Facebook Tries To Silence Blogger To Cover Up User Data Scandal (readwrite.com)
139 points by iProject on Oct 27, 2012 | 27 comments



I don't even trust the original blogger is being completely up-front and honest with us. He was going for the sensationalist angle from the start, and to have Facebook call him and ask for his help was just too rich for him to handle.

Ack, coverup! Ack, censorship!

FB needs to find out which app did this. Give them a chance.


Is he not performing the functions of a journalist? And if so, should we not encourage and admire someone's impulse to buck the system (without being destructive or unreasonable)? Why side with Goliath?


We should encourage reporting of the accurate truth, yes. We should discourage link-bait, and over-hype, and sensationalism.

Even RWW should have done a better job looking into what happened, instead of just finding an anti-FB story of the day to post.


That wouldn't comport with RW's editorial policies, though.


One of the primary responsibilities of a journalist is to avoid editorializing.


Yeah, that is the editor's job.


I completely agree with you. From the get-go, he said things like the Facebook "policy" department is basically the "police." Yes, there is a tasty similarity in spelling and overlapping meaning there, but if that's not sensationalist, I don't know what is. The guy sure knows how to write something that will get to the front of HN though!


Facebook didn't ask him for help. Facebook demanded his full submission and demanded that he behave the way they want, even though he has absolutely no obligation to protect the interests of Facebook in this matter or help them hide the fact that it happened. He might choose to do it if they ask nicely, but he has absolutely zero obligation to do it. And from what I read, they did not ask nicely at all.

I'm assuming that approach is working very well in the US where everybody is scared shitless by the threat of very costly litigation that can be unleashed on anybody just by the virtue of Facebook having tons of money and ability to unleash a team of lawyers on anybody and mess up their life, even if they have done nothing wrong.


That should be easy, right? Just cross reference the list against every app's users (and their friends?)


Read nothing scandalous about Facebook's behavior. This HN headline doesn't deliver.

There is nothing wrong with the request to keep this quiet for a bit so you can investigate.

This is not uncommon in the security world where vendors get some time to get their stuff together and release a fix. Depending on the severity of the issue and the risk of abuse.


“Oh and by the way, you are not allowed to disclose any part of this conversation; it is a secret that we are even having this conversation”

If this is true, it's practically begging for the blogger to research the law and publish the whole conversation, because FB has no right whatsoever to make such a demand. I wouldn't call it scandalous, but it would certainly be a pretty dumb thing to say.

If I had to guess, I would imagine the conversation was slightly different. Perhaps a polite request to keep quiet. Who knows, Facebook is still a teenager in many respects so it's anybody's guess.

Edit: why would anyone downvote this comment? Curious.


I have no specific knowledge of this case, but ...

> Perhaps a polite request to keep quiet. Who knows, Facebook is still a teenager in many respects so it's anybody's guess.

My experience with just about any company is that they would state their hopes as facts, and expect you to accept that as a fact. And it works with the vast majority of people.

Case (from outside the US): Credit card got a fraudulent charge. Called up the credit card company, disputing the charge (after the credit card company was already paid by an automated payment service).

Credit card company: "Well, we're keeping your money, the law says we have 60 days to figure out if you are right or the merchant is right; if you are right, we'll give you back the money".

Me: "Ahhm. The law says you have to give me back the money this instant, and you have 60 days to figure out if you believe that the charge wasn't fraudulent; and if you do, you can explain it to me, and if I still disagree then there's a whole section in the law about that but you don't get any money automatically either"

Credit company: "Oh, you're right. Here's your money back, we'll be in touch in at most 60 days".


I understand. However, this is a savvy blogger who is looking for publicity. Facebook contacted him to defuse a potential PR situation, he didn't call them. You'd imagine they would be smarter than that, after all they are the world experts in virality and social media. Like I said, it's anybody's guess.


> Facebook contacted him to defuse a potential PR situation, he didn't call them

From the description, it sounds like the security department called him, not the PR department. And sounds like they're sort of OK as a security department, but that they DID need to coordinate with the PR department in this case, and they didn't.

> You'd imagine they would be smarter than that, after all they are the world experts in virality and social media

Their product people are experts in virality and social media. Their PR people - I don't know, I guess they're ok. Their security people? Obviously not. They just moved quickly and broke things for the PR department to fix.

If the blogger is lying, I'm sure Facebook will shame them publicly - they have a recording, after all.


> My experience with just about any company is that they would state their hopes as facts, and expect you to accept that as a fact. And it works with the vast majority of people.

You're right but it also backfires with others, like this guy.


I did not read the 'mixed feelings' blogpost with that quote.

If that quote is genuine, it still reeks more of a stupid statement by an individual working for Facebook than of a deliberate policy of Facebook to silence people who find security issues. It's such an obviously dumb request. Don't attribute to malice what can be attributed to incompetence. Facebook is not incompetent, but it's not infallible either.

I'm withholding judgement here. I'm not sure all info is available.


The reason security researchers follow "responsible disclosure" is because publicizing the flaw, or the existence of the flaw, could allow innocent customers to be hacked and suffer security breaches.

However, in this case Facebook users can't be affected. We know the root cause of this 'breach': a dodgy Facebook app. If the original blog post actually contained the details of the users affected, it would be a different matter.


> This is not uncommon in the security world where vendors get some time to get their stuff together and release a fix.

What is the fix to data that is already out in the wild? The only fix is to warn everyone affected as soon as possible.


I am fascinated by this. For most of us, the situation that some rogue web app developer is selling his data is not really newsworthy. But somehow this got magnified through the media echo chamber into a massive "Facebook doesn't care about your data" story. Not quite sure, maybe it is because it already fits the existing narrative, but it is nevertheless fascinating to watch.


Maybe Facebook should consult someone experienced: https://www.facebook.com/barbrastreisand


The title "Facebook Asks Rogue Blogger to Adhere to Responsible Disclosure Policies" would present a completely different viewpoint while not requiring that the body of the article change at all.


"Responsible disclosure" is like the expression "digital rights": something that makes the opposite meaning so ridiculous that you sound like a loony if you dare disagree with it. ("Why would anyone want irresponsible disclosure? Why would anyone not want rights?")

In this case, the original blogger did not follow "responsible disclosure" practices (which means "don't tell anyone about this, we want our PR team to spin the news first") but what he did was not irresponsible. He told the users whose data has been compromised that they should be careful with Facebook until the investigation is complete and details are disclosed. Now the user has the ability to make a rational and data-driven decision rather than hope Facebook will make the right one for them.

I'm not saying one way is right or wrong, but coverups rarely cover up good news.


I don't see how a warning in this instance is helpful. Knowing that the data was likely scraped somehow from Facebook, what is the rational and data-driven approach to take? Unless there is a specific set of actions known to mitigate the risk of additional information leakage, saying "be careful with Facebook" sounds nice but doesn't help anyone. So why not let Facebook's security team do their due diligence first and then fully disclose the information later?


This is an intriguing article, whether or not this is true.

Now to be honest.. Facebook's platform is so open and easy to get information from people and their friends, that a typical web developer could create an app that requires the user's email address upon signing in via Facebook Connect. Upon successful connection, the developer could write a script to save that email address and post some article about the user using his/her real name. This could get the user's attention, attracting their friends. Once they sign in, however, the script will store their email address as well. How long will this work for? Until Facebook denies the rights to your application.

If you want to make $5, sell that list to this guy.. again. haha.


The best part of the article is the irony of Facebook's statement: "Facebook is vigilant about protecting our users from those who would try to expose any form of user information. In this case, it appears someone has attempted to scrape information from our site."

I read this as "We don't want anyone to potentially profit from the data we're profiting from ... let's squash the competition!"


There is nothing to investigate; from the screenshot of the Excel file I can deduce what has happened.

Someone put up a service/application/website which required Facebook login. The user logged in with his Facebook account. The service/app/website may request the email address to be part of the authentication information. The user is informed about this beforehand, when he accepts the service/app/website into his life. The provider of the service/app/website was dishonest and basically sold the login info for $5. How do I know? I have developed applications with Facebook login.


facebook being shady, that's so 2003->forever



