The Need for Transitive User Privacy

If anything, the Cambridge Analytica scandal that came to light earlier this year is far from over, as Facebook continues to reel from the fallout over its lax data protection policies. With over 200 apps suspended as a result of an ongoing audit, the social network has not only suffered a reputation hit, but has also come under intense scrutiny for its opaque data sharing practices, including signing long-term agreements with device manufacturers that gave those manufacturers broad access to Facebook users' information without the users' consent.

While this no doubt stresses the need for strong transitive privacy laws (i.e., laws that prevent leakage of your friends' data when you 'voluntarily' give up yours, a loophole Apple recently closed by prohibiting third-party apps from harvesting user information to build advertising profiles or contact databases), Facebook has a far more pressing question at hand: how big of a problem is it in the first place? Was Cambridge Analytica just the tip of the iceberg?

Apple App Store revised data sharing guidelines (iii), (iv) and (v)

And everything we have learnt so far seems to point in that direction. Back in April, Facebook quietly admitted that its Search feature was abused by "malicious actors" to "scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way." Let's pause for a bit to let that sink in: a majority of Facebook's ~2 billion users have had their contact information (if publicly available) surreptitiously collected by third parties who have no business mining it in the first place.

Even more troublingly, security researcher Inti De Ceukelaire found another instance where a personality quiz app designed by Nametests.com "publicly exposed information of their more than 120 million monthly users — even after they deleted the app," and that "this data was publicly available to any third-party that requested it."

Although the security bug was closed by Nametests, it's hard to tell if any user data was abused this way. But the fact that it remained open for almost two months (the issue was reported to Facebook on April 22, with no actionable response until June 27) demonstrates the social network's relaxed attitude towards user privacy. After all, if Facebook fails to enforce its own policies on other developers, who else but itself is to blame for all the negative press coming its way?
