
Facebook pauses app reviews, disables new user authorizations - humanfromearth
https://developers.facebook.com/blog/post/2018/03/26/facebook-platform-changes/
======
miracle2k
The so-called "data breach" was always in reality a by-product of an open
platform that hundreds of thousands of developers could easily build apps on
top. You may err on the side of "more reviews" or "less powerful API", but in
the end, those ideals are in tension. The more open the platform, the more
open to this kind of "breach".

People who believe in the idea of this kind of platform having an API should
have long ago spoken up in Facebook's defense. This is exactly what I was
afraid would happen, and I expect worse to come from this "platform review".
Given the kind of media coverage here, Facebook seems to have more to lose
than to gain from letting random Hacker News kids build on their platform. And
if so, they won't in the future.

~~~
IBM
Apple got this right from the beginning despite years of criticism about the
"walled garden". They took arrows for years: all the "open always wins" from
the FOSS types, all the press coverage of some app developer crying about App
Store rejections or onerous rules.

They didn't get it wrong because they know who butters their bread: customers.
Developers are rightly prioritized last.

Fun to give this Paul Graham essay a read again [1].

[1]
[http://www.paulgraham.com/apple.html](http://www.paulgraham.com/apple.html)

~~~
headsoup
You're comparing Apples to oranges (I'm sorry)

Apple doesn't have a social network. They also don't rely on advertising and
3rd party data brokering.

It's easy for Apple to be the 'good guys' here when they have physical
products as their profit generators.

FOSS would have worked better in the Facebook case too as people and
developers would know/discover a) where their data is and b) what risks it
faces

~~~
thinkloop
I swear there is some kind of downvote bot on HN - reasonable posts are often
down-voted grey within the first few minutes (like this one's parent), and
then eventually climb up to a reasonable place, when, what feels like, the
humans have had time to see it - has this been noticed or discussed before?
I'd be curious to know if some accounts are serial downvoters, especially as
soon as comments go up - does HN look for that kind of stuff?

Of course part of the answer is that new comments have no votes so a quick
downvote will make them grey, but there are frequent strange cases.

One thing for sure is that a lot of people downvote based on disagreement
rather than a comment's quality - which in my opinion is not right (and I
think against the intent of a downvote), but that's a different issue.

~~~
jnbiche
I'm fairly sure there are multiple downvote bots operating on HN. Frequently,
certain comments to topics considered by some as "political" on HN will get an
_immediate_ 2 or 3 downvotes in the first 30 seconds, and then over the course
of the next 2 or 3 hours, be upvoted back up to black.

Although it's possible that there's some confounding happening here, such as
the handful of people who hit refresh on HN hundreds of times a day are also
ones who can't stand certain political viewpoints. But it seems unlikely. Far
more likely is that there are a handful of downvote bots in operation on a
keyword basis.

It's not a huge deal to me, but it does seem kind of obvious.

~~~
mistermann
I get downvoted on agreeable comments on 4 day old conversations....there's
definitely bots or something going on.

~~~
jnbiche
A downvote on a 4-day-old comment is unlikely to be a bot, since it's likely
that no one will even see it. If you're seeing agreeable comments being
downvoted after several days, it's probably just a grouchy misanthrope or two
catching up on HN on their day off.

~~~
DoreenMichele
_A downvote on a 4-day-old comment_...

Is not possible since they turn downvotes off after 24 hours.

/pedant

As someone who incessantly refreshes HN and spends a fair amount of time on
the Comments page, I see no reason why it wouldn't be people seeing new
comments to older discussions via the Comments section rather than bots.
Although I am a demographic outlier in multiple ways, I cannot possibly be the
only person routinely cruising the new comments section.

~~~
grzm
Good point about the new comments feed. I think your parent either misspoke or
misunderstood their parent's "[downvoted] comments on 4 day old
conversations", which would mean a new (down votable) comment on a thread that
started 4 days earlier.

~~~
mistermann
Correct.....old conversation, new comment.

The giveaway, imho, is a downvote on a completely inoffensive comment,
combined with certain other increasingly common patterns.

------
downandout
The Facebook API has been useless since 2014 when most access to friend data
was cut off. Since then, if your objective was data collection, that could be
easily achieved by scraping publicly available information (many friends lists
are public, there are many public posts, etc. - certainly enough to use in
aggregate to formulate campaign strategies etc.). I suspect that will be the
next “scandal,” since in 2018, people can’t possibly take personal
responsibility for the things they post and allow to be public.

Ironically, the “scandal” that caused this whole thing is a non-issue.
Pre-2014 Facebook apps could collect a lot of information about you and your
friends, along with their Facebook user IDs, and that was scary because there
was a time when you could simply submit a list of user IDs that you wanted to
show a specific ad to. But since Facebook advertising cannot be targeted by
user ID anymore, and this policy was in place well before the 2016 election,
all of that data was essentially useless to any participant in the 2016
election other than for aggregate things like general campaign strategies. I
am intimately familiar with the advertise by ID issue - I was awarded a $2k
Facebook bug bounty for spotting an exploit in the Custom Audiences feature
that allowed an equivalent version of targeting by ID after they disallowed
it.

So while it’s possible that Obama used his special access to the entire US
social graph to successfully influence his elections, it is impossible for
Trump or Hillary to have done it _even if they had the data_ because of the
changes in the FB ad platform in between 2012 and 2016. This entire “scandal”
was created and promoted by people that don’t understand, or actively ignored,
this concept. If you ask everyone that has read the recent headlines,
including reporters that wrote the stories, I’ll bet 99%+ will tell you that
they believe they could be specifically targeted with ads.

It would be interesting to see if the executives at any of the media companies
that have managed to sell this scandal to the public took unusually large
short positions in Facebook stock before releasing the story. Since the story
is effectively fraudulent (it was not possible for the election to have been
influenced in the way that the stories imply), I assume that would be
securities fraud.

~~~
alasdair_
>Facebook advertising cannot be targeted by user ID anymore

This doesn't matter much if you can do essentially the same thing by targeting
with extremely specific location and demographic data.

~~~
downandout
You can’t “essentially do the same thing” in the way you mention though. You
are bringing up a second issue, that is also not allowed. You cannot, for
example, use specific GPS coordinates to target a house or even a group of
houses. Anything less specific than that and the effect gets watered down
significantly, and the platform simply doesn’t allow anything close to that
kind of “extremely specific” location targeting. Same with demographic data
(which can easily be obtained through other places, where the data is much
more accurate than you would get from Facebook - see Acxiom).

~~~
IAmEveryone
The idea is this:

given the complete graph and add some external data, you can identify those
users you should advertise to, i.e. jane@test.com.

BUT: what is still possible, and what Cambridge Analytica was actually
building, is slightly different: with a statistical sample of maybe a few ten
thousand complete profiles, you can build a statistical model that targets
your advertisement not to a user, but a set of criteria: "Males between the
ages of 35 and 40 living in a mid-sized town in Texas who liked curling and
Star Wars Episode I, but has never traveled to Australia". This is still
perfectly possible.

It's likely the latter model performs at least 90% as well as the former, with
an upward trajectory as methods are improved. Note that CA probably didn't get
this working terribly well. But someone else definitely will.

Intuitively, I am far more uncomfortable with the first. But practically, I
can't really think of a reason why.

~~~
downandout
Agreed that it’s scary if someone actually manages to get it working. CA did
not, nor did Obama who was given access to far more data. But the issue is the
false narrative being sold by these news stories. If you ask an average person
right now what happened based upon these news stories, they’ll tell you that
Trump hired someone to hack their Facebook data and then used it to target
Facebook ads to them, and that this was so effective that he was able to steal
the election from Hillary. That’s what I take issue with - it’s a provably
false narrative.

~~~
brazzledazzle
I’m actually not opposed to this. In fact I wouldn’t mind if a similar
narrative started about Clinton and how she used it to steal the popular vote.
Then both major parties would be pushing for privacy in the US. Digital
privacy is complex and I’d rather people have a misinformed motivation for it
than apathy. It’s not unlike geopolitics or economics in that you almost need
to have egregiously simplified propaganda to get people onboard because the
reality is so complex and nuanced that most people's eyes glaze over at the
thought of it. The truth and depth of understanding is available to anyone
that wants it but my parents are never really going to get it the way I do.
They don't have my understanding of how data, applications and the web
actually work to make it all click so they think Facebook spies on them using
their microphone when the reality is so much more insidious.

------
humanfromearth
Pausing app reviews is annoying for sure, but not allowing new users to
authorize their app is really bad.

Meaning that new customers can't connect with Facebook anymore to access their
own data using OAuth! We don't need permissions about your friends, your
photos, or whatever. Just accessing their own messages and posts (which is
what our customers want to see in our app and pay for).

I know they are shell-shocked after #deletefacebook stuff, but this
overreaction is ridiculous.

So glad it's not our only channel of communication though. Times like this
you appreciate email - crazy huh?

~~~
olliepop
Drastic action and outcry from developers may be necessary to attain enough
media coverage.

The spin from Zuckerberg as a result will be along the lines of "We're really
glad you asked that question, and it's one that's really important to all of
us. We are prioritising the safety and privacy of our users, and unfortunately
that might upset some over-reaching applications."

------
Mc_Big_G
Reading Facebook's PR as they try to fix "problems" that they previously
leveraged to profit massively is like someone purposely tripping you and as
you stand back up they spit in your face and say "Oh, sorry. I'll try not to
do it again" in a condescending tone. [edited to remove things HN can't
handle]

~~~
negamax
Wow man that's some top level hate. You do realize that Zuck has pledged away
99% of his wealth? Providing third party apps access to friends list was a
strange permission. I have never used an app that asked for it. But there are
plenty of dating, games and social apps that could only work with a permission
like that.

I think people are reading too much into this fiasco. We are better off fixing
Facebook. It serves its purpose well.

~~~
ucaetano
> You do realize that Zuck has pledged away 99% of his wealth?

He hasn't. He has pledged to donate 99% of his wealth to a private, for-profit
organization that he owns.

I also pledge to donate 99% of my wealth to my bank account.

~~~
niij
>He hasn't. He has pledged to donate 99% of his wealth to a private,
for-profit organization that he owns.

I initially thought you were being overly critical here. It looks like you're
right, the "Initiative" he created is an LLC and not a non-profit.

[https://en.wikipedia.org/wiki/Chan_Zuckerberg_Initiative#Com...](https://en.wikipedia.org/wiki/Chan_Zuckerberg_Initiative#Company_form_and_taxation)

~~~
734786710934
If you read higher up in that wiki it lists all of the money the initiative
has given away so far. I'm not sure why people think that the LLC doesn't give
away money.

~~~
mistermann
That's called influence, changing people's minds with relatively small amounts
of money. And it works.

~~~
mistermann
Changing people's minds is no longer considered influential?

------
ihuman
Where does it say that Facebook is disabling new user authorizations? I don't
see it on the page OP linked.

~~~
humanfromearth
It's not mentioned in the post specifically, but this is what you get when a
new user tries to login with Facebook:
[https://imgur.com/a/iAf6r](https://imgur.com/a/iAf6r)

~~~
BillinghamJ
It sounds like this might only affect apps requesting the "pages_messaging"
scope...
[https://twitter.com/search?f=tweets&vertical=default&q=platf...](https://twitter.com/search?f=tweets&vertical=default&q=platform%20access%20disabled&src=typd)

------
madrox
This is a bit out of left field, but since the height of Farmville I've argued
that Facebook should offer cloud services. I know these days everyone wants
you to build on their cloud and it's a bit oversaturated, but a very easy way
for Facebook to make data available to developers while maintaining security
is to run the code that operates on that data on their servers. Seems like
such a no-brainer I'm surprised they haven't done it.

But maybe I'm missing something obvious.

~~~
ryanwaggoner
Ben Thompson from Stratechery has convinced me that Facebook _wanted_ to be a
platform, but changed their mind. They realized that making the world's most
valuable consumer dataset available to developers (and competitors) was dumb,
as was letting those companies all pollute the core FB experience (like
Farmville), and they would make far more money in the long run by letting
advertisers target with that data.

This lines up with my experience. I did a ton of (painful) Facebook platform
development from 2007-2009 or so, but I haven't followed it as closely since.
My sense back then was that there was this huge build-up of activity around
the FB platform; they were creating all these new APIs and ways for developers
to build super social experiences and deeply integrate with the core FB
experience, there were huge companies like Zynga that were entirely dependent
on Facebook and also were responsible for tons of FB revenue, etc. And then it
all seemed to fizzle? It doesn't seem like there's really hardly any activity
any more in terms of deep integration with Facebook as a platform, other than
FB login. I never see anything on my news feed any more from weird apps, or
get invites to take some dumb quiz, or whatever. I mean, I'm sure that stuff
is there somewhere, but not anything like it was. That could be wrong though!

------
siquick
Our app which has only `email` permissions is still allowing new users to sign
up.

~~~
rocky1138
Do you have an alternate means of signup available for those that don't have
Facebook?

~~~
siquick
Yep, users can sign up by email too.

------
thinkloop
I wonder if it's all still a net benefit for fb. I remember back in the day
while doing heavy fb dev, being flabbergasted at what we were able to get. It
solidified our decision to invest heavily in their platform. We were able to
get millions of likes and other data by simply having a few thousand signups.
At one point I thought it was a bug and had to ask around about it. We had to
consider whether it is something that will be "discovered" and shut down or
not. The power of it cannot be understated, and without a doubt a major
catalyst for the success of their platform. It's possible that they would be
worth less today, including the $100B loss, without it.

------
timthimmaiah
Not sure if this headline is 100% accurate. OAuth for apps that have already
passed Login Submission is still functioning. For example, new users to an app
that is already in the FB app ecosystem can still create accounts via OAuth.

However, apps that request scopes like "user_friends" or "pages_messaging" [1]
may error out during authentication.

[1] [https://messenger.fb.com/newsroom/messenger-platform-changes...](https://messenger.fb.com/newsroom/messenger-platform-changes-in-development/)

------
dworts
Seems kind of late for this kind of thing doesn't it?

~~~
aylmao
As in, a week late? No. Changes like this take time; some of these Facebook
devs and managers are probably already working around the clock on this and
related changes.

Or as in many years late? In that case yes. A bit more privacy from the start
would've been nice.

------
seem_2211
Interesting how it's all about "sharing" and "community" when they want you to
get on Facebook and all about "well you know you signed your privacy away"
when you ask any questions. It's so disingenuous - I'm loving Facebook's
self-created troubles.

------
drnex
Facebook privacy through restricting the API is an illusion, a lot of content
can be extracted with scrapers

~~~
aylmao
You have to be someone's friend to extract that same info with a scraper though,
no?

~~~
anigbrowl
It depends on their privacy settings. Some people expose a lot of information,
and you can (if you're patient) put together a great deal of information
about a person with their privacy settings locked down if you study enough of
their friends.

Of course, FB could just resort to making everyone's info private. But then it
would suffer a serious loss of utility, as many friendships and social
connections are validated by the existence of mutual acquaintances. Most of
the time this is completely innocent and desirable for all parties, which is
what allowed FB to become so popular in the first place.

------
Animats
Just turn off all Facebook apps. I never turned them on, and don't seem to be
missing anything.

~~~
Fnoord
Or how about: "Don't use Facebook. I never seem to miss anything."

------
Zarath
How does one even pause app reviews? They don't own the app stores do they?

~~~
yourarm
I think this means that they're not allowing new apps into the app store.

~~~
aylmao
Close, but no (: They don't own any app stores, this refers to apps that use
Facebook login or data.

------
paulsutter
Can anyone think of a useful Facebook app? I can’t think of one. They’re not
as intrusive/awful as they were in the FarmVille era, but are any actually
useful for users, not marketers?

~~~
jnmandal
I mean just having a Facebook login on your own website can be useful. I
believe even that qualifies as a Facebook app.

------
thomble
Is it possible to create an app that can easily remove personal info, and
delete all posted content that is, say older than n days old? If so, is there
a new demand for this kind of app?

------
egypturnash
"people have noticed that a lot of horses get stolen from our barn, we guess
it's maybe time to finally close the barn door"

------
foota
Seems like the right answer here is analyzing usage of the API and looking for
malicious patterns

