by Bartweiss 2805 days ago
I think the comparison is a coherent one on the security side - these were both attacks enabled by allowing apps to piggyback on the visibility settings of the app user. Further, both represent threats which can't be entirely controlled (picture a user infected with a worm that simply opened Facebook and clicked through profiles), but can be constrained by auditing API data request options. If I had a social media site with an API for user-installed apps, I'd be thinking about these attacks in the same category.

But I do think the coverage here, equating the attacks on a user-impact level, is substantially unfair. The Facebook attack in some cases compromised Timeline posts and private messages from friends. What's more, Facebook initially claimed only profile data had been accessed, and took very little further flak when it was eventually revealed that private messages had been compromised.[1] Portraying the contents of the breach as comparable feels like it not only overstates the current exposure, but gives Facebook a pass on the broader reach of its exposure.

[1] https://www.wired.com/story/cambridge-analytica-private-face...
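The "piggyback" design the comment describes, as an added example that is not part of the thread or of any real platform's code: a toy model of a third-party app API in which an app installed by one user reads data about that user's friends. The vulnerable feed grants the app everything the installing user can see, friends-only posts included; the hardened feed also requires each friend to have authorised the same app, and an audit helper lists the friends whose data would otherwise leak without their consent. All users, apps (`quizapp`, `otherapp`) and posts are constructed for illustration.

```python
"""Added example (not from the HN thread, not any platform's real code).

Toy model of a user-installed-app API. A 'piggyback' design lets the app
inherit the installing user's view of every friend; the hardened design
additionally requires the friend's own consent to that app. All names and
data below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Post:
    author: str
    text: str
    visibility: str  # "public" or "friends"


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    posts: list = field(default_factory=list)
    consented_apps: set = field(default_factory=set)  # apps this user installed


def can_view(viewer: str, post: Post, users: dict) -> bool:
    """Ordinary viewing rule: public posts to everyone, friends-only posts to friends."""
    if post.visibility == "public" or viewer == post.author:
        return True
    return viewer in users[post.author].friends


def app_feed_piggyback(app: str, installer: str, users: dict) -> list:
    """Vulnerable: the app inherits the installing user's visibility over all friends.

    Only the installer's consent is checked, so friends who never heard of the
    app still have their friends-only posts handed to it.
    """
    if app not in users[installer].consented_apps:
        return []
    out = []
    for friend in users[installer].friends:
        for p in users[friend].posts:
            if can_view(installer, p, users):
                out.append((p.author, p.text))
    return out


def app_feed_hardened(app: str, installer: str, users: dict) -> list:
    """Hardened: a friend's data flows to the app only if that friend consented too."""
    if app not in users[installer].consented_apps:
        return []
    out = []
    for friend in users[installer].friends:
        if app not in users[friend].consented_apps:
            continue  # friend never authorised this app; their data stays put
        for p in users[friend].posts:
            if can_view(installer, p, users):
                out.append((p.author, p.text))
    return out


def audit_non_consenting_exposure(app: str, installer: str, users: dict) -> set:
    """Audit helper: friends whose data the piggyback design would hand to the app
    without any consent of their own. Useful when reviewing what an API grant
    actually reaches, which is the constraint the comment argues for."""
    return {f for f in users[installer].friends if app not in users[f].consented_apps}


def build_sample() -> dict:
    """Constructed sample graph: alice installed quizapp; carol did too; bob did not."""
    alice = User("alice", friends={"bob", "carol"}, consented_apps={"quizapp"})
    bob = User("bob", friends={"alice"},
               posts=[Post("bob", "bob private", "friends")])
    carol = User("carol", friends={"alice"}, consented_apps={"quizapp"},
                 posts=[Post("carol", "carol private", "friends"),
                        Post("carol", "carol public", "public")])
    return {u.name: u for u in (alice, bob, carol)}


if __name__ == "__main__":
    users = build_sample()
    print("piggyback:", sorted(app_feed_piggyback("quizapp", "alice", users)))
    print("hardened: ", sorted(app_feed_hardened("quizapp", "alice", users)))
    print("exposed without consent:", audit_non_consenting_exposure("quizapp", "alice", users))
```

Running it shows bob's friends-only post reaching the app under the piggyback rule even though bob never installed it, while the hardened rule returns only carol's posts; the audit helper names bob as the non-consenting party. The consent check is a deliberate simplification: a real platform would also scope the grant by data category and audit each request against it, but the transitive-visibility problem the comment identifies is already visible in this small model.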