|
|
|
|
|
|
by varenc
2752 days ago
|
|
|
Facebook improved this years ago and you can see the discussion surrounding this change in the released emails. These days a Facebook app can't ask for your entire friends list, instead, it only gets to see your friends that have also authorized that app. Also, user IDs now have a per-app namespace so they can't be (easily) correlated between different apps. The discussion revealed in this release is pretty fascinating. For example, you can see that at some point Zuck's friends authorized 31 apps and 76% of those apps had "read_stream" access giving access to their entire newsfeed. Through one lens this is Facebook locking down their API in an anti-competitive way, which is somewhat true, but mostly this feels like an API change making privacy improvements for users. (The Cambridge Analytica data came from an older app that was running before these changes were made...) |
|
|
This is the same elision they use. My question was, in the face of almost two generations of awareness of the principle of least privilege (almost typed "lead" again!), why did they design the API so that it gave away so much information and data in the first place?
Through one lens this is Facebook locking down their API in an anti-competitive way, which is somewhat true, but mostly this feels like an API change making privacy improvements for users. (The Cambridge Analytica data came from an older app that was running before these changes were made...)
https://newsroom.fb.com/news/2018/12/response-to-six4three-d...
Read the "Whitelisting" section. The only change they mention is turning off the ability to request permission to access the now-problematic data and information (let's say "D&I"). Of course, we also know that this is selectively applied. That's not "somewhat" anticompetitive, it's not necessarily different that the CA problem, and at any rate is only a marginal privacy improvement for users because there's (my estimate) no way in hell they're going to tell us who still has access to the APIs.