
Facebook was warned about app permissions in 2011 - domevent
https://techcrunch.com/2018/03/24/facebook-was-warned-about-app-permissions-in-2011/
======
kareemm
I built apps on FB back in 2011-2012 and was gobsmacked at how much data we
got about the friends of our users. I also knew of several shady people
building apps. Because I saw how much data we got without consent, I realized
other shady people could get that data about _me_ via my friends.

Which is why I severely curtailed my FB use around that time.

~~~
whitepoplar
Any chance you can expand on this? What data, in particular, did you obtain
that would make people feel uneasy?

~~~
liveoneggs
I also worked on a quasi-popular facebook app in a similar time period and you
got a lot of data but the specifics would change from month to month so it was
sometimes more and sometimes less.

The worst, for me, was posting on behalf of other people and getting replies
to your app like "I'm so glad to hear from my favorite grandson after so
long!".

~~~
lawnchair_larry
Why would you post on behalf of other people?

~~~
goldenkey
Because it was allowed and it is an easy way to spread an app virally? "John
Doe via ViralApp: [This app is great! Get your own Virus today by clicking
here!]"?

------
barell
I was also working on Facebook apps from 2011 to 2013 using Facebook APIs.

At this time, whenever we released an app, users could log in to it using
OAuth, which means they were presented with a list of privileges our app needs
from them (e.g. friends list, photos, posts etc). Once the user has authorised the
app we could fetch all of this data.

This was how Facebook worked at this time; you can’t say it is a leak of data
because we explicitly ask the user for permission. You basically say, I want to
use your app, here is my profile if you need it. I don’t really understand why
people are so mad about their data privacy. If you publish your photos, list
of friends, what you like, where you live and work, who you are married to, then
it shouldn’t be a surprise this data can be viewed by not only your neighbour
but also dodgy automated scripts. Once the data is fetched then you can only
imagine what people can do with it. It’s not really Facebook’s fault. It’s
people who think that when they publish things on the Internet, it’s safe and can
be only viewed by other people.

Maybe Facebook’s only role should be to make people more aware of all of this,
but is it in their interest? I don’t think so.

~~~
mercer
> I don’t really understand why people are so mad about their data privacy. If
> you publish your photos, list of friends, what you like, where you live and
> work, who you are married to, then it shouldn’t be a surprise this data can be
> viewed by not only your neighbour but also dodgy automated scripts.

I don't understand why I keep reading comments like this. One of the main
issues is that your data could be leaked to an app developer even if just ONE
of your friends installed said app. So even if you diligently made sure only
your friends, or even particular friends, could see your stuff, it'd still be
accessible to the app developer.

That is absolutely not something even a privacy conscious person would've
expected, and absolutely enough to get mad about.

~~~
barell
As I said, I was developing Facebook apps back in 2011 and at this time, as far
as I remember, your friends list was publicly available to any logged-in user.
The API was only making it easier for apps to fetch the data about you. There
was an explicit permission about accessing the friends list and their data through
the API so yes, any of your friends at that time could just give away your
profile to a third party.

I stopped using Facebook back in 2011 (only used it to manage and test my
apps) as I was really concerned how easy it is to collect personal data.

But I guess for me, as a developer, it is easy to imagine how things work and
when to get suspicious online.

On the other hand, it makes me really happy that Facebook privacy issues like this
one with CA got much attention and finally more people, hopefully, will
understand how things work.

~~~
mercer
It's not a matter of understanding. It's a matter of, among other things, not
allowing a friend to give away _your_ data without your permission. I really
don't understand how you cannot see that this is not a matter of
'understanding how things work' and instead a matter we can and should be
pretty mad about...

~~~
kalkut
By being friends with someone on Facebook you already make your data available
to this friend. Your friend can show this data to anyone curious about you by
showing his screen or by talking about what he saw on your profile.

An app on Facebook is only an automated way to ask your friend to share data
he/she has access to. You cannot both share data with your friend and expect
him/her to not be able to share it with 3rd parties.

If you don't want your friends to be able to share your data you don't become
friends with them on a social network and/or you don't share data with them.

You don't tell your acquaintances things you don't trust them to keep
secret. And you can't expect them to keep secret things you share with every
acquaintance.

~~~
scoggs
What happens when it's your Mother or Father?

~~~
dapreja
I tell my relatives repeatedly to not take pictures of me if they're going to
share them on those platforms. This whole thing is a problem with people's
complacency with technology and especially the corporations taking advantage
of it.

~~~
domevent
You know what? I, and I’m pretty sure a majority of people, would rather just
regulate Facebook to death. You jump through hoops to maintain your privacy,
I’ll lobby for change to existing laws. Meanwhile you tell people how they’re
just not into computers enough, or not hard enough on friends and family.

Let’s see which prevails.

------
fareesh
I remember doing security work for a few companies at the time and discovered
some standard SQL injection vectors in databases with upwards of 50k access
tokens. It's unlikely, but entirely possible that someone could have stolen
access tokens from apps, and subsequently stolen user data from Facebook too.

At the time, signing into apps with Facebook meant you were not only giving
the app access to your account, but also anyone clever enough to steal the
token. In some cases, "clever" even meant anyone who had a basic understanding
of sqlmap or other pentesting tools. In theory shady "analytics" firms could
have hired a low level security researcher and had him use shodan and sqlmap
all day to expand their databases.

Today it's pretty rare for apps to ask for intrusive permissions, and people
tend to be a bit more wary of apps that do. Facebook has also made an effort
to alert users when the permissions requested are more intrusive than the
usual email address and profile picture - often requiring explicit agreement
to these permissions.

Nonetheless, if Facebook's "audit" turns up apps that did a lot of suspicious
queries, what stops them from saying "oh we were hacked someone took our
tokens from our DB, we are conducting a full investigation". Sure it's still
bad press, but it's probably better PR to look incompetent than creepy.

~~~
philipwhiuk
> Facebook has also made an effort to alert users when the permissions
> requested are more intrusive than the usual email address and profile
> picture - often requiring explicit agreement to these permissions.

Facebook were required to do this by the FTC in 2011.

------
dschuetz
I think that the whole point about this Cambridge Analytica and Facebook
scandal is _not_ that Facebook collects all sorts of data, but that Facebook
shares that data to third party services via "Login With Facebook" without any
previous consent of users. The privacy settings of your Facebook account lose
their purpose when Facebook creates an advertising profile (which may or may
not be very accurate) which all said third party services may use to fuel
their own advertising strategies. The contents of said ad profiles include
your interests which also may reflect your ethnic background, sexual
preferences, political views, et cetera. All of which CA (mis)used for
analytics. But, (I checked today) users are able to disconnect ad profile
sharing or delete some data. So, there is no scandal here, yet I didn't know
until today that such settings even existed. So, it is convenient for Facebook
to say that users usually have full control over their data.

That Facebook now feels betrayed by CA because such data (generally available
to service providers) has been used inappropriately shows either that they
were complicit by enabling CA to do so and _knew_ about it all along, or they
_didn't know_ what they were doing at all. I'm not sure which is worse. A
third party saying "trust me, I'll handle all the data responsibly" doesn't mean
anything, because there is no oversight whatsoever. Additional clauses in
contracts do not make Facebook a victim of contract breach. The product in
itself is flawed, because it handles the data irresponsibly.

------
downandout
_"[Facebook] systems were so laxly designed as to actively encourage vast
amounts of data to be sucked out, via API, without the check and balance of
those third parties having to gain individual level consent."_

That is a gross oversimplification of the issue. There were controls in place
to stop excessive data collection. In fact, the only app in this situation
that was allowed to "suck out" "vast amounts of data" was the Obama For
America app. According to Carol Davidsen, Obama's Former Campaign Director
_"We ingested the entire U.S. social graph"_ [1], despite the fact that less
than 1 million people actively authorized the app to access their data.
Approximately 99.5% of the hundreds of millions of people whose data Obama
took, with Facebook's blessings (actively allowing it to bypass its data
collection limits for apps), never knew about or authorized Obama to have or
use their data.

So only one app was "actively encouraged" to suck out vast amounts of data in
the history of the existence of the API. All the rest of them were subject to
relatively strict controls, requiring months or years to collect even a small
fraction of the data that the Obama app was allowed to collect. The API was
not a data free-for-all, except in one unique case with the explicit
authorization of Facebook.

[1] [https://www.washingtonpost.com/business/economy/facebooks-ru...](https://www.washingtonpost.com/business/economy/facebooks-rules-for-accessing-user-data-lured-more-than-just-cambridge-analytica/2018/03/19/31f6979c-658e-43d6-a71f-afdd8bf1308b_story.html)

~~~
zzzeek
From the article you link:

"But thousands of other developers, including the makers of games such as
FarmVille and the dating app Tinder, as well as political consultants from
President Barack Obama’s 2012 presidential campaign, also siphoned huge
amounts of data about users and their friends, developing deep understandings
of people’s relationships and preferences."

Last I checked, Farmville was not associated with OFA. So you need to back up
your assertion "All the rest of them were subject to relatively strict
controls, requiring months or years to collect even a small fraction of the
data that the Obama app was allowed to collect." and explain why this also
renders the entire dataset collected by CA to be completely harmless, in
contrast to the current narrative. Because it's not that interesting if a
relatively benign political organization got a little more data than another
which used it to impose the will of a foreign enemy upon the US electorate.

~~~
downandout
There’s a massive difference between Farmville et al and the OFA app. Facebook
had limits in place that constrained the ratio between the number of friend
profiles that were allowed to be accessed and the number of people that had
explicitly authorized the app. They were a black box on this issue, but for
example I had apps that were stopped from accessing deep profile information
of friends (likes, occupation, etc.) when I reached 10:1. OFA’s ratio was in
the _200:1_ neighborhood.

It was somewhat possible to overcome this by spreading the collection out over a
number of months or years, which is what I believe the Kogan app did. But even
in that case, with the data collection spread out over a long period of time,
they had nowhere near the data that the Obama campaign was allowed access to.
Finally, the CA data was years old, while the Obama data was allowed to stay
fresh right up to election day because they had no API limits.

So these apps with much larger install bases than Obama could have ever
dreamed of had access to _less_ data than OFA did because their ratio was not
allowed to be as ridiculously asymmetric as Obama’s was. They still had access
to large amounts of data, but only because of their massive _authorized_
install bases (which in all of the cases you mention were far larger than the
OFA install base). But none had the _entire_ US social graph - with the
exception of OFA.

~~~
MarkMc
Are you sure that Farmville didn't have a 200:1 ratio?

It certainly looks suspicious, but I don't think you can rule out the profit
motive. Perhaps in 2012 Facebook's position was, "If you pay us enough money
we'll remove the API limits"

~~~
downandout
Farmville had a massive install base. So they weren’t accessing that much data
relative to the number of people that had directly authorized their app. The
difference between it and the Obama app was the leverage that was allowed:
less than 1 million people gave them access to their data, and they were able
to use that to get deep profile data on nearly _every_ US Facebook user - ~200
million accounts. Their attempts to do this set off all kinds of alarms, but
Facebook went in and manually shut those alarms off and opened the floodgates
to the data. _Our_ data.

Considering that at least half of them - ~100 million people - would have
consciously objected to helping Obama do anything, much less get elected, that
should have been earth shatteringly scandalous and probably should have buried
Facebook right then and there. But instead, the press celebrated this
technique, right up until it helped create a result other than the one it
wanted.

~~~
MarkMc
There are two questions here:

(1) Was Facebook biased in favor of the Democratic party?

(2) Should the press have been more critical of the way personal data was used
for political purposes?

My answer to (1) is 'probably', but maybe Facebook would have been willing to
"manually shut those alarms off and open the floodgates to the data" for
anyone who gave them a million dollars?

------
thinkcomp
I'm just going to keep posting this.

I told Mark about this exact problem in _2005_.

[https://twitter.com/AaronGreenspan/status/975957889767505920](https://twitter.com/AaronGreenspan/status/975957889767505920)

And I warned him about FTC liability if he ignored it.

[https://twitter.com/AaronGreenspan/status/976331044084264960](https://twitter.com/AaronGreenspan/status/976331044084264960)

After that, we stopped talking.

~~~
emmelaich
Where are those screenshots from?

Why is Zuckerberg's nick 02? Who is 01?

~~~
bmarquez
AOL Instant Messenger (which was super popular at the time) had this format.
You could choose your own screen name, maybe he wanted 02 instead of 01 for
whatever reason.

~~~
truj
Presumably because he registered his nick in 2002 (which was a popular "naming
scheme" at the time). thinkcomp should tweet someone like @pinboard,
@nitashatiku, @karaswisher etc.

------
methodover
People didn't seem to care back then, though. If you asked a random FB user
about app permissions in 2011, I suspect that person wouldn't think it was a
big deal.

Social mores are changing, becoming better developed.

The Internet, social networking, OAuth -- these are not exactly well-trodden
subjects in humanity's past. It's not like we have decades or centuries of
precedence to look back on.

The important thing is what FB does now.

~~~
mtgx
Again with this "not caring" comment.

In at least 90% of the cases people _don't understand_ what the privacy
policies or permissions mean or what they could be used for. People tend to
trust others, in general. And many developers abuse that trust, especially
when they're allowed to do it _by design_ with the permissions they're given
by the platforms.

When an app asks me for "Access to media" I only give that access expecting
that maybe it needs that access for when I will open a media file with that
app or to download or create a media file inside the media folder.

I _do not_ expect the app to analyze my media for the type of content I have
in there, and I do not expect the app to upload those files to its servers, or
any other uses that developers may come up with for that particular
permission.

Yet, the permissions are set-up in such a way that they allow much more than
people expect them to allow.

Saying "well you shouldn't have given them access to media" or "you shouldn't
be using the Internet or a smartphone" is really a nonsense type of comment to
make. If it's a video player, of course I have to give it access to the media.
That's why I need a video player. But I didn't intend to give it access to
upload my media to its servers. That's what the _platform developer_ allowed
it to do, without me _knowing_ or _understanding_ that it can do that, not me
"not caring."

This is just an example, but it can apply to phone permissions, contact
permissions, and other types of permissions just as well.

~~~
methodover
Also, sorry for the double response, but I had one other thought.

I'm not sure that most people understand even now, after the CA story broke,
what the specific issue was with CA, FB, and app permissions. CBS news
characterized it just like any other data breach. Slate's Political gabfest
did the same. Most news articles near the tip of Reddit's front page were also
light on details. Channel Four's original report didn't even focus that
heavily on the FB/App problem. Friends in my FB news feed similarly sound
confused about what specifically happened. Everyone is outraged, but few seem
to understand, even now.

------
Roritharr
I remember building very innocent Facebook Apps for Marketing purposes back in
2011-14 and being very annoyed at the privacy changes as they made our "cute"
usecases basically impossible. At the time I always imagined Facebook would
monitor their API usage to prevent aggressive mining as this would surely be
against their own interests, but as it seems they didn't care.

If only someone would have used this hole to seed something like Diaspora to
help break the critical mass problem for those kinds of projects.

~~~
makomk
Funnily enough, I vaguely remember there being articles on HN claiming that
Facebook's lockdown of access to their social graph was an anti-competitive
practice that needed to be stopped when it originally happened, though I can't
seem to find them again so might be misremembering.

~~~
dannyw
There are comments in this thread suggesting that FB made the OpenGraph
changes to preserve their competitive advantage. If they lock down their APIs
even more, I wouldn’t be surprised to see more accusations of these.

------
coding123
_"We also asked why Facebook users should trust Zuckerberg’s claim, also made
in the CNN interview, that it’s now ‘open to being regulated’ — when its
historical playbook is packed with examples of the polar opposite behavior,"_

It's like when Trump said he could shoot someone on the street and still
win... It's when your supporters start to back off that you start giving in to
demands, not before.

------
tcm19
The real problem with app permissions is that developers are allowed to even
REQUEST permissions that are not necessary for the functioning of their app.
This is not just an issue with apps on facebook. It's also an issue with
Android apps (and, I presume, iOS apps).

The fact is that the majority of users can not be expected to look out for
themselves. People hit install and then hit accept to whatever permissions
request pops up. It is like agreeing to the TOS that no one reads.

I tried to download an alarm clock app on Android. It wanted access to
virtually everything. Why do you need so much information for a fucking alarm
clock? My analog alarm clock doesn't know my name but it still wakes me up
each morning.

Platforms (Facebook, Mobile OS's, Desktop OS's) need to reject apps that
request unnecessary permissions.

~~~
shady-lady
Exactly this.

Part of the reason is pre-emptive cost cutting by these companies to remove
human review from these apps.

Google also played a massive part in this with their strategy for growing the
Android app store. (as did Facebook)

Favouring quantity over quality puts users at risk.

------
criddell
I don't understand why Facebook ever shared friend data. It's one thing for a
user to opt in to sharing things like their _likes_. But as soon as you share
friend lists, you are sharing stuff about other people.

~~~
methodover
There are non-evil uses of that data, of course. A custom-built news feed for
example. That would actually be pretty nice...

~~~
rootlocus
There are non-evil uses for anything. That doesn't mean we don't need
security.

~~~
methodover
Never said that there wasn't. I was responding to someone who couldn't fathom
a legitimate use of the friend data.

------
wellboy
I have to say, I have never seen so much bad press about facebook in such a
short time frame.

Seems like this is picking up a lot of steam.

~~~
methodover
It's astounding. And much of the reporting is really, really terrible. Like
just not describing things with any degree of accuracy at all.

------
beagle3
There is literally nothing new about Facebook's invasive practices in all this
news (except that CA took their lunch money).

I have a feeling all this coverage is driven by quite a bit of schadenfreude
from the traditional media.

This coverage is well deserved, but I am sad that people are only taking
notice now.

~~~
roadbeats
Coverage is well deserved but only focused on one single case: Trump's
campaign.

Syrian Civil War began in social media first. The journalists criticising
Facebook nowadays used to run campaigns for how social media helps protesters
organize. What if Arab spring wasn't an organic movement? Isn't it weird that
some "experts" suddenly changed their mind about social media after Trump's
election?

Also, why does no one even talk about Google? It's a much bigger weapon for
manipulating facts if you consider millions of people trusting its results for
their questions. People ask Google if Brexit is good, people ask Google if
Trump is doing good. And we don't even know how Google picks the best results.
What if there are some SEO tricks shared with only a few companies?

------
drawkbox
Facebook always required the initial user to give permissions including access
to friends. But for many years once that was granted all public/friend shared
friend data was available that others shared with their friends by design.
They closed that off with OpenGraph v2 where they even changed friend
ids/invites to be unique to the app so that data was not able to be correlated
easily across apps. They did it for privacy but mainly because other groups
were pulling in the social graph and maybe it became a competitive threat.

People that weren't developers or in marketing probably had the expectation
Facebook was a private walled garden where they were only sharing with their
friends but once one friend gave those permissions, many bad apps started to
see how they could pull down the entire social graph. This has since changed
with OpenGraph v2 in 2013-14 but it was exploited by nefarious groups for a
time.

I think most of the permissions model was fine before the bad apps and shady
groups that are using your data for targeting purposes beyond games, apps and
ads. Once it started to be used for aims beyond harmless fun like games that
is where people got angry especially in targeted politics.
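
The app-scoped identifiers described above can be sketched as follows. This is an added example, not part of the original comment and not Facebook's actual scheme; the HMAC derivation, `PLATFORM_KEY`, the app names and the friend ids are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed platform-side secret for the demo; apps never see it.
PLATFORM_KEY = b"constructed-demo-key"

# Constructed data: one user's friends, as global platform ids.
FRIENDS = ["1001", "1002", "1003", "1004"]


def app_scoped_id(app_id: str, global_id: str) -> str:
    """Stable for one (app, user) pair, different for every other app."""
    # Length-prefix app_id so ("ab", "c") and ("a", "bc") cannot collide.
    msg = f"{len(app_id)}:{app_id}:{global_id}".encode()
    return hmac.new(PLATFORM_KEY, msg, hashlib.sha256).hexdigest()[:32]


def friends_as_seen_by(app_id: str, scoped: bool) -> list[str]:
    """Friend ids the platform hands to an app under the old or new model."""
    return [app_scoped_id(app_id, f) if scoped else f for f in FRIENDS]


def linkable(app_a: str, app_b: str, scoped: bool) -> int:
    """How many people two apps can match by joining on the id alone."""
    a = set(friends_as_seen_by(app_a, scoped))
    b = set(friends_as_seen_by(app_b, scoped))
    return len(a & b)


def resolve(app_id: str, scoped_id: str, candidates: list[str]):
    """Platform-side reverse lookup; only the key holder can do this."""
    for global_id in candidates:
        if hmac.compare_digest(app_scoped_id(app_id, global_id), scoped_id):
            return global_id
    return None


if __name__ == "__main__":
    print("global ids, linkable:", linkable("quiz_app", "game_app", scoped=False))
    print("scoped ids, linkable:", linkable("quiz_app", "game_app", scoped=True))
```

Scoping the id only removes the join key: any name, email or photo returned alongside it can still be used to match people across apps.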

------
mgkimsal
2011? I can't recall that far back with FB app perms, but I do remember
working on a few projects in ... 2013 IIRC? And one of the pieces of feedback
I got the most from people I'd asked to test was "why do you need all these
permissions?" They weren't all an overly tech-geek crowd, but many seemed to
question it.

"I can't _not_ ask for these permissions - even just for a basic login -
facebook _forces_ this information to be available to my systems. I'm not
using it for anything, and I don't _take_ much of the information I'm given,
but to connect via Facebook, they require me to have access to this
information". That became my standard-ish response, and it wasn't that
surprising why many people got miffed, especially if I was just doing basic
"login with facebook" stuff.

IIRC, FB has changed the minimum permissions a couple of times in the last
several years (or, at least it's seemed like it - maybe names or presentation
of the info has changed?)

------
dawhizkid
Any app developer will tell you that Android is much more invasive...you can
suck so much location/device data with no (or very standard) permissions.
Apple was bad too until a few years ago.

------
AHMagic
Delete and forget it existed. Ignore and move on. Give up the benefits and pay
the cost. Do you really want to live your days feeling dependent on this sort
of "service"? Do you really want to say, "but I need Facebook!".

In today's age, you need a phone number and e-mail. It's ok - they are
decentralized. Don't let a centralized platform of Facebook's evil nature
become necessary for you to live your life.

------
jsemrau
In the last couple of years the company I work for wanted to build social
scoring methodologies. In 2013, Facebook revised their privacy rules and we
were not allowed to collect the data we needed. However, there are paid
partner programs with different rules. Same as LinkedIn, afaik.

------
yorby
Did Facebook try to block this company from interacting with affected users
after this happened? or did they just let them target anyone with any ad?

------
elorant
The thing that never ceases to amaze me is just how easy it is to scrape
Facebook profiles. Every other social network has strict usage quota but with
FB you can scrape tens of thousands of profiles with a single ip. With a
thousand proxies you could scrape all profile pages of any given country. I
won't be surprised if there are companies out there doing exactly that as we
speak. And FB allows it, probably because it enhances the ecosystem by
providing useful insights to corporations.

------
philipwhiuk
They weren't just warned by Ireland. They had to agree to oversight following
an FTC decision in 2011.

------
feelin_googley
The article does not mention the issue FTC took with "Verified Apps" in 2011.[1]
This was before FB's IPO.

WSJ had reported several times about apps leaking FB IDs and about companies
such as RapLeaf linking them to users.[2] They were apparently combining
Facebook data with some data from public sources to identify Facebook users,
in 2011.

Zuckerberg in his statements so far has used the term "derivative" data a
couple of times, as if the word derivative is significant. Does Facebook
believe this somehow takes it outside the scope of what they are responsible
for?

[1] [https://www.wsj.com/amp/articles/SB1000142405270230477280457...](https://www.wsj.com/amp/articles/SB10001424052702304772804575558484075236968?tesla=y)

[2] [https://www.wsj.com/amp/articles/SB1000142405270230441050457...](https://www.wsj.com/amp/articles/SB10001424052702304410504575560243259416072?tesla=y)

------
sAbakumoff
This story seems to be a very carefully planned attack on Mr. Zuckerberg to oust
him as Facebook CEO. Recently they exposed some IM history from the past
decade where he calls users "dumb" [http://www.businessinsider.com/exclusive-mark-zuckerbergs-se...](http://www.businessinsider.com/exclusive-mark-zuckerbergs-secret-ims-from-college-2012-5) everything that they know about
me. Z to be revealed.

