
Facebook Tries To Silence Blogger To Cover Up User Data Scandal - iProject
http://readwrite.com/2012/10/26/facebook-asked-blogger-who-purchased-user-data-to-keep-quiet
======
unreal37
I don't even trust the original blogger is being completely up-front and
honest with us. He was going for the sensationalist angle from the start, and
to have Facebook call him and ask for his help was just too rich for him to
handle.

Ack, coverup! Ack, censorship!

FB needs to find out which app did this. Give them a chance.

~~~
rjbond3rd
Is he not performing the functions of a journalist? And if so, should we not
encourage and admire someone's impulse to buck the system (without being
destructive or unreasonable)? Why side with Goliath?

~~~
unreal37
We should encourage reporting of the accurate truth, yes. We should discourage
link-bait, and over-hype, and sensationalism.

Even RWW should have done a better job looking into what happened, instead of
just finding an anti-FB story of the day to post.

~~~
rhizome
That wouldn't comport with RW's editorial policies, though.

------
louwrentius
Read nothing scandalous about Facebook's behavior. This HN headline doesn't
deliver.

There is nothing wrong with the request to keep this quiet for a bit so you
can investigate.

This is not uncommon in the security world where vendors get some time to get
their stuff together and release a fix. Depending on the severity of the issue
and the risk of abuse.

~~~
diego
_“Oh and by the way, you are not allowed to disclose any part of this
conversation; it is a secret that we are even having this conversation”_

If this is true, it's practically begging for the blogger to research the law,
and publish the whole conversation because FB has no right whatsoever to make
such a demand. I wouldn't call it scandalous, but it would certainly be a pretty
dumb thing to say.

If I had to guess, I would imagine the conversation was slightly different.
Perhaps a polite request to keep quiet. Who knows, Facebook is still a
teenager in many respects so it's anybody's guess.

Edit: why would anyone downvote this comment? Curious.

~~~
beagle3
I have no specific knowledge of this case, but ...

> Perhaps a polite request to keep quiet. Who knows, Facebook is still a
> teenager in many respects so it's anybody's guess.

My experience with just about any company is that they would state their hopes
as facts, and expect you to accept that as a fact. And it works with the vast
majority of people.

Case (from outside the US): Credit card got a fraudulent charge. Called up the
credit card company, disputing the charge (After credit card company was
already paid by an automated payment service).

Credit card company: "Well, we're keeping your money, the law says we have 60
days to figure out if you are right or the merchant is right; if you are
right, we'll give you back the money".

Me: "Ahhm. The law says you have to give me back the money this instant, and
you have 60 days to figure out if you believe that the charge wasn't
fraudulent; and if you do, you can explain it to me, and if I still disagree
then there's a whole section in the law about that but you don't get any money
automatically either"

Credit company: "Oh, you're right. Here's your money back, we'll be in touch
in at most 60 days".

~~~
diego
I understand. However, this is a savvy blogger who is looking for publicity.
Facebook contacted him to defuse a potential PR situation, he didn't call
them. You'd imagine they would be smarter than that, after all they are the
world experts in virality and social media. Like I said, it's anybody's guess.

~~~
beagle3
> Facebook contacted him to defuse a potential PR situation, he didn't call
> them

From the description, it sounds like the security department called him, not
the PR department. And sounds like they're sort of OK as a security
department, but that they DID need to coordinate with the PR department in
this case, and they didn't.

> You'd imagine they would be smarter than that, after all they are the world
> experts in virality and social media

Their product people are experts in virality and social media. Their PR people
- I don't know, I guess they're ok. Their security people? Obviously not. They
just moved quickly and broke things for the PR department to fix.

If the blogger is lying, I'm sure facebook will shame them publicly - they
have a recording, after all.

------
stfu
I am fascinated by this. For most of us the situation, that some rogue web app
developer is selling his data, is not really newsworthy. But somehow this got
magnified through the media-echo chamber into a massive "Facebook doesn't care
about your data" story. Not quite sure, maybe it is because it already fits
the existing narrative, but it is nevertheless fascinating to watch.

------
lignuist
Maybe Facebook should consult someone experienced:
<https://www.facebook.com/barbrastreisand>

------
biot
The title "Facebook Asks Rogue Blogger to Adhere to Responsible Disclosure
Policies" would present a completely different viewpoint while not requiring
that the body of the article change at all.

~~~
jrockway
"Responsible disclosure" is like the expression "digital rights": something
that makes the opposite meaning so ridiculous that you sound like a looney if
you dare disagree with it. ("Why would anyone want irresponsible disclosure?
Why would anyone not want rights?")

In this case, the original blogger did not follow "responsible disclosure"
practices (which means "don't tell anyone about this, we want our PR team to
spin the news first") but what he did was not irresponsible. He told the users
whose data has been compromised that they should be careful with Facebook
until the investigation is complete and details are disclosed. Now the user
has the ability to make a rational and data-driven decision rather than hope
Facebook will make the right one for them.

I'm not saying one way is right or wrong, but coverups rarely cover up good
news.

~~~
biot
I don't see how a warning in this instance is helpful. Knowing that the data
was likely scraped somehow from Facebook, what is the rational and data-driven
approach to take? Unless there is a specific set of actions known to mitigate
the risk of additional information leakage, saying "be careful with Facebook"
sounds nice but doesn't help anyone. So why not let Facebook's security team
do their due diligence first and then fully disclose the information later?

------
KalobT
This is an intriguing article, whether or not this is true.

Now to be honest.. Facebook's platform is so open and easy to get information
from people and their friends, that a typical web developer could create an
App that requires the user's email address upon signing in via Facebook
Connect. Upon successful connection, the developer could write a script to
save that email address and post some article about the user using his/her
real name. This could get the user's attention, attracting their friends. Once
they sign in, however, the script will store their email address as well. How
long will this work for? Until Facebook denies the rights to your application.

If you want to make $5, sell that list to this guy.. again. haha.

------
smoyer
The best part of the article is the irony of Facebook's statement: "Facebook
is vigilant about protecting our users from those who would try to expose any
form of user information. In this case, it appears someone has attempted to
scrape information from our site,".

I read this as "We don't want anyone to potentially profit from the data we're
profiting from ... let's squash the competition!"

------
hkon
There is nothing to investigate, from the screenshot of the Excel file I can
deduce what has happened.

Someone put up a service/application/website which required facebook login.
The user logged in with his facebook account. The service/app/website may
request the email address to be part of the authentication information. The
user is informed about this before when he accepts the service/app/website
into his life. The provider of the service/app/website was dishonest and sold
basically the login info for $5. How do I know? I have developed applications
with facebook login.

------
timpeterson
facebook being shady, that's so 2003->forever

