
Ex-Facebook insider says covert data harvesting was routine - valanto
https://www.theguardian.com/news/2018/mar/20/facebook-data-cambridge-analytica-sandy-parakilas
======
jakelazaroff
Can we not let this become framed as a "breach"? No systems were compromised.
Nothing of Facebook's was accessed that wasn't supposed to be accessed. This
was data _intentionally exposed by Facebook_, just exfiltrated and given to
an entity whom Facebook hadn't authorized.

This is simply the extent to which we've permitted these Internet giants to
collect information about us. It's business as usual.

Edit: To clarify, this is indeed worse than if the data were taken from
Facebook without consent. What it means is that not only does Facebook have
access to vast troves of personal information, but _so does everyone
tangentially connected to someone with a Facebook developer account_.

~~~
generalk

> Can we not let this become framed as a "breach"? No
> systems were compromised. Nothing of Facebook's was
> accessed that wasn't supposed to be accessed. This was
> data intentionally exposed by Facebook, just exfiltrated
> and given to an entity whom Facebook hadn't authorized.

This is similar to a HIPAA "breach" where the word doesn't imply that a
security system was compromised, but that protected data was accessed by folks
who shouldn't have had it. In this context, framing it as a breach is
perfectly accurate.

As an aside, a HIPAA-style law that protects and enforces portability for this
type of personal data might be a good first step to reforming our industry
here, which is currently completely unregulated in this regard.

~~~
verylittlemeat
>protected data

What data was being protected? The data was created when the user chose to
engage with the facebook apps. CA pays facebook to put something in front of
users faces and then CA gets back information on user engagement. How is that
different than any other kind of advertising on the web?

We can argue that there needs to be more transparency on facebook but a
breach? That's torturing the word.

~~~
JumpCrisscross
> _What data was being protected?_

Personally-identifiable information [1]. Many states require notification in
the event this data is found to have been accessed improperly. The definition
of a "breach" is not limited to technical malfunctions.

[1] [http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx](http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx)

~~~
closeparen
Personally-identifiable information that users chose to share with the world
as part of public profiles.

We might say that you can't sign away the secrecy of your PII, so user consent
is irrelevant. Then we had better get on YCombinator, Stack Overflow, Medium,
etc. for allowing prominent community members to use their real names on their
posts. Someone could [0] use them to train statistical models to who-knows-what
purpose, after all.

[0] [https://www.kaggle.com/hacker-news/hacker-news-corpus](https://www.kaggle.com/hacker-news/hacker-news-corpus)

------
scottmf
Oh man this is bad.

>the platform operations manager at Facebook responsible for policing data
breaches [...] warned senior executives at the company that its lax approach
to data protection risked a major breach

>One Facebook executive advised him against looking too deeply at how the data
was being used, warning him: “Do you really want to see what you’ll find?”

>They felt that it was better not to know. I found that utterly shocking and
horrifying.

~~~
txcwpalpha
Lol, "this is bad"? This is normal. I can give you an entire list of F500
companies I've worked at that have the same mindset. I've sat in meetings with
F100 CIOs where they were given the same warning and shrugged it off. I've
been asked before to turn off security monitoring systems because executives
prefer to not know about vulnerabilities rather than know about them and not
be able to fix them.

The only thing shocking and horrifying about this whole thing is how naive the
American public must be to find any of this shocking and horrifying.

~~~
peterwwillis
People love to pretend to be horrified by things they've assumed to be true.
"What? A politician is corrupt? Outrage!!" "What? They're tracking me to build
profiles on my use of all their advertising driven free services? Outrage!!"
I'm sure there's a word for it in German.

~~~
scottmf
Have you ever considered the possibility that many people actually _are_
shocked?

Why do “people love to pretend” that genuine outrage and the sincere desire to
stop immoral practices doesn’t exist?

Many people sincerely care about what’s right, even if they fall prey to human
flaws and cognitive biases from time to time.

Perhaps those who talk about how “everyone” just “loves to act like” x and
“virtue signal” y are merely projecting their own values on to the rest of us?

~~~
peterwwillis
That's even more sad. It would mean that even though they care deeply about
outcomes, they either willfully ignore the things that result in those
outcomes, or have amnesia, or are just incapable of doing anything about it.

Take Congress for example. Approval ratings are what, 20%? They're generally
seen to be corrupt, and they don't get anything done, right? So why aren't
they voted out of office? Why are people surprised when they end up having low
morals or corrupt? If people honestly cared, wouldn't they immediately demand
change? But the status quo remains.

So either the people have no power to change things, or they collectively
forget these things every day, or the real reason: they don't really care that
much, but like to seem like they do.

~~~
dragonwriter
> Take Congress for example. Approval ratings are what, 20%? They're generally
> seen to be corrupt, and they don't get anything done, right? So why aren't
> they voted out of office?

Because the average approval rating of individual members of Congress in their
own district (for the House) or state (for the Senate) is much higher. For
most people, it's (some large subset of) the 532 members of the Congress that
they don't get to vote for that are the problem.

------
camillomiller
The cool thing? This "whistleblower" already spoke publicly with an op-ed on
the NYT months ago. Again, this is just the top of the newscycle. Let's see
what happens in three months from now. My guess: Facebook revenue will go up.
This is a PR shitshow, and a great piece of advertising for Facebook's ad
department. A lot of marketers right now are thinking "wait, we could do that
with all that Facebook data we have?!"

~~~
sveme
GDPR can't come too soon. That would definitely put an end to these shady
practices, as the penalties of several individual infractions would endanger
any company.

~~~
camillomiller
It will offer a possible solution in Europe, where Facebook has already been
under heavy scrutiny. It won't change anything in the US, South America, SE
Asia and developing countries where Facebook is already dangerously
synonymous with the whole online experience of the average user.

~~~
sveme
The hope is that Facebook will not have two different data handling strategies
for EU and non-EU users and we'll see some sort of regulatory encroachment
from the EU to the rest of the world. But obviously GDPR endangers so many of
Facebook's shady but lucrative practices that they will have financial
incentives to set up two different user silos.

~~~
Chaebixi
> The hope is that Facebook will not have two different data handling
> strategies for EU and non-EU users and we'll see some sort of regulatory
> encroachment from the EU to the rest of the world. But obviously GDPR
> endangers so many of Facebook's shady but lucrative practices that they will
> have financial incentives to set up two different user silos.

Facebook might be one of the few organizations with the motivation and ability
to set up two different regimes to contain the effects of GDPR on their
practices.

In that case, I would love to know what their selection criteria are.

------
bbarn
Attention everyone's smart friend or family member:

Now is not the time to scream "DUH!" or "I told you so!" to people who in the
past have not grasped just what they were agreeing to. Now is the time to help
your less tech-savvy friends understand the impact their data has in aggregate
(like swaying elections!), and how they have been used by this system. Take
advantage of all this bad press and help people you care about stop
contributing to this machine. If ever you were going to get someone to stop
using these services, these are the moments you capitalize on.

~~~
jjulius
Thank you!

I'm going to be using this thread as a perfect example when people think I'm
crazy for saying that SV often exists in its own bubble. The disconnect here,
and the failure of so many people to realize something so obvious, is
appalling.

------
arkh
How the fuck could people be surprised?

Open a software job board. 50% of offers are by companies trying to optimize
some data harvesting and analysis to better target some ads.

Ads, the direct child of propaganda. So to everyone working in those kind of
companies: you're not better ethically than people working on missile
software. I'd say you're worse because you can argue missiles can be used as
deterrent.

~~~
aylmao
> So to everyone working in those kind of companies: you're not better
> ethically than people working on missile software.

Yikes.

I agree with your points, don't get me wrong! Spot on-- this optimized data
harvesting is widespread and terrible, and ads are dangerous.

Yet, I think your analogy is a little bit much and takes away from your
argument. Missiles' purpose is to kill people, they tear apart families, bring
chaos to countries-- they are built with the explicit purpose of terrorizing
at best, and ending anyone not terrorized at worst.

Ads are meant to sell things. Sure, they are terrible when used as propaganda,
but they're still just meant to be an efficient way to deliver feelings+ideas,
and one that can be escaped with skepticism and critical thinking.

I personally don't think that a Google engineer working on Google Maps, a
Youtube intern helping with creator tools, or even a Facebook employee making
face filters for Instagram are in nearly the same ethical level.

~~~
aylmao
Also, you mention missiles at their best are used as a deterrent. That might
keep one nation safe, but it is still about spreading terror to others and
tends to just fuel arms races.

Ads at their best (aka, furthest removed from propaganda) are about informing
people of things they would otherwise not know about. Think, mom and pop shops,
some new organization, or a science fair.

It's easy to paint things black and white, and there's a line that can be
crossed in terms of tracking, optimization, and attempts to control the
population/public opinion. IMHO though, I really do think engineers working on
companies in the ad space are not as ethically removed as those working on
machines meant to kill.

------
tmalsburg2
It's important to realize that Facebook's lax attitude to data harvesting was
most likely one key to their success. If they had closely guarded user data,
there would soon have been stiff competition, but this way everyone could
benefit from Facebook's data treasure trove and Facebook's success was in many
other companies best interest. The current state of affairs should therefore
be seen not as the result of negligence but a desired outcome of Facebook's
core business strategy.

------
synchronist
I made a Facebook web scraper which opens 20 headless browsers. You provide a
list of unlimited usernames & proxies (you can buy them at
[https://buyaccs.com/en/](https://buyaccs.com/en/)). It will scrape every
ounce of public information available. I acquired a few million users worth.
The data is too easy to get.

~~~
aylmao
Which kinda throws me off. It's no secret Facebook, Twitter, your phone (if
you give permission to a 3rd party app) etc, are all harvestable. All CA is in
regards to a story that broke a couple months ago. Why is it catching fire
now?

------
simias
Is there any reason to believe that the situation isn't the same in, say, the
Android ecosystem? In my experience many 3rd party apps require ridiculous
amounts of permissions (contact list etc...) for something that's not core
functionality. Surely all these free-to-play crapware games on the Android
market have siphoned all the data they could and sold them to the highest
bidder? Does Google do a better job of monitoring these apps?

~~~
TeMPOraL
Wait until you see the video of these guys:

[https://www.sentiance.com/](https://www.sentiance.com/)

(via
[https://news.ycombinator.com/item?id=16626752](https://news.ycombinator.com/item?id=16626752))

~~~
simias
Yeah that's exactly the type of things I'm worried about. Smartphone apps have
potential access to an incredible amount of sensitive data and I always found
Android's permission system to be woefully inadequate.

------
mannykannot
All the self-serving memes are out on parade here: "This not news", "what did
you expect?", "anyone paying attention should have known", "it is the new
normal", "it could not be any other way", "everyone benefits"...

Actually, as of posting, the "Apple/Google/Microsoft are just as bad" version
has not yet put in an appearance.

~~~
freeone3000
One could argue that Apple and Microsoft are _not_ as bad, because Apple and
Microsoft sell products, not advertisements.

~~~
Applejinx
Apple wants to be a walled garden. Can't be a walled garden without walls:
their self-interest and marketing direction lies elsewhere. Also, in the case
of the iPhone, hardware is the product, and in the case of the app store, the
devs and apps are the product (some of the time, anyway).

------
lumberjack
Stallman is right once again. The response that we used to get is, "but
Facebook/Google would never give away their data, they will just use it for
targeted advertisement, the data is too valuable to just sell it wholesale to
other entities".

------
ams6110
> Asked what kind of control Facebook had over the data given to outside
> developers, he replied: “Zero. Absolutely none. Once the data left Facebook
> servers there was not any control, and there was no insight into what was
> going on.”

Um, well yeah. This is the case any time you give data to a third party. They
now have a copy, and you can't control what they do with it.

~~~
d_theorist
Exactly. What kind of controls could there possibly be?

Even doing an audit wouldn't necessarily reveal anything. If somebody has data
that they want to hide I'm not sure how much can really be done to force them
to reveal it.

~~~
checkyoursudo
The controls are agreements that make getting caught doing the unauthorized
act painful enough that it might be enough to deter the act in the first
place.

If the price is high enough, bad actors will be willing to breach
NDAs/CDAs/licensing agreements/etc, but at least then you can be seen as
having done _more than zero_.

Might have been prudent here.

------
belorn
It would be interesting to see someone analyze if the relationship between
government and Facebook got more news coverage this time than it did when
Snowden reported the exact same thing in 2013 or when other people reported it
back in 2012. In particular it would be interesting to see which news sites
write articles about it and if possible how negative they are.

For example we have a CNN article in 2013:
[https://www.cnn.com/2013/09/30/us/nsa-social-networks/](https://www.cnn.com/2013/09/30/us/nsa-social-networks/)

vs now in 2018:
[http://money.cnn.com/2018/03/19/technology/facebook-data-scandal-explainer/index.html?iid=EL](http://money.cnn.com/2018/03/19/technology/facebook-data-scandal-explainer/index.html?iid=EL)

Maybe that would explain why we see so many that got surprised by this while
others have seen it for a long time and just got used to everyone not caring.

------
CptMauli
tell me again why you think the EU General Data Protection Regulation (GDPR)
is a bad idea?

~~~
IAmEveryone
I was actually surprised by the generally positive reaction the GDPR got in
recent threads here on HN. I guess the suspicion of data hoarding overcame
conspiracy theories about government regulation or EU protectionism.

BUT it’s important to note that GDPR would probably not have had an effect on
the specific situation with Cambridge Analytica. CA is obviously toast if not
by law then by the attention alone. Facebook, however, is likely allowed to
share data under GDPR as they did with CA: they got the users’ permission
initially, and there isn’t much you can do to protect yourself against
malicious actors.

~~~
lumberjack
>they got the users’ permission initially, and there isn’t much you can do to
protect yourself against malicious actors.

The EU is clearly moving against that blatant circumvention. I don't know
exactly what they are going to do, but the whole, "just sign all your rights
to privacy away with one click" is something they want to change.

I think the most likely situation will be one where each specific instance
of use of your data would need explicit approval. Moreover the prompt cannot
be disingenuous legalese. It needs to be clear and concise. I fear it might
just become another Cookie's Law. But it might still be useful. For example,
imagine if you get something like:

"Facebook discovered that you have Chronic Illness 1. Facebook requests
permission to share this information with Insurance Company in your State. Do
you approve?"

I think people would suddenly care about that.

~~~
Applejinx
I think the insurance company would care a whole lot!

Facebook's big data is getting to where they can predict things like
pregnancies, illnesses based on parsing minor changes in behavior and
correlating it against the big data set. This is of course super interesting,
but it also gives you results like 'suddenly this guy is 42% more likely to
die in the next 6 months and doesn't know it'. There are no certainties, but
to an actuarial entity like an insurance company?

That's more than worth getting your lobbyists to repeal any shred of
requirement that you have to keep faith with such a person. Insurance combined
with big data and stripped regulations makes such an industry purely a
financial play: handled properly they can, for a time, collect money and never
pay any of it out, until it becomes obvious that's what they're doing.

Those are the entities most interested in having Facebook tell them you're
probably getting sick. And why would Facebook ever tell you? That's their
inference. You never said a thing about it, and indeed they could be wrong.
But don't bet on it.

------
mstade
From the article:

> He said one Facebook executive advised him against looking too deeply at how
> the data was being used, warning him: “Do you really want to see what you’ll
> find?” Parakilas said he interpreted the comment to mean that “Facebook was
> in a stronger legal position if it didn’t know about the abuse that was
> happening”.

If this is true – would this constitute willful blindness, and is that not
illegal?

------
smpetrey
Well of course this was routine. Facebook prides itself on its data
collection and ad targeting. I'm not discounting The Guardian's reporting, but
I thought this was known.

I mean you can download your data here and see what endpoints/interests you
can be targeted on:
[https://www.facebook.com/help/302796099745838](https://www.facebook.com/help/302796099745838)

Sadly, the world will continue to use Facebook and users will continue to be
exploited.

~~~
robterrell
That URL doesn't tell me what I really want to know -- what parties used the
graph API to download data from me.

------
zitterbewegung
So the greatest achievement of big data and ML right now is the manipulation
of elections a true shock and awe.

And yes, everyone on HN and RMS will say “why is everyone surprised ?” Well
it’s because normal people don’t have that perspective and think Facebook is
the internet for them.

Data is the new oil but now everyone knows this except just us on HN.

------
d_theorist
One thing I can't quite find a straight answer to: is there any suggestion
that either FB or CA broke the law here?

Note that I'm not saying that any of this is ok just because there was no
illegality.

~~~
IshKebab
Unlikely, I've managed to work out what was happening (the news never really
explains it - just a "data breach"). In the past if you gave it permission, a
Facebook app could access information about your friends, e.g. their photos,
name, gender, etc. I'm not sure exactly how much data.

Some sketchy apps harvested this data (which was against Facebook's terms and
conditions _for those apps_). So the _apps_ may have broken the law. I guess
there is the question "should Facebook have protected the data better" but I
doubt they broke the law exactly.

Anyway the stupid thing about this is that it was obvious that's what all
these sketchy apps were doing at the time. Facebook app developers knew they
could get this data, and the only thing stopping its exploitation was
Facebook's app T&C's - i.e. "please don't do bad things".

There was even a setting to prevent third party apps accessing your data when
given permission by friends. That's how obvious this issue was. (I doubt
anyone used this option).

[https://nakedsecurity.sophos.com/2013/04/03/how-to-stop-your-friends-facebook-apps-from-accessing-your-private-information/](https://nakedsecurity.sophos.com/2013/04/03/how-to-stop-your-friends-facebook-apps-from-accessing-your-private-information/)

Facebook removed the friends API in 2014 so this is all about historical data
"breaches".

------
intended
Does anyone else have the wild speculation that Rupert Murdoch is opening a
bottle of champagne today?

The interest in FB and privacy, while gratifying, also seems focused through a
particularly yellow lens.

People on HN have also pointed out that it’s very likely that CA’s analytical
prowess may well be overstated as part of submarine marketing efforts.

I suppose many people are just surprised that this is taking off now, without
any truly new or novel fuel driving it - when the same articles and worse, had
no effect earlier.

~~~
cryptoz
There is new fuel. Did you miss the video of the CEO of Cambridge Analytica
bragging about how his company stole 200 elections around the world by lying
and cheating and deceiving the public? With illegal methods abound?

Lots of new fuel.

~~~
aylmao
But specifically the way Facebook is being dragged to the center of the fire,
even though there isn't really any new fuel on Facebook's side.

There's good reason for the media to be tense against Facebook right now,
since Facebook has changed the news feed algorithm:

"traffic in the news category, which includes major news publishers The New
York Times, Washington Post, CNN and BuzzFeed, was down 14 percent after a
sharper drop in the months prior"

I do think Facebook should audit its 3rd party developers more closely and
that this leak of data is terrible. Yet, imagine CA instead had built an app
for a personality quiz and asked for a ton of permissions from your phone to
track your location, harvest your contacts, etc. What else could Google/Apple
have done?

[1]: [https://digiday.com/media/promised-facebook-traffic-news-publishers-declines-post-news-free-change/](https://digiday.com/media/promised-facebook-traffic-news-publishers-declines-post-news-free-change/)

------
ahmetkun
>Parakilas, 38, who now works as a product manager for Uber

a company known for their respect of privacy and exemplary business ethics.
good that he left facebook.

------
Khaine
I'm glad that a light is finally being shined on the sliminess of facebook's
business model and that the public are starting to understand what an ugly
company facebook is.

I am dismayed at the state of journalism that it took until there was a trump
connection until they seriously reported on this

------
petilon
From the story:

> _They seemed to be entirely focused on limiting their liability and
> exposure rather than helping the country address a national security
> issue._

This is a national security issue. That seems like the most pertinent issue,
and yet there is no mention of it in the discussions here. Facebook has
amassed huge amounts of data about all citizens, and adversary nations are
leveraging this data to manipulate the nation, including by helping elect a
president who will be friendlier towards them.

Facebook is Russia's biggest cyberweapon. Just as private companies would not
be allowed to stockpile WMDs, private companies should not be allowed to
stockpile so much digital information either. This is a national security
issue.

------
api
Are we really that ahead of the curve here? Did the general public not realize
that a free service that collects tons of information from you might be _gasp_
using that information to make money?

I know some people who work in SEO and marketing and the stuff CA was doing
was a more sophisticated version of what every free Facebook game or 'survey'
vendor is doing. This is literally the business model of the free/popular
Internet. Of course it's going to be used for political campaigns-- why not?
It's used for every other kind of marketing.

I'm not saying it's good. I think it's terrible. It's a plague. I'm just
shocked that people are shocked by what's been happening in the open now for
years.

------
peterwwillis
This has literally been de rigueur at any company that does advertising for a
decade. Even _sports websites_ have been doing this since forever.

Excuse me if I'm not really horrified by political groups using personal data
to craft strategies.

------
avoutthere
How long before it comes out that Google does the same thing with search
history, Amazon with product browsing, Apple with phone usage, and Microsoft
with Windows 10 usage?

~~~
amrx101
They are already doing it mate.

~~~
kimdcmason
Citation needed.

------
mroll
> ...terms and conditions people did not read or understand.

The article acts like this is unprecedented. No one reads terms and
conditions. It's not as if people fork over intimate details of their personal
lives to Facebook with the defense that "oh the terms and conditions say they
can't use this in a way I don't like"

People fork over intimate details of their personal life to companies like fb
because they haven't thought about it very hard

------
4684499
I'm OK with data harvesting, but, it has to be transparent and ask for
permissions every time they want to use my data, allow me to delete the data I
generated. It should always be opt-in.

I use google maps a lot. I search a place, it provides me lots of useful
information. Yes, I find it helpful, but also terrifying, especially with the
"Popular times" section, which is "based on visits to this place."

Where are the eyes? :/

------
whiddershins
I still don’t understand the breach part. It just seems like Facebook app
developers used Facebook exactly as it was set up, and then resold the data.

~~~
xtracto
It is more of misuse than a breach. The data was provided to a guy for
academic research, but the guy sold it to a third party. That is where the
'breach' happened.

------
mollusc
What kind of data are we talking about here?

I'm sure there are all kinds of metrics and analytics available but I'm
interested:

    
    
What are the "rawest" forms of user interaction that Facebook makes available to these companies?
    

I'm not in the business of using this data and neither I suspect are most of
the Guardian readership so it would be nice to see this elucidated.

------
arkona3
> utterly horrifying

This has been common knowledge for years. Is the general population not aware
of Facebook’s business model?

------
jypepin
I've been thinking more and more recently of deleting my facebook profile.

1. I barely add stuff on it
2. 99% of my news feed is irrelevant and I really don't care (there maybe 1
   post/day from a friend that is interesting to me)
3. Starting to be more and more concerned about all this data

But I'm scared for multiple reasons:

1. connections needed from a lot of friends, family etc. that I would not
   keep contact with otherwise
2. It does a great job at keeping my contact list updated (no later than
   yesterday I searched for friends/coworker to make sure I don't forget
   anyone on my farewell email)
3. Messenger. I use it a lot (almost as much as iMessage) and again, a lot of
   people I talk to on facebook I don't have their info for
   telegram/whatsapp/etc.

~~~
swyx
you dont have to delete it, you can just not be an MAU

~~~
orthecreedence
Yeah exactly. My Facebook is pretty much read-only at this point, except for a
few "likes" to show support for friends or if I get invited to a personal
event or something.

------
ismail
Wow. “react only when the press or regulators make something an issue, and
avoid any changes that would hurt the business of collecting and selling
data.”

From:

[https://mobile.nytimes.com/2017/11/19/opinion/facebook-regulation-incentive.html?referer=https://www.theguardian.com/news/2018/mar/20/facebook-data-cambridge-analytica-sandy-parakilas](https://mobile.nytimes.com/2017/11/19/opinion/facebook-regulation-incentive.html?referer=https://www.theguardian.com/news/2018/mar/20/facebook-data-cambridge-analytica-sandy-parakilas)

The scary part is the cat is already out of the bag if you authorised any app.
They could have a wealth of your data that is being sold.

~~~
Applejinx
You are assuming these same people, with everything to gain through just this
behavior, have been utterly and scrupulously well-behaved this entire time all
while nobody really questioned them.

'If you authorized any app'? I'm sure there are workarounds for that. If you
touch them or pages where their invisible Facebook gif is present, they've
probably got all your data that's gettable.

------
Invictus0
Ethics can't be a side hustle.

[https://deardesignstudent.com/ethics-cant-be-a-side-hustle-b9e78c090aee](https://deardesignstudent.com/ethics-cant-be-a-side-hustle-b9e78c090aee)

------
bogomipz
>"Academic research from 2010, based on an analysis of 1,800 Facebooks apps,
concluded that around 11% of third-party developers requested data belonging
to friends of users.

If those figures were extrapolated, tens of thousands of apps, if not more,
were likely to have systematically culled “private and personally
identifiable” data belonging to hundreds of millions of users, Parakilas
said."

So it's quite possible that there are more than a few third-party holders of
FB user data who have now been alerted to the potential profitability of their
old "research data."

------
xixi77
Do we actually know what data has been leaked/illegitimately retained/whatever
you call it?

A lot of the discussion revolves around friends data -- was all friends data
accessible regardless of the friends' own privacy setting (this would be
deeply troubling), or was it the data that friends shared with the app users
(a bit less troubling, but still very questionable), or was it friends' data
that was openly available on their public profiles open to any internet user?

------
dwighttk
A Tangent:

What is the deal with those videos in news stories these days that are just
moving* pull quotes with music and maybe some pictures? It's like a really
short article in video form.

*I mean literally, not emotionally

------
skc
I still think FB is a useful tool, but it puts things into perspective when
people try and argue that Microsoft of the 90's is/was evil.

------
kelvin0
Of course, nothing is going to change since everyone has known this for years,
and still use FB.

In the upcoming weeks users will be more 'careful' but since they have
'nothing to hide' it's 'Okay' to use FB in a 'responsible' way.

'Everyone' is shocked but no one feels threatened individually, so the circus
and clown show can continue.

------
squozzer
I have a feeling this is less about what was done and more about who was doing
it.

[https://www.investors.com/politics/editorials/facebook-data-...](https://www.investors.com/politics/editorials/facebook-data-scandal-trump-election-obama-2012/)

------
yread
I'm starting to feel like all this is just a PR campaign for GDPR cause I'm
sure looking forward to it

------
KevanM
Remember folks, if you've got nothing to hide, you don't have anything to
worry about.

------
discordance
So the Cambridge Analytica stuff had been public for a while, as has
Facebook's responsibility in the matter.

The cynic in me wonders if this is all lighting up intentionally before
GDPR is enacted to reduce potential financial liability. Too conspiratorial?

------
panchicore3
Sorry for this stupid question: how does Facebook prevent kamikaze
developers/sysadmins from dumping data and running away? Is there some
framework to manage data loss prevention in this way?

------
thrownaway954
the platform was designed to entice and integrate into every aspect of
people's lives and then ENCOURAGED you to get your friends to participate by
inviting them to the platform. it was a data harvesting, advertising mongrel
from the start and everyone KNEW it, but no one cared.

like all things in life... people cry foul when things come back to bite them
in the ass.

like i said yesterday in a comment... delete ALL forms of social media cause
this goes on with ALL platforms out there, it isn't just limited to FB.

~~~
CaptSpify
Would you not consider HN Social Media? I personally don't think it's the same
as FB, but there are some strong similarities. Maybe "Social News" is a better
term?

Where do you draw the line for Social Media?

~~~
thrownaway954
no... it's a glorified comment chain. no different than posting a comment on
an open wordpress blog where everyone can submit a post.

------
sol_remmy
Ongoing discussion at:
[https://news.ycombinator.com/item?id=16626318](https://news.ycombinator.com/item?id=16626318)

------
pcarolan
Are there any liability laws that hold those in the chain of custody
accountable for third party misuse? Seems like it is an obvious burden of
responsibility.

------
username223
This article sums it up for me. FB makes the short-sighted decision to allow
apps to scrape friend-of-friend info, because it would encourage more app
developers, from which they get a 30% cut. When this guy asks a question about
scraping, his boss replies "better not to know." The company continues not to
give a shit about distributing PII until they realize that someone might use
that data to create a rival social network. Then they shut it down and treat
the fallout as a PR exercise.

Utter scum.

------
CodeSheikh
I see a lot of Facebook sympathizers here. Is this what devs do at Facebook?
Browse HN and defend the reputation of Facebook at any cost? Yes we all knew
what we were in for when we signed up for Facebook and Instagram. Yes, they
can sell our data to show us ads about what coals to buy for July 4th bbq
party and we are OK with that. But not to turn a blind eye to foreign entities
which in return use it against us and jeopardize the American democracy and
social fabric.

~~~
verylittlemeat
I don't work for facebook. I don't have a facebook. I don't like facebook.

What I do like is honesty.

[https://en.wikipedia.org/wiki/Data_breach](https://en.wikipedia.org/wiki/Data_breach)

Look at this very robust list of data breaches and tell me how the CA/Facebook
incident this week looks anything like any of them.

~~~
lightbyte
2006 - AOL search data scandal [1]

>The release was intentional and intended for research purposes;

Sounds pretty damn close to this event with Facebook

[1]:
[https://en.wikipedia.org/wiki/AOL_search_data_leak](https://en.wikipedia.org/wiki/AOL_search_data_leak)

~~~
verylittlemeat
An analogous example would be if the CA/FB breach had access to private
facebook messages or information that was never intended for public
consumption.

In the CA/FB case the information was either public (and could be scraped as
such) or was collected in the form of facebook apps.

~~~
ahakki
This is not true. The old Facebook API gave access to all data the user had
access to. This included information (posts, photos…) by “friends” which was
not public.

------
malikNF
What's utterly horrifying about this whole thing is how the media is acting as
if this is some sort of surprise. Like what did you think was happening at a
company collecting data about billions of people? Especially at a company that
has a CEO who is famous for calling its own users dumb fu**s? A company
that experimented on at-risk teens. Like come on.

--edit---

Oh lordy, didn't expect this comment to blow up this much. Do forgive me if it
sounded a bit smug, that was not my intention. But the fact of the matter is
this was something we were all warned about, we were shown countless examples
of exactly this, not just us nerds, everyone, people like Edward Snowden
risked their lives telling us about how all this data was being used against
all of us. And yet everyone kept giving more and more, you were looked at like
a tin foil wearing nutter when you told people not to give away so much
information about themselves so easily.

At the end of the day, this is not really 100% facebook's fault, this is our
fault, the fault of everyone who so readily made their information available
without giving much thought to who sees it and what happens to it. And no just
because you are not a techie you are not off the hook for not caring enough
about your own privacy. I mean what level of technical knowledge is needed to
know that once you post something online others can see it?

Funny thing is, this would all blow over after a few months, and everyone will
go back to the usual habits.

~~~
flexie
"Parakilas, 38, who now works as a product manager for Uber, ..."

So from one reckless company that doesn't give a damn about the law to the
next. Who teaches developers that it's okay to work for anyone as long as the
tech is cool and the salary is great?

~~~
zbentley
> Who teaches developers that it's okay to work for anyone as long as the tech
> is cool and the salary is great?

Who teaches them otherwise?

Absent parental/primary-school-instilled ethics, rather a lot of engineers
operate in a bubble of like-minded (and similarly-employed) people, making
large amounts of money, and are often insulated (voluntarily, deliberately, or
accidentally) from the impact of their work.

What could be changed to improve on that situation? I've heard simplistic
suggestions to "sue the C-class until they learn/abandon the incredibly
lucrative profit motive", "fire/imprison engineers whose changes harm people",
and "make the bridge-builder stand under the bridge they built" (whatever that
means in a software context). Those seem utopian. What tangible, plausible
changes can be made to improve on developer accountability (for their work)
and discernment (about prospective employers)?

~~~
JabavuAdams
Make your new hires watch the multiple camera feeds and lidar of that woman
being run over again and again until they really really understand that
they're working on life-critical systems.

~~~
zbentley
That might help if you're making something that, if broken/misused, can
directly physically harm people.

What about if you're making a social media app, and the ethics are less clear-
cut? It's not like you can show every new hire footage of Trump and drive home
the negative impact of data mining/sharing--the causal link is tenuous, the
viewer might sympathize politically, or they just might not care about
politics.

Ethics in the abstract is very hard to teach; object lessons are easy.

~~~
hinkley
Even nerds understand that one painful social experience can have lasting
negative effects.

It’s blinders. Plain and simple. I’ve worked with too many developers who will
pander for money. A few that tried to shame me for not being on board (my life
skills tell me calling someone a whore in a team meeting is a bad career move
but it doesn’t stop me from staring at them and thinking it). When enough
money is on the line principles get set aside. We like to think our cohort are
above this sort of thing but the evidence clearly doesn’t support it.

------
paulie_a
Isn't that their business model?

------
mithoon
This was 6 years ago, and we wonder they would be nowhere 6 years down the
line?

------
ggm
Regulator asleep at the wheel.

------
Mc_Big_G
Delete your Facebook/Instagram/Whatsapp accounts.

~~~
SaturateDK
I say wipe them. I have been deleting data for the last couple of days, I
don't need old comments and likes - even pictures as I have them myself.

This way I can slowly phase it out, this has been my plan all along, but I
need some time to make all logins work without facebook etc.

My intent is to delete it eventually. Until then no new content, and wiping
the old content.

------
antr
"Move fast and break things." Sigh...

------
deevolution
I'm honestly not surprised by this news at all.

------
YCode
I take this to mean anything private or sensitive said on Facebook Messenger
should be considered breached?

~~~
CaptSpify
Those were never _actually_ private in the first place.

------
nkkollaw
Can someone do an ELI5? I have no idea what's going on...

EDIT: I guess not.

------
KasianFranks
We knew facebook was going to be the next friendster+AOL+myspace but I
never suspected it would disintegrate to these levels. Expect employees to
start jumping ship left and right.

~~~
drpgq
I suppose stock option values will plummet, but I guess most get stock grants
now.

------
matte_black
What’s the worst that could really happen from any of this?

You’re shown a highly targeted ad that you don’t even look at anyway? Give me
a break.

Manipulating elections? Elections already have tons of opportunities for
manipulation across all mediums.

