. Who needs surveillance when people willingly hand it all over, often in public.
Perhaps now the public will finally begin to understand why the phone metadata "intrusion" was so bad.
> My understanding is that a third-party app asked for access, and people gave consent
Did people consent to their data being mined for a political campaign? Currently, consents are meaningless and so vaguely worded that they can include anything under the sun. Sooner or later, we are going to go the "Informed Consent" way [0].