[cryptarch]

Uhhh... "facebook can't query user data"? Facebook even has the current occupation and location data of users, so of course they can find out at what specific store you work!

Facebook has a larger user base with richer data on them, than the app in the story. None of that data is E2E encrypted, and all of it is available to (some) FB employees.

I think your FUD is unjustified here.

[jimmywanger]

Nowhere did he say that "facebook couldn't query user data".

He's saying that it's probably not in a form that's easily queryable. With that information in an ill-secured data store that's highly categorized you can do all sorts of mischief.

And how is it FUD? Once you cleanse and normalize data, fraud opportunities become very apparent.

[cryptarch]

It sounds a lot like "I assume FB has good data practices based on nothing, and I assume this app has bad data practices based on nothing, thus this app is probably bad".

Yeah, the app has an option to fill in your store ID, but Facebook has at least as valuable data on you (like many private conversations), and has the tooling to extract all kinds of markers from this rich data (i.e. for advertising and running facial recognition on all your pictures). Fraud opportunities are everywhere in the centralized social media (/ web services) sphere.

[jimmywanger]

> "I assume FB has good data practices based on nothing, and I assume this app has bad data practices based on nothing, thus this app is probably bad".

That is a strawman. FB probably has decent (at least industry standard) data practices because they're a public company, spend a lot of money on hiring engineers, and have been under investigation for keeping data secure. I think that if they're doing something wrong, they're probably not doing something obviously stupid.

Now, you have another app which was written by "Now, Marler has a second job: She’s one of about two dozen current and former employees who helped construct an app called WorkIt that answers questions about Walmart’s policies and workplace rights using Watson, IBM’s artificial intelligence bot."

I'm not saying that this app is bad, I'm saying that they have a huge probability of overlooking data security vulnerabilities. Of their two dozen employees, how many of them are really well versed in inf sec or IT?

The belief that FB has good data practices and there are no assurances that another random app has unknown data practices is rooted in reality.

The fact that the random act is asking for so much possible PII is not a good sign.