[maemilius]

Unless I'm horribly misinformed, the Google breach is absolutely nothing like the Facebook-Cambridge Analytica deal. CA got huge amounts of information about users. The G+ breach just gave out contact information.

It's similar only in that it unintentionally gave out more information than it was supposed to. Beyond that, they're not similar at all.

I get that we shouldn't give Google a slap on the wrist because it's "not as bad", but we absolutely should not conflate the massive breach that was CA with this.

[Bartweiss]

I think the comparison is a coherent one on the security side - these were both attacks enabled by allowing apps to piggyback on the visibility settings of the app user. Further, both represent threats which can't be entirely controlled (picture a user infected with a worm that simply opened Facebook and clicked through profiles), but can be constrained by auditing API data request options. If I had a social media site with an API for user-installed apps, I'd be thinking about these attacks in the same category.

But I do think the coverage here, equating the attacks on a user-impact level, is substantially unfair. The Facebook attack in some cases compromised Timeline posts and private messages from friends. What's more, Facebook initially claimed only profile data had been access, and took very little further flak when it was eventually revealed that private messages had been compromised.[1] Portraying the contents of the breach as comparable feels like it not only overstates the current exposure, but gives Facebook a pass on the broader reach of its exposure.

[1] https://www.wired.com/story/cambridge-analytica-private-face...