by DCF 3009 days ago
How would that not be a breach? Their system allowed a malicious entity acting in bad faith to gain large amounts of data under false pretenses. If they got the data by pretending to be an employee and social engineering their way into the data that way, Facebook would 100% call that a breach. Is this that different?

"The processor is, in fact, operating as it is designed"

- Steve Smith (Vice President, Intel)

I don't think it's so clear. Two things happened:

(a) Users were duped into giving up their data under a false pretense. This alone cannot be called a breach.

Also, one of the following occurred:

(b.1) Facebook was duped into letting a fraudster install an app on their platform. If this happened, it was a breach.

or

(b.2) Facebook knew all along that the academic research was only a cover for duping users into giving up their data. If this happened then it was not a breach, because Facebook themselves effectively sold the data.

So what Facebook appears to be saying is: There was no breach. We sold the data!

[Edit] Judging by what this man says, it was probably b.2: https://www.theguardian.com/news/2018/mar/20/facebook-data-c...

My conclusion is that there was no breach.

A small point, but one that FB uses in its defense: it does not charge for API usage.

Because they know that apps make money through Facebook ads and they do charge for those. If Facebook knew about the true purpose of this sort of app, then they also knew that they were going to make a lot of money off of it.

Well, the difference is that it was not unauthorized access. It was allowed by Facebook on purpose, because this is their business model.

It is WORSE than a breach, because FB is complicit.

> It is WORSE than a breach, because FB is complicit.

A breach in which the custodian is complicit is still a breach, not something worse. Obviously, it's worse from the perspective of the custodian's degree of responsibility if they are actively malicious rather than negligent or innocent, but this is still within the usual definition of a breach of private data. A breach is about the subject's privacy being violated, which can happen with or without the complicity of the custodian of the data.