
Facebook Data Collected by Quiz App Included Private Messages - sethbannon
https://mobile.nytimes.com/2018/04/10/technology/facebook-cambridge-analytica-private-messages.html
======
downandout
Why is it surprising or even remotely controversial that an app that people
explicitly authorized to access their messages (informed consent) then
proceeded to access their messages? The app didn't have access to friends'
messages, so I don't see what the issue is here, other than yet another
clickbait headline.

~~~
monochromatic
Why is it even possible for an app to request your Facebook messages though?

~~~
paxys
There are a lot of valid uses. Why would it be better for your data to be
locked up and unexportable?

~~~
JetSpiegel
False equivalence. Exportable doesn't mean accessible to the world.

~~~
dsacco
The commenter didn’t make that “false equivalence.” Their point is that there
are valid reasons a user might want to allow an application to access their
messages.

For example, reddit’s API allows applications to access messages, which is
useful for third party clients.

------
ProAm
What's scary is that Cambridge Analytica is probably only one of hundreds,
maybe thousands, of companies that had access to this type of data from
Facebook. This is just the one we know about.

~~~
gtremper
Cambridge Analytica didn't pay to access this data. They got users to give it
to them for free through Facebook's developer platform.

~~~
ProAm
Thanks for the correction, I thought CA paid for access to the data the test
collected.

~~~
gtremper
My understanding is the "quiz app" was more of a phishing scheme to get users
to share their Facebook data with Cambridge Analytica (including data that the
user had access to about their friends).

~~~
mwarkentin
I believe they also paid users a small fee to install the quiz app via
Mechanical Turk.

------
734786710934
The headline is misleading. The article isn't about Cambridge Analytica:

"Because of an editing error, an earlier version of a headline with this
article misidentified the entity that improperly harvested the personal
information of up to 87 million Facebook users. The information was collected
through a quiz app developed by the researcher Aleksandr Kogan, not by the
consulting firm Cambridge Analytica."

"It is not clear whether the direct messages were among the data eventually
provided to Cambridge Analytica. In an interview on Tuesday, Mr. Kogan told
The Times that the private messages were harvested from a limited number of
people, likely “a couple thousand,” as part of a separate academic research
project and never provided to Cambridge Analytica."

~~~
eterm
It's all part of the CA story:

"Aleksandr Kogan, a Moldovan-born researcher from Cambridge University, admits
harvesting the personal details of 30 million Facebook users via a personality
app he developed.

He then passed the data to Cambridge Analytica who assured him this was legal,
he said."

From [https://www.theguardian.com/uk-news/2018/mar/21/facebook-row...](https://www.theguardian.com/uk-news/2018/mar/21/facebook-row-i-am-being-used-as-scapegoat-says-academic-aleksandr-kogan-cambridge-analytica)

------
simonswords82
Cynical me feels that it's a hell of a coincidence Facebook is acknowledging
this data leak just over a month before the GDPR legislation (and fines) drops
on 25th May.

~~~
pxeboot
This wasn't a leak, it was a feature that existed on Facebook for several
years before being removed.

------
gressquel
yet Zuckerberg is testifying as I write, denying, dodging the responsibility
and questions. I can't believe it, instead of laying down and confessing, he
is trying to justify and blame everyone but Facebook.

~~~
nsx147
He accepted blame for quite a bit, and apologized (as he usually does).

The part I don't understand about all of this is that, yes somewhere along the
line someone made the decision that giving developers access to that data was
ok...but they REMOVED access to it as soon as they realized what sharing that
data meant. That's how startups are trained to behave, shoot first ask
questions later.

They made a mistake and corrected on their own, what more is there to ask? I
guess it's more of an issue because of the nature of their business?

~~~
drewmol
>what more is there to ask?

(1) Make an earnest attempt to use ML, algorithms to identify _their_ customers
who are using those _leaked_ datasets Facebook _negligently_ exposed and help
devalue the data, instead of eagerly selling them targeted advertising
services? I don't know if they did this, but it sure seems doubtful.

(2) Quickly and openly disclose the extent of the _leaked_ data.

(3) Stop using manipulative and deliberately opaque TOS to enable ever more
data collection.

I'm not being sarcastic or insincere, this is my honest opinion of what they
_could_ have done. I am continually surprised at how many people making $$$ in
ad-tech/PII data mining and brokering seem naive to the fact that this type of
behavior would inevitably result in exponential growth of user outrage.

~~~
hunt
> (1) Make an earnest attempt to use ML, algorithms to identify their customers
> who are using those leaked datasets Facebook negligently exposed and help
> devalue the data, instead of eagerly selling them targeted advertising
> services? I don't know if they did this, but it sure seems doubtful.

How could they do that? The cat is out of the bag and FB aren't going to have
any knowledge about where that data is now. Have there been reports of it
getting out from CA?

> (2) Quickly and openly disclose the extent of the leaked data

I think some caution is a good idea, they don't want to get the numbers wrong
- although they are making steps in the right direction with the message to 87
million on their news feeds.

~~~
drewmol
True, it's not easy to do, and maybe it's not feasible to determine who is
using the data. I don't know, maybe someone from Facebook will chime in on the
issue, or leak some more info about company behavior.

>I think some caution is a good idea, they don't want to get the numbers wrong
- although they are making steps in the right direction with the message to 87
million on their news feeds.

Totally agree with the second part, but ~4 years (only divulging the info when
forced to during PR damage control mode) is well past being cautious. It's
being cautious with the amount of damage the disclosure does to your profits,
Equifax doesn't even wait that long.

------
paulie_a
Facebook has already updated the numbers from 47 million to 80 something
million. This is going to go bigger than Yahoo scale: "all accounts and
all data" pretty quickly.

~~~
734786710934
The data accessed here was from a smaller unrelated research study. The only
thing it has in common with the larger CA leak is that it was done by the same
researcher.

~~~
paulie_a
That's a pretty significant aspect. I'm sure he stole plenty more data in
other unrelated studies.

~~~
cjhopman
This data wasn't stolen.

~~~
paulie_a
Just borrowed and used inappropriately. Not "stolen".

------
oh-kumudo
Private messages? There is ZERO excuse for such a leak. It is either utter
incompetence or intentionally malicious. Facebook needs to be held
accountable, period.

~~~
thirdsun
By leak you mean people giving consent when presented with the list of
permissions the app / quiz requested?

I think the outrageous part is that app developers could get data of their
users' friends - those are the people that never used the app or agreed to its
permissions.

------
vowelless
It's amazing that FB is up 4.5 percent.

~~~
nhebb
He's not under oath, [from what I've read] the majority of the committee
members have received campaign donations from FB, and some committee members
own FB stock. In other words, the market knows that this is a charade.

~~~
joering2
Watching pretty much every hearing for the last 8 years, it was shocking to me
how nice, friendly and understanding they were. Other than Cruz, they all
turned from daily wolves to sheep.

Either it is campaign contributions or perhaps, without understanding
technology, most are afraid of what Mark can learn about them by running
queries on their personal messengers.

Never ever seen them so nice, including questions if he wants a break now, to
which the crowd laughed; they treated him like he is 8 years old. Incredible!
No wonder he shook his head smiling for more questions!

------
alexeckermann
Around 2011+ we saw not only quiz apps but also offerings such as "See who
views your profile" that would result in an OAuth authorisation. How long were
those authorisations active before being revoked? How much data was
exfiltrated, then and since, and to whom?

If it wasn't for recent changes to authorisations being suspended after a
period of time these tokens could be seemingly worth something to the right
person.

The root problem being, average users don't know what they're giving access to
or why it's important to be critical of such access.

------
malvosenior
How was this possible? I don't recall ever having access to private messages
in the FB API. Was this ever available to developers?

~~~
dranov
Apparently, v1.0 of the Facebook Graph API could access users' private
messages via the 'read_mailbox' API request [1]. This was deprecated when v2.0
launched.

"_Version 1.0 of the Graph API launched on April 21, 2010. It was deprecated
in April 2014 and closed completely to legacy apps (ie, existing apps that
used the API before April 2014) on April 30, 2015._"

[1] [https://medium.com/tow-center/the-graph-api-key-points-in-th...](https://medium.com/tow-center/the-graph-api-key-points-in-the-facebook-and-cambridge-analytica-debacle-b69fe692d747)

~~~
b212
But why? Why would anyone set up an API access to PRIVATE messages. That's
crazy :o

~~~
spike021
On one hand it's actually a fairly reasonable API. Imagine using third-party
AIM clients a decade or more ago. Same kind of thing.

~~~
ex3ndr
They never provided the ability to send messages. This is a useless thing for
AIM clients.

~~~
simcop2387
You used to be able to connect to facebook messenger via XMPP. Combined with
this permission, it would have let you retrieve historical messages and add
persistence among alternative clients.

[https://news.ycombinator.com/item?id=9266769](https://news.ycombinator.com/item?id=9266769)

------
JumpCrisscross
“Private messages” as in those sent via Facebook Messenger, right? Not Secret
Conversations, Facebook’s allegedly e2e messaging product [1]?

[1] [https://www.facebook.com/help/messenger-app/1084673321594605...](https://www.facebook.com/help/messenger-app/1084673321594605/)

~~~
airza
I don't think Facebook's e2e messenger existed at the time this took place.

------
lwansbrough
Title should be: "Whoops, looks like you gave that one quiz app all your
private messages too, you idiot!"

------
ivanhoe
Unfortunately for startups, I think that the only solution is to make it too
expensive and complicated for the businesses to collect any unnecessary data.
Like dealing with credit cards, no devs in their right mind would want to
process CCs by themselves because it's such a huge risk and pain in the ass to
be fully PCI compliant. We all outsource that part of the work to 3rd party
processors because of the regulations. Why not do the same for the personal
data, make it a very high risk for the business to process it directly and the
majority will avoid dealing with anything that is not absolutely needed by
their business model.

------
diasp
The alternative is open source and decentralised:
[https://diasporafoundation.org](https://diasporafoundation.org)

------
beau
Do they mean "wall posts" or "messages"? Did Facebook ever produce an API that
let any developer see private Messenger messages?

------
blattimwind
When it comes to "social media" I'm not easily stumped, but I had to do a
double take at that headline.

------
throw2016
A neutral discussion on surveillance and adtech cannot happen here because of
the makeup of the audience.

It's undeniable too many people from the SV tech community are deeply vested
in the business either as workers of Google, Facebook or part of the large
multi billion dollar ad ecosystem.

The fact is tech people made pompous claims about liberty and freedom and then
sold out the moment they had personal gain. This is not their fault, the
history of ethical posturing consistently plays out this way and capitalism
incentives leaves little room for ethics making regulation the only workable
option.

The default reaction is thus to minimize accountability, blame others,
apologism, hand waving or deny the issue altogether. Every discussion gets
mired in the same basic first principles of freedom and privacy.

If you can't behave ethically you have no basis to expect ethical behavior
from others, or for an ethical society. You make the bed, you lie in it.

------
bitrazor123
I am afraid the details and extent of the breach may never come out.

