Facebook Says It Has Suspended ‘Tens of Thousands’ of Apps (nytimes.com)
74 points by tysone on Sept 20, 2019 | 26 comments



I had an app "suspended" because I had largely sunset the app almost a year ago and thereby wasn't getting bug reports from users that the app was offline (when it had been initially put by Facebook into a weird quasi-suspended state) and hadn't been (and still haven't been) prioritizing checking or responding to e-mails back and forth from Facebook (which have been draconian: I have an application that literally only uses Facebook for its Login feature (there are no social aspects of the app where data from one user is shown to another user: it shows you your own name and profile picture while you are logged on, and that's it), and yet they sent me a PDF file with multiple pages of questions and a requirement that I not just answer them but somehow provide a signed affidavit--with a real signature on it, not just a digital one--that I answered them correctly). I thereby would guess that the vast majority of those "tens of thousands" of apps were apps that no one was even using anymore and which were suspended not because of misuse of data but because the developer was either no longer reachable or simply no longer cared (at which point this makes them either look like they are doing critical work on something important or that there was a rampant problem they caused that they had to fix, depending on your narrative slant, when I'd imagine "they aren't really doing anything and have just automatically suspended tens of thousands of dead apps" is more likely).


> provide a signed affidavit--with a real signature on it

They really are becoming desperate.


[flagged]


Nah I normally defend Facebook but too little too late as far as I'm concerned.


Glad you understand how most of us feel.


This is off topic, and I hope I come off as constructive and not insensitive. Your comment structure, with long sentences and lots of parentheses, made it really, really hard to hold your rather interesting thoughts in my head.


You may need to read more to up that reading comprehension.


If they built in proper data access controls, one would think that suspending apps would not be necessary. The fact that the apps have the power to grab people's personal data at all is the problem. Why don't they just shut down the leaky APIs, disable all the apps that require those APIs, and make the app devs update them? On the assumption of course that Facebook gives a single lick about actually protecting people's personal data.


> Why don't they just shut down the leaky APIs, disable all the apps that require those APIs, and make the app devs update them?

Facebook already did this (https://developers.facebook.com/blog/post/2019/04/25/api-upd..., https://developers.facebook.com/blog/post/2018/04/24/new-fac..., https://developers.facebook.com/blog/post/2018/04/04/faceboo...). These suspensions are in addition to that.


They don't, that's the entire point. From the day they created the API it was with the understanding that people would farm the data. FB only asked politely that companies not collect so that they could tell the public what they are telling them now (We had no idea!), but no developer ever took that seriously.


Then they should get absolutely no praise or even acknowledgement for suspending these apps. They made the fence with no gate; saying they've kicked out a few of the foxes isn't praiseworthy.


> From the day they created the API it was with the understanding that people would farm the data

This is a serious claim; do you have any evidence to support it?


They put in no safeguards. It was designed to give developers access to personal information.

What more do you want?

Criminal negligence is still criminal.


Actually, allowing access is not criminal provided they tell you they are going to do so in the TOS.

That's why we need a law to make it explicitly illegal to share any such information at all for commercial purposes. I don't really care if it destroys business models. Maybe some of those business models deserve to be destroyed.


Facebook has a couple dozen contractors that employ thousands of people. These contractors fall out of the scope of Facebook’s Bug Bounty in most cases, and the contractors do not have a way to contact them about security vulnerabilities or a defined process.

It is an enormous legal arbitrage finance maneuver it seems. These contractors are awarded very large contracts in exchange for essentially assuming huge legal liability. They are gambling nothing bad will happen. It makes sense from a business perspective for both parties.

These contractors can be quickly identified via some searching online. From there, if you map their DNS infrastructure via common tools like https://dnsdumpster.com, you will find very poorly (or at least quickly) set up AWS/Azure infrastructures running software that is behind on patching, usually by 1-3 years, and that has documented exploits which can be triggered remotely without prior auth.

The situation is very sad, and I would encourage the engineers at Facebook to at least ask their managers if they think this serves the company. The good news is of course it can be fixed quickly and dramatically. OS updates and a few L4 firewall rules for the host is often all that is needed.

EDIT: changed a plural


"Move fast and break things" is definitely in contention with "hold the most personal data of everyone on the planet".


I am not sure about your use of "in contention"; it doesn't really make sense to me here. Did you mean something like "incompatible" or "in conflict"?


Yeah, but to be transparent, they should post a list of apps and the data they were collecting.


Now that just makes too much sense, and would empower users to actually take action to protect themselves from people trying to snoop on them. That's probably the reason FB would do something like that only as a last-ditch act of desperation.


If only they subscribed to such common logic...


I wonder how much revenue Facebook made off these apps.


I had an app suspended. It was basically just a way of automating a FB Like widget on a specific website. I replaced it with a static field (the number was in the millions of likes and the display was only 2 significant digits).

I mean, good for them, I guess. I just made it a field and update it by hand.


A fun little app to make: "Would you rather trust <company A> with your <piece of information X> or <company B> with your <piece of information Y>?" Two lists. Issue a uniqueid cookie to filter duplicates. See what comes back. I bet the order comes out, roughly, Apple, Google, Amazon, a bunch of others, with Facebook somewhere down at the very bottom. But I could be very wrong.


> "Would you rather trust <company A> with your <piece of information X> or <company B> with your <piece of information Y>?" ... I bet the order comes out, roughly, Apple, Google, Amazon, a bunch of others, with Facebook somewhere down at the very bottom.

You'd be right if your survey was targeted to the HN crowd. But if you targeted the general public, it would just be confusion... "what do you mean these companies have my information?"


Facebook still has apps? I thought that fad died circa 2012?


They consider websites which just use the Facebook auth to be "apps"; they probably just disabled thousands of website logins.


Too little, too late. Delete FB/Whatsapp/Instagram.

