You can show them that this responsibility is paramount. Stop giving them your data.
> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.
But if you click on the "related post" at the bottom of the page, "Taking Legal Action Against Data Scraping" (Oct 2020) , you'll see this sentence:
> Scraping is a form of data collection that relies on unauthorized automation for the purpose of extracting data from a website or app.
It would be interesting to hear Facebook PR team describe the difference between "Hacking" and "Unauthorized Automation", and why apparently the latter is nothing to worry about now, but was sufficient to generate lawsuits in October.
.. a couple paragraphs later ::
> We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.
Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do. Which is also the definition of other "hacks", like SQL injection
From the article it appears that the contact importer is an API endpoint which returns a set of Facebook profiles given a set of phone numbers. In that sense, it did exactly what the developer intended.
If I write a script to query google.com and get a response back you could say I'm not using google search as intended, but most software engineers would laugh at me if I claimed to have "hacked" Google in this way.
"Facebook confirmed to me that the vulnerability was genuine, that the exploit would enable a “bad actor” to connect phone numbers and user details, and that it has prompted changes to be made. They pointed out to me that the exploit process is “complex,” but nonetheless did leave the platform open to abuse and put users at risk."
Bug owned by FB either way.
I've just checked. My phone number is in the data set. I've never set my phone number public so no one should have been able to 'scrape' it.
On a side note, I remember learning about this feature, or maybe an earlier incarnation, a few years ago when a friend showed the the profile of a girl he just met at a bar. The girl had a pretty common name so I asked my friend how he looked her up, did they have friends in common. I was really just curious how FB would now which person to show. He said "no, she gave me her number and you can look them up like so and so". (I can't remember whether you could search for the number or had to create a contact, but it's besides the point.)
I was pretty baffled because it was obvious that you could just create a very powerful white pages type of db pretty easily. Which someone apparently did for half a billion people.
This also explains how someone managed to call me from a UK number a few weeks ago trying to sell me some news paper subscription. They said they were from the "Herald digest". And they did know my name (so it wasn't just dialling random numbers.)
Not sure they envisioned someone enumerating phone numbers and pulling all data. But that would be hilarious if they claim that's what they intended and that was a feature.
Scraping to me is what google does, exploring links, saving and parsing data.
The contact importer presumably sourced data from iOS, google, outlook or similar address books.
You shouldn’t normally get data out that way, was it returning unexpected results from partial matches?
Maybe you could view a profile page by uploading an address book with partial, stubbed data. This page that then normally wouldn’t have been accessible to the user then was and those and any connected profiles were then crawled and scraped?
It seems to me you used to be able to view an otherwise private profile if the person had extended a friend request.
Sort of like saying "people scraped publicly available information from our website" when someone grabs passwords from a public-facing MongoDB database without a password.
This was just an attacker abusing "Who can look you up using the phone number you provided?" for users where this was set to the default of "Everyone" and then scraping the public details for the profile that popped up.
Mark Zuckerberg's own phone number was included, and you can bet he would never intentionally release that nor is he likely to misconfigure his privacy settings and leak it due to user error
There's also the case of Google being ethically bankrupt as well (undisclosed DoubleClick tracking backdoor in Chrome).
I don't see the argument that FB is worse than Google. Google will snoop on your private messages for information that they can use to feed their advertising machine, and they have an entire browser dedicated to ad networks (they regularly implement insecure APIs that are immediately abused by DoubleClick customers, including on high profile sites).
If you work at Facebook and you feel compelled to tell me why your personal Faustian bargain was actually not such a bad thing, read Mistakes Were Made (But Not by Me).
Hmm, that's interesting. I read about a court case recently that seemed to say scraping was okay and also that companies shouldn't work to prohibit scraping.
Just speculation. There has to be a method to the madness that is Facebook press releases.
Any admission by Facebook can and will act against them in the [highly likely] class action that will be executed.
I'm sure their legal department checked every letter in this statement with a x100 magnifier.
As someone who has an account (begrudgingly for Messenger since you can't solely use a phone number anymore) but doesn't use it, can I just say:
Wait, what?! Since when does Facebook have health information!
I don't know conceptually what portion of Facebook they're referring to but that's news to me.
I am sorry but that ship has sailed. I have already received several spam messages at the unique email address I used only for Facebook login, so the data has been spread very wide at this point.
If you are an EU resident, this can be a GDPR violation so you should follow up.
It’s like a comedy.
Go to 41:18 in and listen to the story regarding Facebook and NYU's AdObserver project.
Facebook has no credibility.
Cool, should we assume everything else Facebook has was included?
But it may have just been a generic statement.