
Facebook says one hundred API users may have improperly accessed user data - happy-go-lucky
https://www.nbcnews.com/tech/security/facebook-says-100-software-developers-may-have-improperly-accessed-user-n1076881
======
r721
Could this be related to upcoming release of internal documents?

>Big new leak of internal Facebook docs to be published Thursday. There’s been
extraordinary attempts by Facebook to suppress this including seeking
disclosure of emails sent to journalists & MPs

[https://twitter.com/carolecadwalla/status/119140241162292838...](https://twitter.com/carolecadwalla/status/1191402411622928384)

>At noon on Wednesday, Dublin time, I + others will publish full copies of
6,971 pages of Facebook confidential and legal documents, leaked in February.

[https://twitter.com/dcampbell_iptv/status/119139795858925977...](https://twitter.com/dcampbell_iptv/status/1191397958589259776)

~~~
claudeganon
Hadn’t heard about this. Certainly casts their recent cozying up to the
Republican establishment in a new light (i.e. avoiding further enforcement
actions).

------
r1nkgrl
This is referring to 100 external software developers that use Facebook's
APIs, not Facebook engineers as I initially assumed reading the title.

Source:
[https://developers.facebook.com/blog/post/2019/11/05/changes...](https://developers.facebook.com/blog/post/2019/11/05/changes-groups-api-access/)

~~~
desdiv
To clarify further, the exact phrasing used was "roughly 100 partners", as in
roughly 100 external legal entities. Each legal entity could have any number
of software developers.

~~~
dang
Ok, we've put partners in the title above.

~~~
buboard
I use the Facebook API but don't consider myself a Facebook partner. I'm fine
with "API user"

~~~
lancewiggs
But other partners may have hundreds of users.

~~~
buboard
They're all using my key, I get the data and I'm responsible for it, not the
FB user.

------
tobr
Remember that Facebook PR has a habit of releasing a tiny number when they
break bad news. The actual number has been as much as 100 times larger[1], but
they get the smaller number into articles and the news cycle moves on. For
some strange reason their initial wrong estimates are always in favor of
Facebook.

Based on that, this “one hundred” may well turn out to be “ten thousand”.

1: [https://www.vox.com/2019/4/18/18485528/facebook-instagram-pa...](https://www.vox.com/2019/4/18/18485528/facebook-instagram-passwords-stored-unencrypted-security-issue)

------
jsnell
The Facebook blog post would probably be a better source, since it explains
the nature of the data:
[https://developers.facebook.com/blog/post/2019/11/05/changes...](https://developers.facebook.com/blog/post/2019/11/05/changes-groups-api-access/)

I.e. apps added to a group by an admin could get some metadata about members
of the group.

(That blog post would also have been harder to mis-interpret than the NBC
article. Half the early comments seem to think that this was about Facebook
engineers improperly accessing data.)

~~~
dang
If we do that, people will say that we're trying to protect FB by replacing a
news article with a corporate press release. Is there a better third-party
article?

~~~
knzhou
Obviously there isn't!

I don't know what goes into running this site, but personally, if I know I'm
guaranteed to get a totally one-sided take, I'd rather have the one from the
people who actually know how to code.

~~~
randomb_1979
>>I don't know what goes into running this site, but personally, if I know I'm
guaranteed to get a totally one-sided take, I'd rather have the one from the
people who actually know how to code.

In other words, if you don't know how to code, you are probably not
intelligent enough to write about a technical topic?

~~~
knzhou
No, there are intelligent people everywhere. But intelligent people are often
catastrophically wrong when writing on a topic about which they know nothing.

~~~
randomb_1979
The key word, of course, is "often" and not "always".

How would you know the difference?

~~~
pellucidar
It’s not about knowing the difference; it’s about recognizing the pattern and
applying the appropriate measure of skepticism. It happens with complicated
topics in other fields as well.

------
sdan
Regardless of how many developers have "improperly accessed user data", you
can do a lot of stuff as a regular person such as tracking how long all your
friends sleep:

[https://github.com/sqren/fb-sleep-stats](https://github.com/sqren/fb-sleep-stats)

After I found one of my friends doing this, I quit FB (this reason among
others).

~~~
knzhou
You could find much much more personal information about your friends before
social media, the old fashioned way -- stalking. Both stalking and this kind
of data scraping have the same response: get better friends.

~~~
pengstrom
Sitting in the comforts of your own home is very different from having to go
outside to reach the victims.

~~~
knzhou
And blocking social media stalkers is much much easier than stopping real
ones. It is indeed a different game, but I don't think it's qualitatively
worse.

~~~
crematoria
It can be automated and packaged into a solution for anyone to use. IRL
stalking is hard and dangerous, and it's going to be that way for the
foreseeable future. Is that "qualitatively" worse enough?

~~~
knzhou
No, because blocking people takes one click. You can completely solve the
problem in literally two seconds. For that reason, I’m more confident of my
privacy when on social media sites than in real life.

------
tobtoh
If past admissions are any indication, expect a 'revised' admission in a few
weeks where they 'discover' that the actual number is one thousand partners
who have improperly accessed data.

------
ben_jones
> “Although we’ve seen no evidence of abuse, we will ask them to delete any
> member data they may have retained and we will conduct audits to confirm
> that it has been deleted,” the company said in the blog post.

I wonder how these "audits" are done? Force the individuals into a legal
agreement through threat of a larger action?

~~~
jdoliner
They make them pinky promise. (Can't break a pinky promise.)

------
Joof
I may have heard of such a thing happening at another company. Certain
personalities just can't seem to help themselves.

~~~
matheusmoreira
Intelligence agency employees engage in LOVEINT.

------
octocode
Must've been the Gates of Galloo devs

------
newsbinator
100 is a number that raises my curiosity. Not 97 partners or 104 partners.
Exactly 100.

~~~
talonx
FB's post actually says "roughly 100 partners", not exactly 100.

------
tannhaeuser
How can it be that Facebook with all their engineering prowess can't even tell
who accessed what, let alone put adequate permission controls on their APIs?
Didn't they invent GraphQL and whatnot and aren't they bound to GDPR in EU
requiring them to list specifically and individually the external partner
companies they're sharing data with, and the kind of data shared?

~~~
netsharc
Probably laziness. A few years ago (before GDPR) third party "apps" on FB
could access many things, and FB just said "don't worry, the devs can't do
anything bad because they had to click a button that said they'll follow our
rules, or be banned!".

So many of my friends used stupid quiz apps, certainly leaking my data to
those 3rd parties too.

~~~
speedplane
>> How can it be that Facebook with all their engineering prowess can't even
tell who accessed what, let alone put adequate permission controls on their
APIs?

> Probably laziness

Facebook is a lot of things, but they're not lazy. As far as can be seen,
their decisions are largely intentional. If they didn't do something, it's
because they didn't want to or it would hurt their bottom line, not cause
they're lazy.

------
waheediqbal
So many controversies with Facebook lately. It seems like there is something
wrong with Facebook.

------
theelous3
What a surprise.

------
jdkee
We watched this documentary in the fake news class I taught this past summer.

[https://www.netflix.com/title/80117542](https://www.netflix.com/title/80117542)

While some of the assertions in the film are unsubstantiated, the resulting
classroom discussion on the role of social media and privacy was immensely
constructive.

~~~
forgingahead
Did your class cover any aspect of how the mainstream media, like cable and
broadcast TV news channels and the top printed newspapers in the country, also
practice heavy bias in their reporting, and how the members of your class
could become aware whenever those biases arose?

~~~
jdkee
Yes, we did. We cover the difference between journalism and its ethics for the
social good and the media, which is produced for consumption.

~~~
anongraddebt
A key problem is the dearth of actual journalism today. The Economist being
one of the few exceptions, along with Reuters (not sure how to classify them
though).

------
designium
For some reason, I don't think this is surprising.

Within the tech industry, especially Hacker News readers, we know that Facebook
does a lot of "growth hacks", "guerrilla marketing", "Microsoft way of doing
things - Bill's era (remember Netscape vs. IE?)". So, even if FB Internal docs
are released, the real surprising fact will be that end users are not going to
simply stop using FB, IG, WhatsApp and we get mystified about "WHY"?! Or just
"accept" that's always the case.

At the end, the users are either not interested in following what FB does or
they don't have access to the truth. With those billions of users, most of them are
outside the sphere of influence of American media. Each country shows its most
interesting news, a combination of top current world and local news. The
current ones would be "Climate Change", "Hong Kong Protests", "Trade war US
and China", "Something in the Middle East", "Something about US Stocks", and
maybe: something about FB.

If we imagine ourselves as news writers, it is not easy to convey the nuances,
calculated moves, and strategic choices that FB is doing to control its market
to the general population. Thus, there are many barriers to really use this
information to change FB behavior. Perhaps I'm pessimistic about it.

So at the end, it will only be surprising if the users understand and FB gets
huge pushback from its user base.

