
Facebook Says It Has Suspended ‘Tens of Thousands’ of Apps - tysone
https://www.nytimes.com/2019/09/20/technology/facebook-data-privacy-suspension.html
======
saurik
I had an app "suspended" because I had largely sunset the app almost a year
ago and thereby wasn't getting bug reports from users that the app was offline
(when it had been initially put by Facebook into a weird quasi-suspended
state) and hadn't been (and still haven't been) prioritizing checking or
responding to e-mails back and forth from Facebook (which have been draconian:
I have an application that literally only uses Facebook for its Login feature
(there are no social aspects of the app where data from one user is shown to
another user: it shows you your own name and profile picture while you are
logged on, and that's it), and yet they sent me a PDF file with multiple pages
of questions and a requirement that I not just answer them but somehow provide
a signed affidavit--with a real signature on it, not just a digital one--that
I answered them correctly). I thereby would guess that the vast majority of
those "tens of thousands" of apps were apps that no one was even using anymore
and which were suspended not because of misuse of data but because the
developer was either no longer reachable or simply no longer cared (at which
point this makes them either look like they are doing critical work on
something important or that there was a rampant problem they caused that they
had to fix, depending on your narrative slant, when I'd imagine "they aren't
really doing anything and have just automatically suspended tens of thousands
of dead apps" is more likely).

~~~
cameronbrown
> provide a signed affidavit--with a real signature on it

They really are becoming desperate.

------
taurath
If they built in proper data access controls, one would think that suspending
apps would not be necessary. The fact that the apps have the power to grab
people's personal data at all is the problem. Why don't they just shut down
the leaky APIs, disable all the apps that require those APIs, and make the app
devs update them? On the assumption of course that Facebook gives a single
lick about actually protecting people's personal data.

~~~
behringer
They don't, that's the entire point. From the day they created the API it was
with the understanding that people would farm the data. FB only asked politely
that companies not collect so that they could tell the public what they are
telling them now (We had no idea!), but no developer ever took that seriously.

~~~
ipsum2
> From the day they created the API it was with the understanding that people
> would farm the data

This is a serious claim, do you have any evidence to support it?

~~~
behringer
They put in no safeguards. It was designed to give developers access to
personal information.

What more do you want?

Criminal negligence is still criminal.

~~~
bilbo0s
Actually allowing access is not criminal provided they tell you they are going
to do so in the TOS.

That's why we need a law to make it explicitly illegal to share any such
information at all for commercial purposes. I don't really care if it destroys
business models. Maybe some of those business models deserve to be destroyed.

------
rshnotsecure
Facebook has a couple dozen contractors that employ thousands of people. These
contractors fall out of the scope of Facebook’s Bug Bounty in most cases, and
the contractors do not have a way to contact them about security
vulnerabilities or a defined process.

It is an enormous legal arbitrage finance maneuver it seems. These contractors
are awarded very large contracts in exchange for essentially assuming huge
legal liability. They are gambling nothing bad will happen. It makes sense
from a business perspective for both parties.

These contractors can be quickly identified via some searching online. From
there, if you map their DNS infrastructure via common tools like
[https://dnsdumpster.com](https://dnsdumpster.com), you will find very poorly
(or at least quickly) set up AWS/Azure infrastructures running software that is
behind on patching, usually by 1-3 years, and that has documented exploits which
can be triggered remotely without previous auth.

The situation is very sad, and I would encourage the engineers at Facebook to
at least ask their managers if they think this serves the company. The good
news is of course it can be fixed quickly and dramatically. OS updates and a
few L4 firewall rules for the host is often all that is needed.

EDIT: changed a plural

~~~
taurath
"Move fast and break things" is definitely in contention with "hold the most
personal data of everyone on the planet".

~~~
shkkmo
I am not sure your use of "in contention" makes sense here. Did you mean
something like "incompatible" or "in conflict"?

------
orian
Yeah, but to be transparent, they should post a list of apps and the data they
were collecting.

~~~
bilbo0s
Now that just makes too much sense, and would empower users to actually take
action to protect themselves from people trying to snoop them. That's probably
the reason FB would do something like that only as a last ditch act of
desperation.

------
vuln
I wonder how much revenue Facebook made off these apps.

------
scarecrowbob
I had an app suspended. It was basically just a way of automating a FB Like
widget on a specific website. I replaced it with a static field (the number
was in the millions of likes and the display was only 2 significant digits).

I mean, good for them, I guess. I just made it a field and update it by hand.

------
killjoywashere
A fun little app to make: "Would you rather trust <company A> with your <piece
of information X> or <company B> with your <piece of information Y>?" Two
lists. Issue a uniqueid cookie to filter duplicates. See what comes back. I
bet the order comes out, roughly, Apple, Google, Amazon, a bunch of others,
with Facebook somewhere down at the very bottom. But I could be very wrong.

~~~
speedplane
> "Would you rather trust <company A> with your <piece of information X> or
> <company B> with your <piece of information Y>?" ... I bet the order comes
> out, roughly, Apple, Google, Amazon, a bunch of others, with Facebook
> somewhere down at the very bottom.

You'd be right if your survey was targeted to the HN crowd. But if you
targeted the general public, it would just be confusion... "what do you mean
these companies have my information?"

------
ReptileMan
Facebook still has apps? I thought that fad died circa 2012?

~~~
realusername
They consider "apps" websites which just use the Facebook auth; they probably
just disabled thousands of website logins.

------
Mc_Big_G
Too little, too late. Delete FB/WhatsApp/Instagram.

