[Mahn]

There's nothing that Facebook did here than any other company, in tech or otherwise, wouldn't have done.

And for the record, Facebook did not "share data with Cambridge Analytica for shady research purposes". A rogue third party developer created one of those shitty quiz apps for Facebook, and then proceed to get users to signup for it; several million did, which allowed said developer to harvest data thanks to the very permissive APIs that Facebook provided at the time. He then proceeded to sell this data to Cambridge Analytica. Facebook has a responsibility in what happened there, but "Facebook sold data to Cambridge Analytica" is a widly misconstrued story.

[nathan_long]

> There's nothing that Facebook did here than any other company, in tech or otherwise, wouldn't have done.

This isn't true. Lots of companies wouldn't steal users' call logs - eg, Mozilla, Signal, and plenty of boring, normal ones who make TODO list apps or whatever.

It also isn't relevant. See how that argument flies in criminal court. "Anybody else would have stolen that car."

What we see here (again) is that FB does nasty things and it's in the public interest to stop them - along with "any other company" who does the same things.

[wahern]

Facebook's business is car stealing. They tell you that upfront: we want your car, and if you park it in our garage we're going to take it.

All this anger over Facebook is ridiculous.[1] Now, if you want to talk about Android and Google's decision to make it more difficult to not only control but to know what data apps (especially theirs!) will take, that's a different matter....

[1] Especially from geeks, and particularly geeks from the 1990s and earlier when we were told that unless we promoted non-centralized publication models that we'd see the very constellation of centralized, user-antagonistic, profiteering services we now have. Whenever someone says, "but why would you want to host your own e-mail/web/chat server, my head wants to explode." It's always "why would you" (or "why would you, it'll never be as good as GMail/Facebook/Twitter/etc"; never, "maybe I should promote and help work on projects that make it easier".

[altcognito]

"A rogue third party developer"

We are all rogue third party developers, and clearly, the priority, much like most businesses is to make a profit, and the customers/ethics come second.

I love the fact that you get bent out of shape that Facebook didn't sell it though, it's a theme I've seen with Facebook employees: "But we didn't sell it!"

I'm not sure if they are lamenting the fact they didn't sell it but I sure as hell can tell what they give a damn about. If you want to hide under "anybody would have done it", lets take a trip down histories gravestones and figure out whether or not we should bother trying to do the right thing because it is the right thing to do.

[deogeo]

> There's nothing that Facebook did here than any other company, in tech or otherwise, wouldn't have done.

Dubious, but still good point. Meaning legislation to force companies to behave slightly less unethically is all the more direly needed.

[rhizome]

If exfiltration of user information and data was not the explicit purpose of FB's API policies, they soundly rejected the principle of lead privilege, which dates back 45 years and is no doubt incorporated into FB's own systems.

thanks to the very permissive APIs that Facebook provided

Why did they do this?

https://en.wikipedia.org/wiki/Principle_of_least_privilege

[varenc]

Facebook improved this years ago and you can see the discussion surrounding this change in the released emails. These days a Facebook app can't ask for your entire friends list, instead, it only gets to see your friends that have also authorized that app. Also, user IDs now have a per-app namespace so they can't be (easily) correlated between different apps.

The discussion revealed in this release is pretty fascinating. For example, you can see that at some point Zuck's friends authorized 31 apps and 76% of those apps had "read_stream" access giving access to their entire newsfeed.

Through one lens this is Facebook locking down their API in an anti-competitive way, which is somewhat true, but mostly this feels like an API change making privacy improvements for users. (The Cambridge Analytica data came from an older app that was running before these changes were made...)

[rhizome]

Facebook improved this years ago and you can see the discussion surrounding this change in the released emails...

This is the same elision they use. My question was, in the face of almost two generations of awareness of the principle of least privilege (almost typed "lead" again!), why did they design the API so that it gave away so much information and data in the first place?

Through one lens this is Facebook locking down their API in an anti-competitive way, which is somewhat true, but mostly this feels like an API change making privacy improvements for users. (The Cambridge Analytica data came from an older app that was running before these changes were made...)

https://newsroom.fb.com/news/2018/12/response-to-six4three-d...

Read the "Whitelisting" section. The only change they mention is turning off the ability to request permission to access the now-problematic data and information (let's say "D&I"). Of course, we also know that this is selectively applied. That's not "somewhat" anticompetitive, it's not necessarily different that the CA problem, and at any rate is only a marginal privacy improvement for users because there's (my estimate) no way in hell they're going to tell us who still has access to the APIs.

[kjeetgill]

Can't they trivially use your first name and/or email to correlate across apps? I'm pretty sure those are all part of the lowest permission class.

[varenc]

I don't think the Facebook API gives you access to your friends emails...but agreed there are still ways to correlate this. (hash of profile photos for example?)

[basch]

The "permissive api" is facebook changing what words mean over time. People signed up, shared things, and then facebook changed default behaviors without communicating the change WELL.

http://mattmckeon.com/facebook-privacy/

In April 2010 basically everything a new user posted to facebook was public by default. They didnt "care deeply about peoples privacy."

[Khaine]

Facebook provided the means for Cambridge Analytica to occur. Facebook also shared social graph information with Obama's campaign.

Facebook is far from blameless, and should be held to account for its scummy behaviour, and for enabling scummy behaviour.

[ladzoppelin]

That's not true man. Some companies were "allowed" to use/get the data even after it was shutdown and the API was created in the first place to entice the masses.

[InTheArena]

It's worth remembering that Facebook did share data in violation of their own terms of use with the Clinton came - in fact, that policy came about because Obama "abused" Facebook to collect contact information for friends of people who liked or followed his campaign. Despite this policy change, Facebook allowed Clinton to do the same. They claimed it was by mistake, but even after the mistake was revealed, they didn't change it or cut off Clinton. Clinton's campaign manager speculated it was because "they agreed with us", but also thought that the Trump campaign had similar access (so far, no evidence has emerged to that).

Facebook is not a good actor, anyway you look at it. They are selling data to first or second parties, who are using it to damage our country.

[rmc]

Maybe the problem is profit-driven companies...

[zepto]

Yeah - if everyone was assigned a job by the government we wouldn’t have this problem.