Facebook data "breach"

Facebook has been in the news a lot recently along with Cambridge Analytica for a rather interesting story about voter manipulation and targeted advertising.

Accessing your own data

It's an interesting story and, on the face of it, it seems quite bad. For their public relations it is, but when you look at what they did wrong, it's hard to identify anything tangible.

I have used the Facebook API quite a lot in the past, and with one project I made use of friendships to delve down into user connections to cross-reference records and build a basic picture of a user's friendship network, in a rather basic attempt to make a website more appealing. It's been a few years since I have used it in that much detail, and I get the impression things have tightened up a bit since then, but it was always designed to replicate the normal Facebook site. If you could see something by browsing the site, you could see it through the API, with suitable permissions of course.

When a user authorises a connection, the app's makers can pull down the user's name and email address and, if allowed, a list of the user's friends. With another permission, this can be expanded to include things they have liked or followed, which can go a long way to defining a person's interests, beliefs and political persuasions. You can then combine this with information the user and their friends have decided to share publicly, which helps to build up a picture of these people.

From one user connecting your app to their Facebook account you could get a very complete picture of well over 100 people.
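The fan-out described above, modelled on constructed data as an added example (not code from the original post and not Facebook's API; the scope names, people and friendships are hypothetical). It separates the one person who saw a consent dialog from everyone whose data becomes readable as a result.

```python
# Added example: models the consent fan-out on constructed data.
# Scope names are hypothetical labels, not real Facebook permission identifiers.
SELF_SCOPES = {"basic": {"name", "email"}, "likes": {"likes"}}
FRIEND_SCOPES = {"friend_list": {"name"}}

# Constructed sample: each person's attributes and which they share publicly.
PEOPLE = {
    "alice": {"attrs": {"name", "email", "likes"}, "public": set()},
    "bob":   {"attrs": {"name", "email", "likes"}, "public": {"likes"}},
    "carol": {"attrs": {"name", "email", "likes"}, "public": {"likes", "email"}},
    "dave":  {"attrs": {"name", "email", "likes"}, "public": set()},
}
FRIENDS = {"alice": {"bob", "carol", "dave"}}


def exposure(user, granted):
    """Return {person: attributes the app can read} once `user` grants `granted`."""
    seen = {user: set(PEOPLE[user]["public"])}
    for scope in granted:
        # Scopes about the consenting user's own data.
        seen[user] |= SELF_SCOPES.get(scope, set()) & PEOPLE[user]["attrs"]
    for scope in granted:
        if scope not in FRIEND_SCOPES:
            continue
        for friend in FRIENDS.get(user, set()):
            # The friend never saw a consent dialog for this app, yet the
            # friend list names them and their public data can be joined on.
            seen.setdefault(friend, set())
            seen[friend] |= FRIEND_SCOPES[scope] | PEOPLE[friend]["public"]
    return seen


def consent_gap(user, granted):
    """People whose data is readable but who never authorised the app."""
    return sorted(p for p in exposure(user, granted) if p != user)


if __name__ == "__main__":
    for person, attrs in sorted(exposure("alice", {"basic", "friend_list"}).items()):
        print(person, sorted(attrs))
    print("never consented:", consent_gap("alice", {"basic", "friend_list"}))
```
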

If you spend your time in the code and look at each of these things separately, there is nothing wrong with it; it's the user's data, which they have either granted a 3rd party permission to use or decided to share publicly. When you sign up as a developer you have to agree to terms of use, which include things about not saving or using data inappropriately, but there is absolutely nothing that can stop a developer if they have ulterior motives.

At this point Facebook have done all they can: they have asked the user if they want the 3rd party to access the data, and they have told the developers what they can do with it.

It's only when you take a step back that you see how this data can be augmented and used way beyond its intended purposes. As a developer it's quite hard to take a broader look like this, because when you're working with these APIs and lists of permissions everything is clean and simple and very black and white.

Capturing too much

The other thing to emerge recently is the capturing of phone call logs and SMS messaging by the Facebook mobile apps installed on people's phones. Again, this is easy to understand but a lot harder to explain away or justify.

Going back a few years, the mantra (for better or worse) in large parts of the tech community was to capture as much data as possible in case it could be useful later. Storage was super cheap and data was valuable, so you would be daft not to! This is made worse by the lack of granularity with permissions on mobile phones. For example, if you're building a video playing app you will probably need full access to the phone system in order to pause playback if a phone call comes in. The app doesn't do anything with phone calls, but by gaining access for innocent reasons you immediately get access to call logs. Then all it takes is a developer or project manager to say: why not capture that phone data, it could be useful for... (insert some obscure reason here).

This type of behaviour has thankfully started to decline as people get a better grasp on the type of data involved and become more aware of users' legitimate privacy concerns. Within Europe, the GDPR rules coming into force also push people to capture as little as possible, so if you want to capture lots of data like this you now need a very good reason.

In the end I don't think the level of grief Facebook is getting for the Cambridge Analytica story is fair, but they are a very big company and have been for some time, so they have the skills to foresee these types of problems and inappropriate uses of the data and to come up with solutions, even if that means taking a step back and raising some walls around their garden.