50M Facebook profiles harvested for Cambridge Analytica in major data breach (theguardian.com)
558 points by tsneed290 on Mar 17, 2018 | 254 comments



My problem with this 'outing' of CA is that Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc so they can profile us. A million dollars is chump change in the crazy US election game. This all seems overly selective - it's ok for some people to profile but not for others. I'm not in favor of any of it to be clear but there is a definite political bias going on here. Let's not forget FB itself has a formal political unit that exists to push propaganda in foreign elections, 'stifling opposition and stoking extremism'

https://www.bloomberg.com/news/features/2017-12-21/inside-th...


>This all seems overly selective - it's ok for some people to profile but not for others

What's the issue here? Selective information distribution is rooted in the society, people are O.K. with some information to be known to some people while kept secret from others due to implication differences.

I.E. I'm fine to be profiled for selling me chocolates but I'm not O.K. to be profiled to be manipulated to select public officials or to make my mind about controversial topics like the god, abortions, guns etc. I expect to be exposed in a proper way to these topics, i.e. proper journalism and discussions.


Sadly, the downside of the consumer data culture in which we live is that you don’t really get to make that call. It seems like data is really an all or nothing game at this point, regardless of how society feels about it. Not sure how to change that, either, and I don’t personally think legislation is the answer.


> Sadly, the downside of the consumer data culture in which we live is that you don’t really get to make that call.

This can be changed, regardless of whether any of us is ready to throw up our hands about the whole situation as it stands.


Isn't the GDPR supposed to help with that?


I would love to see international privacy rights harmonization with GDPR the way we had the Berne Convention for copyright.


It’s really easy: you pass laws.

Look at health records. HIPAA is rather successful at keeping your health data narrowly confined to those that need it. There is nothing that prevents similar laws to work for financial data, location data, etc.

The only roadblock is people saying they “don’t personally think legislation is the answer”. Because there is literally nothing but law that can have an effect.


Good law is hard. HIPAA prevents gossip. That’s about it.

The sales director for a drug manufacturer knows that you’ve filled a prescription before the claim is filed.

Enfamil and Gerber knew the estimated due date of our baby — although the only interaction we had with anyone was a miscarriage at 8 weeks and a near fatal complication.


> HIPAA prevents gossip. That’s about it.

I agree that HIPAA is technically very weak.

But let's also agree that preventing gossip about private health info is a good thing -- a definite step in the right direction.

Laws are about building and reinforcing the culture we want to build. In that light, HIPAA is a long way from a failure: it sets the standard that "health care privacy is to be taken seriously, and as a society we believe it is important enough to legislate", if nothing else.


https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...

Are you sure it wasn't something like this?


That can be regulated. That the US chooses not to do so doesn't mean it cannot be done.

See, for example, GDPR.


[flagged]


What is the "leftist press"?


There is a big difference between sharing data with companies, and allowing companies to specify as targeting rules.

Facebook lets companies bid for ads to show you, based on Facebook’s data about your interests and demographics. If you never engage with the ads there is no information leakage.

It’s the difference between telling a random person “I’ll tell my gay friends about your party” and “Did you know that Bob is dating Steve?”.


I've heard a lot of people believe otherwise (including a sibling post), so probably best to bring in evidence/sources. Here's Facebook's statement on it: "No, we don't sell any of your information to anyone and we never will." From https://www.facebook.com/help/152637448140583

So if you believe Facebook sells your information, then you also believe that Facebook is directly lying about it on a help page about that specific topic. Sometimes conspiracy theories are true, so it's not impossible that that's what's happening, but it's not like Facebook is openly selling your information.


No, it's worse, they just gave it away for free.

Until 2014 or so an app could request permission to view almost any data a user stores on Facebook. That's not great, but hey, you could argue it's not Facebook's fault that people don't understand permission prompts (I'd disagree with you, but...). But those same prompts allowed users to give away their friends' data, so absolutely anyone you're friends with could take some stupid personality test and give away your information in the process, and there was no way you'd even know.


You always need to parse statements like this very carefully. Pretty much any other company who isn't providing your information to others says "we do not share your data with unaffiliated entities..."

Facebook said that they don't sell your information. Which is true -- they aren't a data broker. But they implicitly state that your data is shared, subject to the limited controls available. You cannot stop Amazon and Facebook from sharing, for example.


> If you never engage with the ads there is no information leakage.

But what if you do?


> Facebook lets companies bid for ads to show you, based on Facebook’s data about your interests and demographics. If you never engage with the ads there is no information leakage.

That's not true.


Please provide evidence then.

I have never seen Facebook allowing large scale harvesting of their data.

And it would qualify as data breaches in places like EU which do not tolerate this sort of thing.


Well, they may not officially permit it in public, however they clearly allow it, otherwise we wouldn't be here.


Do you understand how this data ended up in CA's hands? Regular facebook app asked permission to get data to its users, one by one. It then retained the data and shared without facebook or their users' permission (and against FB terms). Then facebook realized this data was shared, required CA to delete all of it. CA agreed. CA didn't delete. That's how we are here.

I'm no facebook fan by the way, but there's no reason for facebook to sell their most important asset when they can allow you to pay to use it, without ever seeing it


Well, this seems to go deeper than I was anticipating. What I wrote above might not be accurate since the story is still evolving....


Fair play for saying.


>My problem with this 'outing' of CA is that Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc so they can profile us.

Not only conglomerates but anyone with the money and know-how. Example P&G proxy fight:

https://www.reuters.com/article/us-procter-gamble-trian-inve...

Neubecker said he has seen several ads on his Facebook feed that link to Trian’s “Revitalize P&G” website and to videos of Peltz and former P&G Chief Financial Officer Clayton Daley, who is advising Trian.

The video of Peltz features him sitting in Trian’s Park Avenue, New York City headquarters, discussing P&G’s future, gripping a Trian-labeled coffee mug that reads “Sales up, expenses down.”

In response, P&G has called upon more than a century of product marketing experience with its own “Vote Blue” campaign.

One YouTube video begins with an image of P&G’s blue logo and a banner proclaiming “Every Single Vote Matters!”. A narrator and series of slick images offer step-by-step instructions, ending by asking viewers to vote for the blue proxy card and to throw Trian’s white card in the recycling bin.

Trian won this fight.


Sorry, what are you talking about?

Please provide some evidence that anyone with money and know how can harvest tens of millions of accounts from Facebook.

Your example does not address this and seems just like normal Facebook targeting to me.


Pardon my ignorance but what was Cambridge Analytica doing if not using advanced analytics for Facebook targeting?

I don't think Facebook has a section where someone can talk about what stocks they might hold. So, if the HF was able to target specific people who owned P&G stocks then I think it was an efficient targeting, maybe not as much of scale of US elections but enough to turn the voting in their favor.


What? You can scrape that kind of data with a simple Python application...


You are either lying or completely ignorant because this is not possible.

The data that this app obtained was far deeper than what Google can crawl e.g. what a person liked.


I could see a constitutional amendment barring psycho-graphic profiling from election advertising and intent. Not sure how it could be enforced because this is very technical.

Even so, there is a significant difference between Coke trying to sell me a flavored soft drink and a firm tweaking my emotions to get me to abstain from voting with false information or to vote against my best interests with false information.

There are definitely people who are susceptible to psycho-graphic warfare and we need to protect them in order to protect our democracy.


I don't think "false information" is the kicker here. Taking a cursory glance at Breitbart and Fox News, there isn't that much that is patently false. Furthermore, my observations of how propaganda works in general is that it doesn't usually rely on information that is technically false. It relies on selective distribution of information, editorial spin, and other more subtle methods.

This makes "enforcement" basically impossible because you can't have a news outlet without editorial decisions. A better way to go about it would be to try incentivize media outlets to make a good faith effort at "both sides" journalism, but members of both political sides have been attacking the media for doing just that since the 2016 election season.


> Taking a cursory glance at Breitbart and Fox News, there isn't that much that is patently false.

Don't you think it would be better for you to take more than a cursory glance before commenting?

Breitbart has had significant issues with fake news over its lifetime. Far more egregious and consistent than any other news organisation, not that I would necessarily call it one.

https://en.wikipedia.org/wiki/Breitbart_News#Notable_stories


In addition to Fox and Breitbart, the Washington Post, Buzzfeed, CNN, and even the New York Times have had to retract dozens of viral political articles over the last two years. The retractions were only seen by a fraction of the people who saw the original headlines. This is an inevitable result of journalism increasingly relying on rumor and catering to partisan audiences.

Where is this line that should be drawn, and who should draw it? Breitbart may have a higher frequency of “oops someone gave me bad info, or my reporter/editor made an unsubstantiated inference” events, but their audience is much smaller than the large outlets.


Sure, but the parent's point is that even if you got rid of the fake news, you'd still be able to spread plenty of propaganda and sway people. Going after the easy target of "fake news" might feel good, and even do something to help make propaganda less effective, but isn't going to make a huge dent in the problem.


You do it by making the activity costly. Mandatory opt-out for any persistence of data. Require regular re-enrollments for anyone who opted in.


European GDPR is going to help a lot when it kicks in this May


It’s not very likely for any US constitutional amendment to be passed ever again.


> and a firm tweaking my emotions to get me to abstain from voting with false information or to vote against my best interests with false information.

Better ban 24 hour news networks then. And any form of political advertising.


Agreed. This is marketing. The tone of the article makes it sound like some egregiously illegal scandal. The only wrongdoing is that one private entity breached the terms of service with another private entity. Innuendo.


You are being completely disingenuous here.

1. It is not normal marketing to have tens of millions of Facebook account data on your own private server. This isn't standard practice by any company large or small. Standard practice is to use Facebook's advertising system which does not reveal this data.

2. The wrongdoing wasn't just "breaching the terms of service" it was the transfer of account data from one party to another for the purposes of influencing an election.

3. It is not innuendo.


This is simply not true: There is NO indication that Facebook ever allows data on specific users to flow from their platform to advertisers.

Only apps have limited access to the data that you agree to share in the app install dialog.

The article you linked does not even mention any of the companies.


Please don't purposefully oversimplify things and engage in whataboutism in an effort to downplay their importance.

You should read this:

https://www.theguardian.com/news/2018/mar/17/data-war-whistl...

Three particularly important points:

The guy who was contracted by CA to steal the data is from Russia.

He had previously undisclosed funding from the Russian government.

CA later tried to do business with a Russian oligarch.

Choice quote:

"There are other dramatic documents in Wylie’s stash, including a pitch made by Cambridge Analytica to Lukoil, Russia’s second biggest oil producer. In an email dated 17 July 2014, about the US presidential primaries, Nix wrote to Wylie: “We have been asked to write a memo to Lukoil (the Russian oil and gas company) to explain to them how our services are going to apply to the petroleum business. Nix said that “they understand behavioural microtargeting in the context of elections” but that they were “failing to make the connection between voters and their consumers”. The work, he said, would be “shared with the CEO of the business”, a former Soviet oil minister and associate of Putin, Vagit Alekperov.

“It didn’t make any sense to me,” says Wylie. “I didn’t understand either the email or the pitch presentation we did. Why would a Russian oil company want to target information on American voters?”"


The thing about the relatively low cost of a million is that we know that many of the voters targeted by the Russians for influence on both sides were much cheaper than what your example commercial interests targeted for marketing services/products, so a million dollars on targeted campaign is much more effective than what that million dollars buys in a major media market TV ad equivalent or commercial Facebook targeted ad.


For 'Russians' I would suggest individual oligarchs over the nation state. Semion Mogilevich rather than politicians...


It's both. Very little goes on in Russia without the knowledge and/or support of Putin.


> Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc

Sources on this?


https://www.wsj.com/articles/p-g-to-scale-back-targeted-face...

Not hard to find information, although it is typically couched as brand reach and advertising spots. The big data sales side of FB and other sites is more sensitive and less overt

https://www.facebook.com/help/494750870625830?helpref=uf_per...


Your links do not support the idea of “harvest[ing] user data”. They describe the usual Facebook ad platform, where you can set criteria to target users. But nowhere does it mention data on individual users flowing from Facebook to advertisers.


from my original Bloomberg link in post about FB

'Politicians running for office can be lucrative ad buyers. For those who spend enough, Facebook offers customized services to help them build effective campaigns, the same way it would Unilever NV or Coca-Cola Co. ahead of a product launch.

While Facebook declined to give the size of its politics unit, one executive said it can expand to include hundreds during the peak of an election, drawing in people from the company’s legal, information security and policy teams.'

It is harder to find information about FB's data sales policies (which are very opaque unless you speak to people high up in marketing large companies and their activities). FB's ad platform information is pretty transparent, but the quarterly numbers don't really add up for me based on spend by large firms like Procter & Gamble etc in those areas...



> It is harder to find information about FB's data sales policies

So you’re explicitly agreeing that you have no proof that Facebook is offering data for sale.

The quote you cite has nothing to do with the initial assertion: providing consultants that teach people how to use the ad manager is something completely different than selling PII.


Obviously you won't be finding a FB webpage providing details of where to buy user data by the thousands as I tried to explain above. FB's role working with and for the Trump campaign provides some insights

Trump, Cambridge Analytica and how big data is reshaping politics - Gillian Tett in the FT https://www.ft.com/content/e66232e4-a30e-11e7-9e4f-7f5e6a7c9...


And obviously I won’t be admitting to murder, therefore I must be a murderer?

The linked article, once again, provides no proof (or even mention) of any data being sold by Facebook. I have no idea why you keep piling on irrelevant articles.


Cambridge Analytica just got banned for scraping data (stealing..) from Facebook.

That’s the exact opposite of Facebook selling them the data.


The Facebook page you refer to is interesting.

At the bottom it says to reach out to https://aboutthedata.com/ to see what data they have on you.

So I did. Then I scroll down to see "See and Edit Marketing Data about You. CLICK HERE" only to be redirected to a registration page that requires my US-based address and last 4 of SSN.

Talking about misled communication, or rather blunt deception, otherwise how the heck "click here to see data about you" lands me on registration page? I don't want to register, I want to see the data!


This simply isn’t true.

I’ve spent lots of time and money getting data out of FB.

You can pay to get anonymized topic data via DataSift and others, you can pay to run ads against users you have email addresses for (but you don’t get their data) or you can scrape (which is against the terms of service and they have an aggressive anti bot system to stop it - unlike Twitter).

Their political support systems are analytics support to ad buying.


People signed up to give it to Facebook, and whatever your views on that bargain, this wasn’t part of it.


I guess if P&G uses the data to push me to buy some soap, it's less sinister than using that to influence an election. Commercial vs Political.


In recent years America seems to be very eager to compromise. First it did for security after 9/11 and now for right thought after Trump.


[flagged]


> How much did Putin pay you to gas light articles?

That is an egregious violation of the guidelines and a bannable offense on HN. If the rest of the internet is losing its mind, that makes following HN's rules more important, not less.

> Let's not forget about that one time you

This also crosses into personal attack, which is not ok. Heated political arguments are bad enough without users trying to take each other out like this. Please don't do it on HN, regardless of how strongly you disagree.

https://news.ycombinator.com/newsguidelines.html

Edit: your account history unfortunately contains many examples of personal abuse. You've also broken the guideline against using HN primarily for political or ideological battle. We ban accounts that do these things, so would you please re-read the guidelines and use HN as intended from now on?


Something I have been noticing for quite some time now is an increasing tendency for people to seemingly believe they can read other people's minds &/or the future, or that they somehow have an omniscient insight into the world. You might expect this on Facebook or Reddit, and I know this will not please most people here, but it is becoming rather common on HN as well.

To those of you who disagree with me, keep this idea in the back of your mind for a while and remember it as you read comments. Make a serious effort to notice how many people know what other people's motives are for their beliefs, how they know the real reason for certain policy decisions, how they know what Putin or Trump are thinking and what they are going to do in the future, how they know China is going to fail now that they've gone full-on communist dictatorship (because history "guarantees" it), etc.

I honestly don't think I am imagining this, I think something very historically significant is happening to the psychology of the public.


There is a cult of ignorance in the United States, and there always has been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge."

Isaac Asimov, Column in Newsweek (21 January 1980)


True enough, but I believe what's different now is that there is significant it has taken serious root in the "informed" class as well, HN being no exception.


I remember when the Obama campaign hired data scientists and used targeted social networking tools to persuade voters who were on the fence and it was heralded as brilliant and the future of politics.

I worked for a company crawling Facebook data by creating viral apps the year the original API came out. By now I am sure this is done by many companies.

Why is any of this news? My understanding is that companies harvesting social networking data via viral apps and then reselling it to perform targeted voter advertising is literally a 10 year old concept. Were any laws broken here? Were there any techniques used here that were novel or done by one political party and not the other? Why are we talking about this one firm and not the many others that surely exist that are trying to do the same thing for <insert political candidate of choice>


I am not shocked by the fact that they are collecting data. The fact they are designing a psychological procedure to feed their narrative and agenda to you in an unconscious way, shaping and changing your world view, with that message only tailored to you, is very creepy to me. This doesn't sound like advertising to me, this is manipulation and brainwashing.


Explain the difference in semantics between the two because the mechanics sound the same, best I can tell this company was just running ads like everyone else. Creating psychological profiles of voters to craft messages to them to persuade their vote I believe is the same thing as political advertising and is exactly what Obama's campaign were doing and had countless fawning articles written about them (just Google it.) Best I can tell the real facet here being used to paint this in a new light is the use of harvested data in a way that violated Facebook ToS but that is 100% nothing new and crawling FB via the API to do data science was a new idea like 10+ years ago (and it has since been locked down due to the prevalence of abuse I'd assume.)


Why is this hard to understand? The same technology can be used for both good and bad.

Obama used it to inform people about his policies and get the out to vote. Trump used it to spread lies, falsehoods and half-truths. Essentially any media that was outlandish enough to become viral was promoted and promoted to hapless people who probably might have wondered why they were seeing so many distressing articles about America in "Carnage" (as Trump puts it).




Yep. So Obama is just "good" and Trump is just "bad". Way to view things boy.

At most this is your own political standards. Not anything that can be neutral and objective. Claiming one set of political ideas to be "right" is very dangerous.


So you are stating that the reverse interpretation where Obama spread lies and falsehoods, and smears his opponents while Trump was merely informing the public of truths is objectively just as valid as the opposite?

Just because something is political and not neutral does not mean that there are no facts associated with it. We may disagree on them, debate them, but to take the stance that there are none at all is the kind of tactic used by people who do not wish to debate the actual validity of their viewpoints.


Is it your view that all politicians roughly speak the same amount of lies vs. truth? That Trump's message is the same as Obama's message which is the same as any other political message?


That is Baizuo logic..


It comes down to motivation. Obama is a career politician, but Bannon is an ideologist. The former seeks to get elected, the latter seeks to plant ideas and change the society in a fundamental way. To me, Bannon is much more dangerous than Obama, because he is subversive.

Technically, there might be little difference, but Bannon clearly excels at using this tool to a greater effect, and the result is far more impactful and outreaching, even revolutionary. Guaranteed, other groups will take notice and try to replicate their success, to feed their version of personalized agenda to your mouth.


The biggest difference is Bannon wants to break society so that it can be remade as he wants. Classic villain methodology, where the ends justify the means. Creating and exploiting divisions in society, damaging democratic institutions, so that the Government collapses and Democracy along with it. To be replaced with 'his' vision for this country. That is evil and treasonous.


And Obama did break the society. Probably it's broken so badly, that it cannot be mended anymore...


I agree with your discomfort on Bannon's agenda, but aren't you conceptually backwards here? If Bannon is evil not because of his agenda but because he wants to bring societal change, isn't the same true for Abraham Lincoln?


Change via Destruction is much different than change via Cohesion.

And now we have the Chaotic President, thanks, Bannon.


> This doesn't sound like advertising to me, this is manipulation and brainwashing.

If advertising isn't manipulating and brainwashing, what is it? As far as I can tell, advertising is precisely that.


That is what they claim they are able to do. The reality is likely quite different.


I guess the other question is why this hasn't been any news yet. But the answer might be that 10 years ago Tech wasn't much in the news because it was just not interesting for most people.

This has changed a lot in the last few years though, which might explain why the news agencies now have to work through (at least!) 10 years of tech news backlog. I'd definitely like to see coverage of these topics from 'traditional journalists' who then bring this stuff into context and link it with politics for instance. It's a little sad that we needed the political right and their friends to bring these things to public attention.

> Were any laws broken here?

In Germany they would have broken it by that. At least here every website needed already 10 years ago not only Terms of Services but also a data privacy section/page. Such a page would be of no use if you could collect data from people before they even visit your website.


>I guess the other question is why this hasn't been any news yet. But the answer might be that 10 years ago Tech wasn't much in the news because it was just not interesting for most people.

This is 100% untrue:

https://bits.blogs.nytimes.com/2008/11/07/how-obamas-interne...

https://www.theatlantic.com/politics/archive/2009/10/exclusi...

These are only two links but let me assure you if you're interested google is full of articles from the 2008 election talking about how vital the internet and data was to the Obama strategy.

I very clearly remember these articles and many others at the time talking about the new "big data" strategies utilized in both 2008 and 2012. To me that is what makes this whole "we scraped data and stole the election for trump" narrative seem extremely suspicious.


> To me that is what makes this whole "we scraped data and stole the election for trump" narrative seem extremely suspicious.

Suspicious of what? Be more clear about what you're trying to say here please.

Because I hope it's not that people didn't complain enough when Obama did it, and therefore now nobody can? (aside from the fact that I did complain, because I complain about all advertising, but that's not the point)


The first one links to NYTimes Blog though. I mean now you see on general news coverage about cellphone chip companies -- absolutely uninteresting 10 years ago. Apparently voters were already manipulated to some degree at that time. But now it got even more. But at the same time technology immersed too much into day to day life that everybody is also interested in pure technology news.

On the other hand all journalists become more technical at the same time, so they have to digest some stuff from the past. Obviously even older news...

I guess it's fair to say that Techcrunch or ZDNet are not exactly great sources for usage of Big Data in politics...


> I remember when the Obama campaign hired data scientists and used targeted social networking tools to persuade voters who were on the fence and it was heralded as brilliant and the future of politics.

If you go back to 2008 election, the media was praising Obama as the first social media president. Remember how well obama used youtube, myspace, facebook, reddit and the burgeoning social space during his election? It's strange how the media is now attacking the social media space they loved so much because trump won the election.

> Why is any of this news?

I think it's because the media and the democrats and a large segment of the elites need something to blame for trump's win. They don't want to blame hillary or themselves for the loss, so they attack social media.

During the 2016 election, Trump was complaining about foreign interference in the elections. And Obama stated there was no foreigner interference and that Trump was whining because he was losing in the polls. Back then, the traditional media was backing obama and mocking trump. Now that trump has won, the traditional media is the one pushing the foreign interference narrative.

But I guess it is all conjecture. But ever since trump won the election, there has been a relentless propaganda campaign against social media by the establishment. You can't go a day without seeing a propaganda piece on traditional or social media about how bad social media is.


If you had read the article, you would have seen that it is the elites who are running these operations. The "liberals" are not the ones who are the elites, it's the ones with money funding this sort of thing. It very clearly names the contributors, I suggest reading it.

There is still no evidence that 2008 had any foreign influence. The tactics used in 2008 did not include the sort of misinformation information warfare now being conducted.

In contrast, in Brexit and Trump's wins this article is claiming that there is conclusive foreign interference.

Regarding the establishment, the only propaganda campaigns I can see being waged are against the mainstream news (the ongoing fake news propaganda) and against the tech companies who I suppose are "new money" and not in with the oil and finance czars funding this sort of thing.

The article is really interesting, you should read it. It basically suggests that democracy has largely failed in the age of information warfare. Targeted campaigns by rich elites and foreign governments can now influence votes and psychology on a massive scale. It's no longer about "my side and their side." All of us are on the losing side here.


Using Facebook to raise money, organize locally, fight smear campaigns and get out the vote is vastly different than harvesting data to build a surveillance machine


There are actual reasons to be worried about this kind of thing:

- The advertisements were not overt ("fake news")
- It raises the barrier of entry to the political process
- Filter bubble effects

Or you can believe a story about "elites" and "biased media".


> There are actual reasons to be worried about this kind of thing:

I suppose. Why weren't people worried about this during Obama's campaign?

> - The advertisements were not overt ("fake news")
> - It raises the barrier of entry to the political process
> - Filter bubble effects

If filter bubble effects are a problem, then we should be looking into traditional media, not social media. I'd say there is more of a filter bubble issue in CNN, NYTimes, WashingtonPost, Foxnews, etc than in social media. When nearly 100% of the largest media organizations are endorsing one candidate and/or espousing one type of ideology, maybe we should be looking at that.

> Or you can believe a story about "elites" and "biased media".

It's not a matter of believing. It's a matter of fact. Foxnews and the right wing were also whining about social media when Obama won. Now it's the media and the left wing whining about social media because Trump won. The only difference is that the leftwing has a much greater media presence.

It's so funny how both sides are the same. When it looked like Trump was losing, he was blaming foreign interference and biased media and fake news. And the media/leftwing was mocking him for being paranoid and a sore loser. Now that Trump won, it's the media/leftwing whining about foreign interference and biased social media and fake news. The hypocrisy displayed by every side is rather disheartening.


1. Obama's use of social media was reported.

2. Why is whatever Obama did relevant to this story? Do two wrongs make a right?

3. Where in the linked article does the journalist inject their own opinion? I couldn't find any instances. The opinions came from the interview subjects, and are reported by the journalist as they should be.


Isn’t harvesting data prohibited by Facebook TOS? (Not to say that people don’t still do it). Also, could you elaborate on what kind of data you get access to by doing this data harvesting versus just using Facebook targeting data that Facebook explicitly gives advertisers access to? I’m curious because fb gives a lot of targeting criteria, so I’m wondering what kinds of things this harvesting unlocks. Sentiment analysis on post language or something?


> Isn’t harvesting data prohibited by Facebook TOS?

This should be the main takeaway from this article--that Facebook relies on the honor system for protecting user data.

Breaking a company's TOS isn't a crime in and of itself, and social media data has been used for political targeting for years now. Insinuating that Trump won because of a nefarious brain control operation fueled by data from a "data breach" is irresponsible.


> Isn’t harvesting data prohibited by Facebook TOS?

Facebook gives companies access to the data (e.g., "for research") but they're not allowed to sell or provide that data to third parties (which is what these people did).


> Were any laws broken here?

Yes. The article mentions "British data protection laws were probably broken". NB Facebook lawyers have been trying to push the Guardian around. - https://twitter.com/carolecadwalla/status/974995682124804099

IMHO, but I am not a lawyer - clearly the law was broken, Data Protection Act.


>Why is any of this news?

I think the clue is in the article:

> ... Russians ... had used the platform to perpetrate “information warfare” against the US


They harvested personal info of people. Something against FB policy and against the law. That is why it is news.

I understand that Hacker News has been accused of turning into reddit since reddit became a thing, but when the top most comment is from a guy who didn't even bother to read the article linked, there is very little in the way of distinction between the two sites.


And do you think the so-called "Russian influence" and the special counsel investigation have much substance to them anyways? Everybody can see from a mile how charged everything has become in American politics. They drum up the rhetoric on this one simply because they perceive Trump as their enemy and want him down no matter what, even though their "own" candidate might well have done the same thing or at least very similar things.

If this incident helps protect user privacy further it would be great. However I doubt it would happen at all. Most likely they'd just take this opportunity to aim another round of barrage at Trump instead of talking any substance about the issue itself. The purpose of this reportage is political attack against Trump instead of any concern for privacy in the first place.


Every advertisement should be ostensive

Using fb to advertise for Obama, Trump, etc, is ok

However that's not what has been done, but the a) use of shills and fake personas to pump up opinion b) creation of fake "grassroots movements" and "news articles" with a divisive purpose

https://thinkprogress.org/russia-facebook-pages-sophisticate...

https://www.reddit.com/r/RussiaLago/comments/7y6ola/there_ha...


How easily or willfully we forget the past:

3/14/2008

>The Obama campaign's chief strategist is a master of "Astroturfing" and has a second firm that shapes public opinion for corporations

https://www.bloomberg.com/news/articles/2008-03-14/the-secre...


Correct, doesn't make it right (and Hillary did some of this as well)


I agree. So why keep up this naive and demonstrably false act that 2016 was the year persuasion and behavioral psychology was put to practical use in politics to manipulate voters?

Every presidential election cycle I can remember was full of rhetoric and outright lies to persuade voters. Does no one remember all of the hilariously terrible chain letters from past elections that claimed all sorts of nonsense? I just don't understand why people are running away with this idea that somehow facebook/twitter have changed the game when it comes to brainwashing people to vote conservative.

Politics is and always has been a no holds barred competition where anything goes that isn't straight up illegal. History books praise JFK for utilizing the television in 1960 to win his presidential election. I'm starting to think that if they had today's political climate he would be remembered as a manipulator rather than being savvy.


The difference is a lot of people never imagined Trump could be elected and many people for the first time are shocked to see what the other half of the country thinks. Imagining that they were manipulated by superior technology not previously available lets people hold to the idea that half the country really didn't vote for trump deep down - if only they hadn't been duped and knew what he really was.


Did you really link to russianlago, an actual shill subreddit? Also thinkprogress is a shill advocacy organization.

> However that's not what has been done, but the a) use of shills and fake personas to pump up opinion b) creation of fake "grassroots movements" and "news articles" with a divisive purpose

This has been done since forever. People supporting Obama did in 2008. Those supporting Ron Paul did it. Bernie Sanders supporters did it and so did Hillary supporters.


Ad-Hominem and Whataboutism on the same comment, congrats


I was directly responding to your point. You said shilling is bad. I agree. But it doesn't do your argument any favor when you use two shill sites to defend your position. Russianlago is a shill subreddit. Everyone knows this. Thinkprogress is a shill advocacy group. It's in their mission statement.

Also, "Ad-Hominem and Whataboutism" is the easiest way to spot shilling. The fact that it is capitalized makes me believe it was copied and pasted from a list of talking points.

If you truly believed shilling was bad, you wouldn't support russianlago or thinkprogress. But the fact that you linked to those two makes me believe you actually support shilling. Just the shilling you agree with. Just an observation.


> But it doesn't do your argument any favor when you use two shill sites to defend your position

And it doesn't help your point that you conveniently ignored the point these two websites are making, and that have been reported by others as well.

"Everybody knows this" is a cop-out.

Shilling is bad, but water is still wet regardless if it's reported by TP or FoxNews or Breitbart, as opposed to you who prefers to shoot the messenger and has a 32 day old account. Just an observation


E X A C T L Y

See my post: https://www.facebook.com/mstefanow/posts/10156280067194886

Since when NO NEWS is NEWS?

"Why is any of this news? My understanding is that companies harvesting social networking data via viral apps and then reselling it to perform targeted voter advertising is literally a 10 year old concept."

Other team didn't realize such thing as the internet exists?

(I'm outraged that this thing hit the news, as if it wasn't something already known)


Did you not read the article? Millions of users took a personality test that had nothing to do with politics, and that data was sold to the Trump campaign for targeting.

When did Obama’s campaign ever do that?


I think a lot of commenters did not read the article at all and are misunderstanding the “issue” to be use of big data, versus the fact that this specific data was obtained on tens of millions of people in what appears to be a very unethical manner.



270.000 users.


... and all of their ‘friends’, totaling over 50 million


Nope. It was not technically possible to share your friends' data in 2014.


>Did you not read the article?

No he didn't. On purpose


I used to make fb apps, any app gets full access to fb's user graph as long as they request the relevant permissions.

Users don't comprehend what permissions they are giving to apps they run. A quiz site getting full access is not surprising.

Once an app has any amount of access the only thing stopping them from harvesting their own clone of your data is an agreement in the ToS that you won't store PII for more than x hours.

These rules are like the bare minimum to stop good actors. If you're a bad actor fb does not do a single thing to protect users from you. As evident in this report fb is also not above blaming the users for the hostile environment fb created and placed them in.

There must be countless copies of harvested fb data out there. My employer at the time once realized we were accidentally storing some PII permanently in a derived field. If good actors can't even keep above the law what do you think the ecosystem looks like in the shadows?

IMO we aren't having the right conversation with fb over how they mistreat our PII and we should loosen the definition of that term when companies like the one in the article can infer our political preferences from the innocuous bits of our lives we tag on facebook.

We should be asking why even an authorized API that can't stop you from copying the data doesn't count as a systematized data breach.


> We should be asking why even an authorized API that can't stop you from copying the data doesn't count as a systematized data breach.

Is your argument that no company should offer any developer APIs at all? It's impossible to stop apps from storing data that they have access to, given malicious intent.

This is like saying that the existence of the Google Calendar API is a "systematized data breach" because an app could copy data from it once authorized by a user.


It's one thing to use the friend graph to show in your app who else uses it. That's pretty legit. The other use case is to store it to some database and keep it there.

FB has provided widgets for ~10 years for showing who else is liking xy. I know these Social Widgets are not so customizable and thus not pretty enough to match some custom design but at least they provide some safety nets.

Maybe Facebook could just provide more Social Widgets/CSS customizability instead of letting people write their own "Facebook Extensions".


I'm not sure how we draw the line. But it should at least feel ethically itchy if ppl can use data you collected to statistically infer things normally considered private information.

This puts Google on the wrong side of the line, wherever it is, next to other big offenders - fb, twitter, linkedin.

To waffle less, I would absolutely be very cautious with who you give access to your gcal. You can tell a lot about a person knowing their schedule, who they meet with, where they meet, when they fly, etc. Lots on a calendar


They stopped most data access via apps in the 2014 clean up they did.

But yes, you are right that I’m sure lots of apps kept that data and sold it.


I was curious how the figure leaped from the 270k cited in the Facebook press release to this 50M figure.

It sounds like they never had full access to the Facebook profiles beyond the 270k who installed the app, but just harvested the friend lists of those 270k. This doesn't give the app developer full access to the friends' profile data, but I guess once you have the network of friend connections you can use other public data sources to fill in or infer the gaps. And of course some of those 50M will have FB profiles that are fully public open books ready for anyone to harvest.

I will say as someone who has developed Facebook apps, the whole ecosystem is pretty much on the honor system for protecting user data. There are some seemingly random and capricious (and often erroneous) abuse detection algorithms, but once an app has access to user data who knows what they do with it and whether it was kept secure -- surely Facebook has no idea unless they perform invasive manual physical audits.


You could get access to the full friends’ user profile data in Graph API earlier than v2.0. If you had 500 friends, and granted friends_* OAuth permissions to an app, the app had access to 501 user profiles.


You know where you read this?


At $dayjob-1 we relied on this to pull in your Facebook friends as contacts. Eventually FB limited the scope of this to friends who also had the app.


This was post-v2.0 afaik.


I can confirm this, at least generally. Given access by a user, you had access to all the data the user could access, including the user’s friends’. There may have been exceptions, but, for example, friends’ likes were accessible.


It’s gone from the FB Graph API docs, but the wayback machine still has it:

https://web.archive.org/web/20130911191323/https://developer...

It was possible to use the v1.0 API until Q2/2015 if I remember correctly (only if you had a v1.0 app though)


it was in TFA, btw
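
The friends_* behaviour described in this sub-thread, as an added example that is not part of any commenter's post: a simplified Python model, run on a constructed friend graph, of which profiles one app can read when installers grant friends_* permissions, compared with the later rule that only friends who also installed the app are visible. The graph, user names, grants and function names are assumptions made for illustration, and the model makes no API calls.

```python
"""Model of how many profiles one app can read under two consent rules.

Simplified model of the behaviour described in the thread, run on a
constructed friend graph. It makes no network calls.
"""

FRIEND_SCOPE_PREFIX = "friends_"  # the friends_* permissions named in the thread

# Constructed, symmetric friend graph (not real data).
FRIENDS = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice", "frank"},
    "dave": {"alice"},
    "erin": {"bob", "frank"},
    "frank": {"carol", "erin"},
    "grace": set(),
}

# Constructed consent records: users who installed the app and what they granted.
GRANTS = {
    "alice": {"user_likes", "friends_likes"},
    "erin": {"user_likes"},
    "frank": {"user_likes", "friends_likes"},
}


def star_graph(hub, n_friends):
    """Constructed graph: one user whose n_friends friends know only the hub."""
    graph = {hub: set()}
    for i in range(n_friends):
        name = f"friend{i}"
        graph[hub].add(name)
        graph[name] = {hub}
    return graph


def grants_friend_data(scopes):
    """True if any granted scope is a friends_* permission."""
    return any(s.startswith(FRIEND_SCOPE_PREFIX) for s in scopes)


def exposed_pre_v2(friends, grants):
    """Pre-v2.0 rule: an installer who grants friends_* exposes every friend.

    Returns {profile: set of installers whose consent exposed it}.
    """
    exposed = {}
    for installer, scopes in grants.items():
        exposed.setdefault(installer, set()).add(installer)
        if grants_friend_data(scopes):
            for friend in friends.get(installer, ()):
                exposed.setdefault(friend, set()).add(installer)
    return exposed


def exposed_post_v2(friends, grants):
    """Later rule from the thread: friend data is released only for friends
    who installed the app themselves, so nobody outside `grants` is exposed."""
    exposed = {installer: {installer} for installer in grants}
    for installer, scopes in grants.items():
        if grants_friend_data(scopes):
            for friend in friends.get(installer, ()):
                if friend in grants:
                    exposed[friend].add(installer)
    return exposed


def summarize(exposed, grants):
    """Count exposed profiles and list those exposed without their own consent."""
    installers = set(grants)
    third_party = sorted(p for p in exposed if p not in installers)
    return {
        "installers": len(installers),
        "exposed": len(exposed),
        "exposed_without_own_consent": third_party,
        "amplification": len(exposed) / len(installers) if installers else 0.0,
    }


if __name__ == "__main__":
    for label, rule in (("pre-v2.0", exposed_pre_v2), ("post-v2.0", exposed_post_v2)):
        print(label, summarize(rule(FRIENDS, GRANTS), GRANTS))
    # The thread's arithmetic: one installer with 500 friends.
    hub = star_graph("hub", 500)
    print("500-friend installer:", len(exposed_pre_v2(hub, {"hub": {"friends_likes"}})))
```

Under the first rule, the exposure count is driven by the size of the installers' friend lists rather than by the number of people who clicked through a permission dialog, which is the gap between the two figures the thread is arguing about.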


From the very beginning there has been a rule that you were not allowed to persist data more than a few days in your own DB. But it was obvious there was no way for fb to verify what you did or did not keep.

There has never been substantial control on profile data harvest on fb. It was whatever you could get users to okay, which was a lot given the value your app had to appear to provide.


A substantial percentage of the US population installed that "cow clicker" app at some point, and who knows what data they harvested. Even if they did not access your full profile, they could probably learn a lot about you based on when and how often you were clicking on cows.


While your point stands, Cow Clicker itself was unlikely to be doing something nefarious. It was created specifically as a criticism of similar game mechanics, and got viral mostly by accident.

https://en.m.wikipedia.org/wiki/Cow_Clicker

Hence why the researcher who created it decided to kill it.


From the interview, the architect of the system says Facebook detected the download of data (50 million users' data might crush smaller companies.) and asked what was going on and he just told them it was for academic purposes so Facebook let it pass. Also when Facebook told them to delete it later, CA said they did but didn't.


> It sounds like they never had full access to the Facebook profiles beyond the 270k who installed the app

That's completely speculative, and we don't need more speculative information ... I'd much prefer to wait for evidence.


Minor point of confusion -- this article refers multiple times to a "data breach". ("...one of the largest-ever breaches of Facebook data...", "At the time of the data breach...", "...first reported the breach...")

As far as I can tell, there is no data breach, right? It sounds like CA got facebook data through an app they wrote, thisisyourdigitallife, which did some shady things.

Also, "The New York Times is reporting that copies of the data harvested for Cambridge Analytica could still be found online".

The link is: https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...

Anyone know what they're talking about? I haven't heard of any 50-million-profile data dump, and I really like collecting corpora...


It wasn't a breach as we know it.

Basically FB gave the data away. Apps have access to the data but they're not allowed to give/sell it to third parties. In this case the rules were ignored. Probably many other companies with API access have also ignored the rules. In this case FB didn't make much of an effort at all to prevent it from happening so it's reasonable to assume the practice is rampant. There's likely many copies of large parts of FB data out there (left on laptops on trains or on unprotected FTP/HTTP servers, etc.).

It's a 'breach' from the users' perspective.


Exactly it's confusing how they're using the word data breach like something wrong happened.


One thing other commenters haven't mentioned is that Facebook asked the other parties to delete the data and promise never to use it again and the other parties even certified that they had done so, but the whistleblower is alleging they lied to Facebook.

Maybe that's legally actionable.


OK, this feels like it will bring about the end. Of something. Facebook? Massive use of data for political campaigns? Anything?

If we keep consuming news like this, and do nothing, it's going to escalate massively. Same way as when Snowden told people they were spied on and they collectively shrugged and continued with their lives as if nothing had happened.

We, people in tech, have a massive moral burden to educate 'normals' on the meaning of news like this!


To a certain degree, this is a problem that Facebook has already taken steps against in the last years.

Remember that Facebook gives you zero access to users’ data just for being an advertiser. This scheme relied on users granting access to an app.

Data access by apps was curtailed two or three years ago to no longer include friends’ data. The permissions dialog has also become far more granular. From my observation, apps seem to mostly respect facebook’s rules on data scarcity, i. e. asking only for the data they actually need.

GDPR will enshrine this principle in law at least for European citizens, and it’s somewhat likely that it will have some effect far beyond the borders of Europe.

Regarding elections, first steps will likely align the law with that for TV advertisement. Clear information about an ad’s sponsor should be required, as well as the selectors used to target you. I’ve also heard some chatter about requiring a public repository for all ads. Right now, there might be waves of, for example, racist ads that never get reported in the news because the targeting never hits those people that would consider the ad problematic. The Atlantic is running a pilot program with a Chrome extension that records all advertisement you see on Facebook for such a repository.

In the current political climate, it’s unfortunately unlikely that the US will lead with new regulation. But there are a few decent agencies in the US that can squeeze a lot of mileage out of laws already on the books (the special prosecutor, and even the FEC). Social media companies are also quite scared, both because they fear a hit to their business, and because most of their executives do retain some humanity. You can also expect individual European companies to get out the big guns, seeing Trump and other Russia-backed populists rattling the core of the current consensus on liberal, open, civil societies.


> Remember that Facebook gives you zero access to users’ data just for being an advertiser.

As an advertiser you can target users based on very specific details, and track any user that responds to your advertisement campaign.

You get all the access (AKA, you know which part of your customer base resulted from targeted ad campaigns, so anything you can target on, you can attribute to that subset).

Regarding elections and digital platforms, a Dutch policy advisory states that the government should disallow non-transparent political advertisements (all advertisements should clearly state who sponsored them and to promote which political cause, if any), and to ensure that political parties can not hide their trade-offs, they shouldn't be able to micro-target people with a different message (increase taxes vs. decrease taxes, depending on what makes the user more likely to vote for you).


We are on a technical forum, thus I expect you to come up with a technical description on how can I use fb ads targeting to find out who is white and likes Arsenal in my neighborhood.

Arguing that only some advertisers get access to the tools required is bullshit: this is saying that Facebook won't tell you directly who is such and such, but will give you access to tools to bypass their own rules. I hope you see how idiotic arguing for such a case is.


FB has known all of this since it happened two years ago and only admitted it when a journalist asked them about it.


Yes. But the method that was used to siphon the data out of Facebook is no longer available.


Correct, and we now know the issue is that someone who had legit access sold the data.


The IETF's BCP#188 document is one of many consequences of Snowden, its title is "Pervasive Monitoring Is an Attack", and the text begins "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible".

Almost literally right now, IETF 101 is starting in London, and one of the things presented will be a series of proposals by people who claim they (or organisations they work for, the IETF is only for people, corporations can't participate they can just send people to it) have a legitimate reason to snoop on TLS traffic. TLS 1.3 is designed, following BCP#188, to make such snooping impossible without ongoing assistance from one of the endpoints (if the endpoint is co-operating with the snooping there's mathematically nothing anybody can do) and they would dearly like to return to an era when they could snoop with just a little one time assistance. Now, maybe this would have been stiffly resisted anyway, but BCP#188 means anybody who isn't sure has an existing IETF document telling them exactly why this is a terrible idea.


The first Ad Sales pitch deck for TheFacebook.com included a slide showing how advertisers can target students based on their sexual orientation, political bend, dating interests, gender, age, education, and social graph. All of which can be used to discriminate based on protected variables, like gender, sexuality, age, mental disability, and race.

This will not be the end, and has been like this from the very beginning. If foreign companies can get access to this information, then intelligence agencies certainly can too.


The problem is that regular people no longer have a place to communicate. It used to be that the workplace, church, neighborhood or union meetings were the place to socialize and discuss these issues and take collective action. Now we have nowhere to turn to. Modern nomadic culture alongside temporary jobs, low trust and personalized news all make sure that we cannot take collective action on anything.

We need to find a new way to communicate before this cancer becomes so widespread that the last bastions are lost.


> It used to be that the workplace, church, neighborhood or union meetings were the place to socialize and discuss these issues and take collective action

People still socialize and discuss issues in the real world. Having a Facebook group for a church or neighborhood doesn't preclude anyone from going to church or physically interacting with their neighbors. People also still take collective action in the real world - Antifa, BLM and the Tea Party are three modern examples, but there are countless others which simply don't get media attention.

And, all else aside, social media is still perfectly adequate for enabling communication between most people.

I'm sorry, but your comment seems more rooted in hyperbole than reality.


If you include the word “privately” then some of the criticism you’re receiving may fall away. “Regular people no longer have a place to communicate privately”.

This is increasingly true. Actions are increasingly recorded. Privacy is increasingly undermined. We have a big problem on our hands.


> The problem is that regular people no longer have a place to communicate.

Have email, chat, forums, physical letters, meetings, etc gone away for some reason?


This wasn't a data breach, it was a misuse of data by a third party.


I think a better source for this is a related story from Guardian on how all of this worked

https://www.theguardian.com/technology/2018/mar/17/facebook-...

It was extremely attractive. It could also be deemed illicit, primarily because Kogan did not have permission to collect or use data for commercial purposes. His permission from Facebook to harvest profiles in large quantities was specifically restricted to academic use. And although the company at the time allowed apps to collect friend data, it was only for use in the context of Facebook itself, to encourage interaction. Selling data on, or putting it to other purposes, – including Cambridge Analytica’s political marketing – was strictly barred.

It also appears likely the project was breaking British data protection laws, which ban sale or use of personal data without consent. That includes cases where consent is given for one purpose but data is used for another.


Facebook?

Yeah

So I, like, need to collect some data, lol

Sorry, can't do that

But I'm like, uh, an academic, this is for great science, see my Cambridge page here, lol

Ah, ok, just don't share it, k?

Yeah, yeah, no prb

kthxby


Technically perhaps correct, but for the victims it seems rather irrelevant to me.

In a data breach, someone would have used a technical vulnerability or some other (e.g. social engineering) vulnerability of Facebook to get illegitimate access to the data.

In this case Facebook simply gave them access to the data and took their word that they won't misuse it.

Now maybe the latter situation might not be a data breach in the classical sense, but I don't see how it makes it any better for the victims. If anything it seems worse -- Facebook didn't even try to protect their data.


Facebook isn't the victim here, it's voters who may have been specifically targeted at a "psychographic" level and had their opinions unduly influenced. Further, every person who's a member of a democracy that was targeted by Cambridge Analytica and is now being run by corrupted politicians (or in the case of Brexit by misinformed voters) is a victim.


Nobody’s saying FB’s the victim. It’s their fault, if anything. People are “unduly” influenced all the time, and by everybody. Saying CA is somehow worse than anybody else just because they worked for people you don’t like is disingenuous. It’s FB that should be held accountable here; they gave away people’s personal data to a third party.


Yes, sorry, if that wasn't clear. By victims I mean the people whose data was harvested of course.


Why are you calling it Target by CA? It's such a great advancement in technology.


Don't you think that it can be a breach in the same sense of a breach by phishing? After all, both of the cases are about people giving their "secrets" for one reason but the info being used for something else.

I mean, in the case of traditional phishing the user is tricked to provide the password by impersonating a banking site, getting their funds stolen and in the case in question, the users are tricked to provide personal information by being promised some kind of personality analysis but their data is used for political propaganda that they didn't ask for resulting in life-changing consequences due to politics.


Interesting comparison.


Right. They basically just made an app on FB then had users accept the permissions. The horribly beautiful thing about FB permissions is that almost every single app will request EVERYTHING, and if you deny even a single permission that the app doesn't even seem to need, then the app will break or won't let you use it. So every user is indoctrinated into just clicking accept regardless of the supposed "granular" permissions. They are granular as in granulated sand, falls right through your fingers.


As of 4 years ago every app needs to be whitelisted by Facebook for every permission they want to request: https://developers.facebook.com/docs/facebook-login/review/w...


And you can remove individual ones! It was actually far better than the Android model at the time.

Many apps didn't get updated to work with the new API though (most hilariously, the NYT refused to let me create an account without my friend list in early 2015).


This wasn’t the case for Graph API v1.0, which I’d suspect was used to gather the data. It was active until 2015...


It's not a secret that FB's business is profiting off your personal data. You could choose to stop using it.


However in this situation we are talking about 3rd parties having an all or nothing policy on your data. If you don’t let some apps you login with Facebook have access to everything you can’t use their app.


...and have everyone else who knows you stop, and block their widgets and buttons that track you, and block any org that might leak, sell, or just share some of your info with them. I can’t stop a friend or just some rando at a party from uploading a photo of me. I can’t stop friends from using FB and getting me into their system. In 2018, privacy isn’t just about what we choose to do.


I agree. But you should take that first step, and then start lobbying your friends to stop posting pictures of you. Personally, I also excuse myself at gatherings when the cameras come out, because I know it's all going straight to FB. The shaming has already started to decrease; now I'm usually not alone in popping out of the room.


I instead, always asked everyone be tagged as someone else. Typically, people are relatively okay with this because no one notices.

It totally breaks the CNNs for face detection.


That is a great idea. Personally I have tried to serve bad data to google captchas for many years. The text captchas were really easy, but the newer image captchas are much more obstinate. Or maybe my shadow profile just got tagged as an unreliable captcha form-filler.


This is a great idea, thanks! I've been asking not to be tagged, but this is better.

I worry that "not tagging" is somehow adding sparse data which can later on be filled in.


Smart, I think I’d have more success trying this than just leaving the situation entirely. This is going to be a lot easier to pull off with non tech oriented friends than a speech about privacy and why I have to leave the room.


I would be seriously impressed and surprised if they managed to get any information based on photos uploaded that happened to include people who weren't tagged and weren't on Facebook. Aside from the all-or-nothing nature of specific apps, privacy is more about what you choose to do than that - most people just choose to not do much for privacy. At least as far as most private corporations using the Internet goes.


https://news.ycombinator.com/item?id=16474938

https://gizmodo.com/how-facebook-figures-out-everyone-youve-...

The fact that 90% of your friends upload contacts/emails is plenty of information about you.


Yes, per https://mobile.twitter.com/alexstamos/status/975044091393187... this (headline) seems like quite a sensationalisation. Nonetheless good to repeatedly raise people’s awareness of what they agreed/are agreeing to.


If that third party wasn't sanctioned or authorized by the contract binding it with facebook then it's a breach.

(not sure if you meant /s)


It’s a data breach in the same way “social engineering” can still be considered hacking


I.e., prosecutors aren't really interested in the distinction.


Every single definition I find classifies this as a data breach.

> A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.


Possibly, but remember it starts with the user authorizing a company (FB) to release his/her data to a third party. If the user doesn't trust the third party then they shouldn't authorize the data sharing. The question I guess is that FB then agrees to share the data under certain conditions (that the third party only uses the data for an agreed purpose), and if this agreement between FB and the third party isn't honoured, shouldn't FB then sue for damages on behalf of the user?


But they were authorized to access the data, weren't they? The problem wasn't that they accessed it, it was that they used it for things they weren't allowed to.


Everybody with an FB app key is "authorized to access [the] data," but the API TOU says you can't save anything.

I'm imagining the crux of the CA issue is that they saved stuff.


Yes indeed, we need to redefine "data breach" to include "against terms of service" to make it easier to go after all the future Aaron Swartzes.

If you redefine a concept and use it against your political enemies don't be all that surprised when they turn around and use it against your political allies.


You are nitpicking a small part of an article (incorrectly) and it distracts from the main point: A foreign power is working with American billionaires to subvert democracy and install a dictator. This is a serious issue and one of the biggest news stories of our time.

> This wasn't a data breach

Yes it was.

> it was a misuse of data by a third party.

So a bank robber who gets into the vault just misused the locks? Or the security guard misused his eyes? This was a data breach. Your language makes it sound less serious than it is, and you are wrong. This was a data breach.

Edit: Less than 30 seconds in, this post is already downvoted. I won't complain about downvotes of course, but it's insane that no conversation is actually allowed to happen on this site without burying one side. I spoke with a neutral tone, didn't do any name calling, I'm not looking for a fight. But downvotes within seconds! You can't silence me HN. I'll keep commenting my opinions and facts no matter how much you don't like what I'm saying. Nitpicking breach or misuse is silly and distracts from the actual substance of the article. It was a breach, by the way.


> A foreign power is working with American billionaires to subvert democracy and install a dictator.

Seriously?

I'm no fan of any politician (or really of "tyranny of the majority") but I was kind of impressed at how well it all worked out last time. An "unpopular" candidate won and the ruling elite turned over the reins just like they're supposed to do, trusting the checks and balances in the system to work.

The quickest way to get a dictatorship is to go against the legal results of an election because the unpopular candidate won based on some metric of "unpopular" like "kids rioting in the streets".


That was not a peaceful transition. Trump said in plain language that he would not accept the results if he lost. He called on gun owners to shoot and kill his political opponents who he has also been trying to jail for the past many years.

If you are impressed with the level of functional elections and government in the US since the last election, I'm shocked. It is not a functional system. It is clearly dysfunctional.


> That was not a peaceful transition.

Indeed, it was the only election since I've been alive that the losing side rioted in the streets calling for the overturning of the election results.

> He called on gun owners to shoot and kill his political opponents who he has also been trying to jail for the past many years.

Fake news much?


You're downvoted because you're technically not correct.

The case is more like the bank manager allowing the robber into the vault, with full knowledge that the robber wants to and could easily make off with all the valuables, then asking the robber to please not do that before heading back to work, leaving the thief unattended in the vault.

Edit: it's a breach of contract, maybe; but not a "data breach" which I think everyone understands to be more like the case where the vault is forcibly broken into.


I was completely technically correct. It's a data breach. Plain and simple.

> A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.


A data breach, yes, but I believe by GSR not FB? It seems like users did authorize FB to share data with GSR?


This is a stupid discussion. So I’ll continue it:

Facebook was authorized to have the data. CA was not authorized, at least not to retain the data. Therefore, it is a data breach. Facebook was the breachee, CA was the breacher. And Billy-Ray was a preacher's son.


I really don’t get your point. Bikeshedding on what to call it makes it seem like the actions of the company, the Bond villains behind it, and Facebook are just fine. FB’s actions show that they knew CA was not just pushing the envelope of the consumer preference and false identity manipulation that makes them their billions but totes aware it was being done together with a foreign adversary to subvert our democracy.


Words mean things. Don't assume that because someone nitpicks a technically incorrect use of a word/term that they are shooting down the entire argument. In fact, we're often trying to help; because we do agree with you; but can't get behind what you're saying 100% because part of it is not actually correct.

I'm definitely not disputing the fact that FB is an evil entity that only cares about making profits off your personal information. But, they haven't suffered a data breach in the same way as, say, Equifax; and it seems to me that choosing to use the word "breach" here must be in an effort to get more clicks; because "breach in the Equifax sense" is what the author knows most people will assume is meant.


Bikeshedding what to call a crime can be useful and important.

The democracy we are concerned about protecting presupposes rule of law, and precision when discussing laws and crimes.


I think I finally understand what the point of Facebook apps is and why they've always felt in some way dodgy. It's been clear for years that Facebook apps can get your user data, and that of your friends, and that Facebook designed them that way and were aware of that. The Guardian article even mentions that one of the apps used by GSR to gather data for Cambridge Analytica triggered Facebook security protocols trying to pull too much data.

What I didn't understand is why Facebook would grant this - maybe at some point they needed viral apps on the platform and giving user data away encouraged people to make them - but why did it still work a few years ago? But this article made it click: all you can really do to monetise or use millions of profiles of Facebook users is target them with ads, and Facebook is the only place you can target those ads effectively given Facebook user data, and the more data you have the more effective those ads are, the more you pay Facebook.

Facebook don't sell user data, they've long said that - and it's true. They sell the ability to target advertising to their users, and you can do that a whole lot better if you have their user data. So they don't sell it, they give an API for their users to freely give it away, knowing that once you've done all your analysis on it you'll conclude that you should spend money paying Facebook to actually deliver your messages to those users.


> Facebook denies that the harvesting of tens of millions of profiles by GSR and Cambridge Analytica was a data breach. It said in a statement that Kogan “gained access to this information in a legitimate way and through the proper channels” but “did not subsequently abide by our rules” because he passed the information on to third parties.

This is exactly how Facebook was designed. You get a stupid quiz or photo frame in exchange for a copy of your friends list. It's always worked that way, and it's why Facebook OAuth was more popular than Google+ and other OAuth since 5+ years ago -- because app devs can make more money from Facebook OAuth since it comes with a copy of your friends list, so they prefer to integrate Facebook.


As of ~4 years ago when Graph API 2.0 was released that’s not true.

The /friends endpoint only returns friends of the user who have also already installed your application.


As of April 2016 wasn't it limited to 50 "close friends"? IIRC it was also possible to abuse iOS webview and the FB library by modifying some private methods and injecting some JS to get the info of more than 50 friends. I don't remember the details, but I saw it in the wild in a high growth top 10 iOS app (reverse engineered to see how they were getting so many users so quickly).


Facebook: "no-one herds our sheep but us, mmmkay?"


So... If I were in Cambridge Analytica's position, employed to influence the US election, one of the first things I'd do is match this data with any data I could find on voting patterns. Which reminds me, didn't some of the Russian APTs hack into state voter databases?


You don't need to hack into voter databases - most people register for the party they vote for and that is public information(along with their home address, phone number, and whether they voted in past elections).


You may not even need to cross-reference it, Facebook asks you what your political affiliation is and displays it on your profile (or did, at one point)


I think it is much more important to focus on an investigation to make clear to the public how this data was used. That I think will lead into a much more interesting story. No one seems to want to go there and I don't understand why. Maybe because a lot of its clients are political parties/political individuals around the world and they do not want to be ousted for using "public opinion manipulation technology" on a wide scale.


Any investigation would be about as thorough as the Russian bots "investigation".


Think about all those apps where you connect your bank account via your online banking creds that have full access to everything you buy.


Do people do that?


Yes, I know Mint does it and most credit unions offer FinanceWorks. Intuit gets the data from both.


Have you used Robinhood?


I wonder how many of the "see what you'll look like when you're 80" and "find out how you'll die" quiz apps are doing this behind the scenes.


I once told a sales rep from my ISP to stop trying to sell me on a phone subscription to which he replied that "I probably signed up for a Facebook competition or something" as if that justified it. (I don't have a Facebook account.)

One of the worst things Facebook did was to just destroy any expectation of privacy.


If I am reading the paper which started all of this correctly, you don't even need the quiz apps if you have the correct permissions:

http://www.pnas.org/content/110/15/5802


The quiz apps are how you get the permissions.

Require the user to "connect with Facebook" to see their result. Give them the result, but quietly siphon off every bit of data you can with the access token.


All of them. That's the only reason the apps exist.


That’s a ridiculous statement.

I still run several games on Facebook platform. It’s much easier to acquire and retain users than on mobile and it’s much more profitable because there seems to be a higher propensity for users to pay.



This kind of work combining propaganda and disinformation with AI models and feedback into them to get a progressive change of belief is fascinating. I think of this as the first of many wars democracy will fight against AI and we are currently losing.

This comment is from the “Duped” article that has a different headline and more detail.


For example, "Weev" got 3 years for downloading ATT user data. I wonder whether Bannon&Co would get anything ... So far it doesn't look like FB makes any push for a CFAA case here. I wonder what FB would do if instead of Bannon it were a nobody like the above-mentioned "weev".


50M doesn't strike much in FB scale, that's until...

  At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential US voters.


Sorry for the crappy formatting, can't edit now, so here's pprint version:

  At the time, more than 50 million profiles represented around 
  a third of active North American Facebook users, and nearly 
  a quarter of potential US voters.


Nothing new about Campaign Data companies. In fact knew of a South San Francisco company called 'Campaign Data' in the '90s that ran a SAS on DECUnix. They collected voter registrar data from counties for targeted voting campaigns. Usually for passing more restrictive laws or raising taxes. Like raise property taxes for schools; send flyers to renters with kids and send nothing to homeowners with no kids. It was always in a way, unfair and evil.


Let's be realistic here. This headline is nothing but partisanship. The only reason this is exaggerated as a "data breach" is because of the connection to the Trump campaign.

The real scandal is that such data is so easily harvested and freely available.

I'd be interested in seeing how much of Facebook's data repository was used in targeted political ads by all parties. Including Russian agitators who have been shown playing both sides.


There are at least 25 scandals surrounding the Trump administration currently that are each worse than the two pseudo-scandals surrounding HRC that Conservatives managed to drum up, i.e. e-mails and “Benghazi”. And it's not like FOX and the entire US Congress have less power than the Guardian.

So, no: “They are all the same” isn’t just cynical and useless. It’s also wrong.


So, in your opinion, this justifies the false headline of the article, and is reason to turn a blind eye to the same potential data abuse when committed by the other party?

> “They are all the same” isn’t just cynical and useless. It’s also wrong.

Please do not put words in my mouth. All I am asking for is journalistic integrity. Media in the U.S. has proven repeatedly to be partisan, which, to a rational person, makes it very difficult to separate fact from propaganda. This article is a case in point.

Unethical politicking is not an excuse for spread of misinformation.


> There are at least 25 scandals surrounding the Trump administration

https://rationalwiki.org/wiki/Gish_Gallop

https://en.wikipedia.org/wiki/Argumentum_ad_populum

I'd argue that this article pretty well encapsulates all of the various "scandals" the Trump administration is being bombarded with: breathlessly exaggerated so that people whose mind is already made up can scan over it and add another tickmark to their list of "scandals"


It's essential to hold the President publicly accountable for his actions, especially when illicit actions pervert the foundation of the United States, the democratic process. That's not partisan; that's normal, healthy democracy; that's the primary public good provided by journalism.


Sure. But it is unethical to exaggerate and hold only part of the political system accountable for shady or illegal practices.

This is part of a consistent pattern. Our media has become as hopelessly partisan as our unfortunate two party system, and unethical behavior on one front does not justify the same on another in response.


Can you explain why it's unethical to hold people accountable for their actions or actions others took on their behalf?


From my post, again:

>But it is unethical to exaggerate and hold only part of the political system accountable

Please consider what I wrote in sum. Partisanship and exaggeration are antithetical to trust.


Don't think the intent of my question was communicated clearly. Let's try again.

From your original post:

> The only reason this is exaggerated as a "data breach" is because of the connection to the Trump campaign.

You have provided no evidence of this, and until you do, your comment is read as a case of whataboutism[0]. Because we are not shoehorned into the pursuit of a unilateral solution, we can both [A] call out Trump's unethical engagement of Cambridge Analytica (CA) and [B] lobby for more stringent privacy regulations, like the EU is doing.

Given the, as a prior commenter said, 25 scandals, along with string of accusations of indecent conduct, collusion, etc. that Trump is clouded with, the conclusion being made is that his engagement is not the unknowing of an unethical actor acting on his behalf, rather the turning of a blind eye.

So given the inflammatory nature of the original comment:

> Let's be realistic here. This headline is nothing but partisanship.

So in sum, on first glance your comment leads me to assume you have an agenda.

Assuming that this isn't true, let's talk about the main issue here: the micro targeting of ads, and the usage of this "data breach" in the Trump campaign.

Frankly, this scares me. The power this data provides and the way that it can be wielded should scare people - who wants to live in a world where the government/corporations/people can induce people into certain behaviors? Whether Trump or Clinton uses this information would result in people bringing up their pitchforks.

I don't think that we're exaggerating here calling it a data breach - it is a gross misuse of personal information, however gained. And while I'll admit the term data breach is a bit of a stretch, the connotation of the word fits perfectly with the situation. People downloaded an app for a survey, had their entire social network scraped, and then had that information used for an ulterior motive, without them knowing at all. We should be holding them accountable for their scummy behavior. Facebook already is starting to.

We've already seen the GOP bring up the email campaign and Benghazi for the entire length of the Clinton campaign. Note the irony here as the GOP is almost completely silent over America's current president's daily antics. It is the lack of response from the GOP toward any of the recent political events that is characterizing HN's response toward CA as overblown.

So with that said, why do you believe that it's unethical to call out Trump and by extension CA's actions?

[0] https://en.wikipedia.org/wiki/Whataboutism


>So with that said, why do you believe that it's unethical to call out Trump and by extension CA's actions

Nothing in that wall of text justifies your twisting of my words.

>I don't think that we're exaggerating here calling it a data breach...And while I'll admit the term data breach is a bit of a stretch

If you weren't in such a desperate rush to misconstrue my argument, perhaps you would be able to maintain consistency in your own.

Once again, I am speaking of the ethics of exaggeration and selective accountability in journalism. My point is not that it is unethical to call attention to this misuse of data, but that the post title is likely deliberately misleading because of enablers like yourself, who selectively turn a blind eye to such embellishment at any mention of Trump or the GOP.


I hadn’t thought of it like this before, but from a political POV everyone’s vote, whether they are a dole bludger or a quantum physicist, is worth the same. So really, to win an election .. take that as you will. Identifying these people is a very profitable area.

Interesting side note .. in Australia we assign school funding based on the highest education received or wage class of the parent (classes A, B ... E or such).


1) Facebook collects and builds a profile about you
2) Facebook allows third parties to target advertisements based on the profile
3) Advertisements are tracked
4) Browsing habits and advertisement tracking reconstructs who was targeted


ITT: people who did not read the link. Astroturfing and conservative martyrs bleeding all over the site.


Why bother protecting any data, if you can put a footnote in your ToS.


I don’t understand the use of the word “breach” in this headline.


Can't wait for Sheryl Sandberg to write a new book now on garden soil or something.


Any reason to attack the one woman among the Facebook leadership and not, say, Mark Zuckerberg?


Because the others among the Facebook leadership are not going around writing and promoting books?

Also, do you genuinely not find it disconcerting that Facebook leadership go to great lengths to avoid discussing the privacy implications of their service? And the only person in that group who puts herself "out there", so to speak, is instead writing "success literature"?


Is there some specific evilness to writing books? Because I don’t see how her writing books is reason to single her out for criticism.

> Also, do you genuinely not find it disconcerting that Facebook leadership go to great lengths to avoid discussing the privacy implications of their service? And the only person in that group who puts herself "out there", so to speak, is instead writing "success literature"?

So you’re angry because they don’t talk about privacy. And you’re especially angry at her because ...she doesn’t talk about privacy?

That argument also doesn’t make much sense when comparing her to Zuckerberg explicitly, who’s at least as “out there” as she is. Didn’t he go on a “50 states listening tour” last year?


I guess she likes money and success literature earns more than privacy literature.

If there would be someone in Facebook leadership that writes about privacy and political implications for it, it would absolutely make sense to single out that person. Success literature is irrelevant to the topic.

But, I think she was singled out, because she is the only name besides Zuckerberg the parent knows. Never underestimate ignorance on a discussion forum.


This is hardly news... Facebook ads cannot target specific users, they only target audience segments.

It's actually far easier to create ads targeted at segments with likely political beliefs, and Marketers have access to aggregate numbers of niche segments today.

There's no need to scrape people's profiles or get down to the individual level.


EDIT: As more is revealed about Cambridge Analytica, this clearly is "news" that requires more investigation.

My original comment was more in response to user vs segment level targeting.


China has more. They have enough that this is a drop in the bucket. While they might be as blatant and ineffective as Russia by interfering with an election, they want a low profile and to maximize capture of revenue, so they are more about making money than trying to put feces on the face of the American political process.

You people should pick your battles. It would help if you knew the battlefield first.


> You people should pick your battles. It would help if you knew the battlefield first.

I am so glad you know more than the UK, EU, US etc governments who have identified Russia as the primary source of instability for elections.

And since when has this been an either/or scenario. You can focus on both Russia and China.


How about this idea: what if the Russian bots aren't actually Russian? How has no one considered this possibility?


Yes they have considered it. And they have identified they are Russian.

You really think governments wouldn't have checked this?


I thought the public might be a bit more skeptical.

How did they identify with certainty that they are Russian? Is there any way for someone without top secret clearance to verify this?


How - the special counsel Mueller has subpoena authority. First link from indictments in list form. The one I saw on TV was that guy with Hillary in a cage in parades - he was paid by Russians to make it. I also remember reading about the pro and anti gun rallies at that Texas state park - the Russians made the Facebook page for both sides in that little incident. https://mashable.com/2018/02/16/indictment-russian-trolls-in...

Presumably Mueller used that subpoena on Facebook and internet providers and the Russians didn't try to hide very hard and used mostly Russian ip addresses.

There's also the fact Facebook admitted it sold ads and post promotion to Russian agencies and told Congress the reach of those ads and posts. Recently Facebook revealed to all users in North America whether or not they had interacted with those ads/posts. Several news organizations have independently found the data from other sources including actual interviews with the people working in Russia.

One technique the Russians used was to impersonate Americans of some extreme view to sow discord and inflame the other side of some debate. https://www.thedailybeast.com/exclusive-russians-impersonate...

There were also several different Facebook campaigns where they got Africans with pidgin English to pretend to be Americans and try to inflame white nationalists' and latent racists' fears.


I've heard all sorts of the juicy details, it makes a great story there's no doubt. What I'm looking for is some substantial, verifiable evidence to overcome my suspicions at how perfect of a story it is, as well as some of the inconsistencies.

For example:

> Presumably Mueller used that subpoena on Facebook and internet providers and the Russians didn't try to hide very hard and used mostly Russian ip addresses.

So on one hand, article after article tells us how sophisticated these hackers are, yet these very same hackers didn't hide their ip addresses, and also openly posted links on twitter that were supportive of Russia. Doesn't something about that seem a little off to you? If it does, you'll be the first person I've encountered who thinks it does, everyone else is completely confident that this is an open and shut case. Yet, none of these same people can point to any specific evidence that could convince me. Sure, everyone has some articles full of juicy stories, usually containing confident statements from high ranking government officials assuring us crimes have been committed and they have proof, but I've never been able to find a person who could point me directly to any proof.

1/3 of the way through https://www.justice.gov/file/1035477/download, rather than having my mind changed, my skepticism is stronger than before.

This feels a bit like some things we've experienced in the past, where the "facts" about an enemy, that we are assured are 100% completely true and verified, trust us, turn out to not be true several years down the road. But by then, we've already spent trillions of dollars and waged a war killing thousands of innocent people.

I'd rather not go down that path again, so I'm sorry if I can't join in the party vilifying the evil Russians, because based on the information I have so far, it seems like classic misdirection with the primary beneficiary once again being military budgets, and everyone is just a bit too enthusiastic to believe anything they're told.

EDIT: There is no shortage of internet downvotes for people like me who aren't willing to go along with this story, but there is a severe shortage of people who will put me in my place with actual content. You can probably imagine the effect this might have on the certainty I feel in the correctness of my stance. Unlike others, I'm open to having my mind change, but for some reason no one can muster any effort beyond a condescending and intellectually lazy "let me google that for you".


The leader of Cambridge Analytica bragged about breaking US and UK law to reporters posing as prospective clients. I guess that could be faked ala deepfakes or whatever but it looks pretty definitive. https://www.channel4.com/news/cambridge-analytica-revealed-t...


They have some of the Russians who worked for the RIA interviewed for newspapers and admitting what they did, which kind of blew my mind. I guess one could claim those were faked, like the moon landing conspiracy theorists.

From your own example which I presume is about the Iraq war, there is nothing that an ordinary citizen can do to prove that powers in the US, UK, and Kuwaiti governments (and Iraqi agents working in favor of an attack on Iraq) falsified the evidence they presented to the public for a compelling argument for invading Iraq without relying on sources that cannot be verified by an ordinary citizen without access to the journalists/non proliferation experts/government agents responsible and nothing an ordinary citizen can do to prove US claims that Iraq had an active WMD program and mistreated Kuwaiti babies as claimed at the time (by what we know now was a state actor who lied for Kuwait) in congressional testimony after the Iraq invasion of Kuwait. Even the New York Times and that one reporter famously lied flat out about Iraqi weapons programs and abuses in the build up to the war. But there were plenty of people who were investigating the claims of Iraqi WMD who said there was nothing there and that led to a lot of people protesting against the war. I don't see any investigators for the FBI or NSA coming out and being a whistle blower and saying this Russian thing is faked, on the contrary, the only whistle blower who came out so far, actually showed the internal NSA documents that said the USA elections were under cyberattack by Russia. The most reputable guy who came out for the Iraq WMD was possibly Colin Powell. Less well known is that he was also the first US Army investigator who looked into the My Lai massacre and he found that nothing was done wrong, so he was kind of used to this type of thing by then. It took a second Army investigator to reveal what happened there.

Or more contemporaneously there is nothing a citizen can do to prove that the recent Russian spy who was released to the UK and attacked was poisoned with a Russian only sourced nerve agent. And if it was the Russian nerve agent (that the Russians officially proclaimed to have destroyed all stockpiles of), there's no way for a citizen to prove it was Russian government behind it or that some other power was responsible for usage of it. I didn't vote either way on your comment, it just seems like an impossible standard.


I honestly don't think wanting to see verifiable evidence before forming a decisive opinion on something is anything near an impossible standard, especially since as you've noted, our governments and newspapers are known to lie to citizens. Anyone who's done any reading on the topic outside of the mainstream knows what you see on TV in the west is a slanted version of the truth at best. And yet, look how absolutely certain people are about their beliefs, but when asked to provide some of the hard-factual content they read to form this rock solid opinion, almost no one has anything other than a downvote. To me, this looks like some sort of a classic mania, and it's quite concerning.


> Russians didn't try to hide very hard and used mostly Russian ip addresses.

This is incorrect. The indictment explains it. They routed their connections through US-based VPNs to appear as if they were American users.


As they should, but I read another Authoritative Proof that many people assured me I should take Very Seriously that used the posting of pro-Russian propaganda as the proof that Twitter bots that interfered with the election were Russian.

I don't doubt at all that there is a government sponsored organization in Russia that promotes Russian interests via cyber operations, as I'm sure there is in the United States. I'm looking for proof that:

a) this isn't a 3rd party posing as Russians

b) The harm or danger of this meddling is proportional to the airtime and Very Serious Tones of Voice we've been subjected to 24x7 for the last year.

Do you know of any compelling (and verifiable by a civilian) evidence that could help me with that?


How much reading are you willing to make time for? I've collected a very large number of links to source, research, & analysis material on Russia's ongoing active measures campaign over the last 14 months (though ironically, I still haven't gotten around to reading the recent indictment). This is a complex issue, and my perception is that a full proof of all the claims alleged about Russia's operation will require much more detail and logical inferences than most people who keep harping about "where's the proof? where's the smoking gun?" really expect. But if you want to keep the scope limited to just your a) and b), then I can probably dig up some compelling and hopefully verifiable public evidence in support of them (at least in support of your point a - for b, the only people who have metrics & data on how effective and impactful this operation has been on our country are probably the IRA, Russian intelligence services, and Cambridge Analytica. So point b is tougher for me, but I could at least point you to proof of the dark seriousness of their intent and goals). It might still be a lot of material to go over, though. Fair warning.


a) Feel free to read the indictment, some detail there. I assume there will be far more at a later point.

b) I have no idea what effect it had. I personally am not sure it did have any effect that made a difference. Coverage is still warranted because attacks from foreign nations are newsworthy regardless of success.



