Hacker News new | ask | show | jobs
by fixermark 2640 days ago
Unfortunately, Facebook had a fundamental misunderstanding of how privacy has to work, and their users will be paying for their error for years.

If it's earth-shatteringly bad for your users if their private data is leaked by a third-party, you cannot exfiltrate that data to a thrid-party. Full stop. No amount of policy un-leaks data, and "You cannot continue to operate as a Facebook service" is an empty threat the moment it becomes more valuable for the third-party to violate the agreement than to continue to operate as a Facebook service.

The takeaway: if you are responsible for user privacy, you must do the computations on the user's data. Have partners ship you the computations they wish to do, vet them, and then ship them results compliant with your users' expectations. Don't hand third-parties a subset of the keys to the kingdom and expect an honor system to preserve user privacy.
3 comments
lacker 2640 days ago
Have partners ship you the computations they wish to do, vet them, and then ship them results compliant with your users' expectations.

In this case, the user clicked okay on a dialog that said something like "Share my friend list with this application." It would be sane at that point to expect that the application has access to your friend list. The application typically doesn't want to do a "computation", per se, they want to do something like show you your friends that are already using the application, so that you can share things with them and so on.

There are many, many services that share data in this way. iOS and Android share your contact list in a similar way, for example. And those services have the same exact problem, that sometimes third parties leak data. There is no other, better-implemented way for a platform to share data.

In the end, this is a "scandal" because Facebook is getting bad press already for other issues, and people do not really understand the nature of data platforms so they cannot distinguish big problems from small ones.

link
SpicyLemonZest 2640 days ago
Facebook used to be much better at locking down third-party exfiltration. But back in the early 2010s, the zeitgeist was against it; there were countless articles in the genre of "I'm a random third party developer, and Facebook is trying to stop me from exfiltrating massive dumps of my user's data! How anticompetitive!" So they decided to start being more open.
link
ChrisCinelli 2640 days ago
Can you provide one or two of those articles?
link
SpicyLemonZest 2640 days ago
My favorite is this one, where a guy complained Facebook wouldn't let his extension export all your friends' email addresses.

https://www.zdnet.com/article/facebook-blocks-google-chrome-...

link
lacker 2640 days ago
Look for articles like this one:

https://www.adweek.com/digital/facebook-and-zynga-battle-ove...

Many of the initial adopters of the Facebook platform were companies like Zynga that were reliant on specific details of the platform, and got very frustrated by platform changes. Many but not all of the changes that Facebook wanted to make during this period were ones that kept data more private.

link
cjhopman 2640 days ago
Here's an article discussing it: https://gigaom.com/2011/07/06/who-owns-your-social-graph-you...

Look at how angry the commenters there are that facebook would even consider restricting the access that third-parties have to such data.

link
throwawayjay01 2640 days ago
How would this work in the case of data portability? If Facebook were to be forced to provide an API that allowed users to export all of their data to a competing social network would Facebook be responsible for ensuring that the competitor was using the data responsibly?
link
fixermark 2640 days ago
Not at all; they'd be responsible for bundling that data in a well-defined format into a blob of some kind that the user can request be exfiltrated (after providing their credentials to authenticate the request). The third-party would then have to digest said blob. Users assume trust of the third-party regarding responsibility for data misuse when they feed the third-party the blob (same as if they'd hand-entered the data via a regular GUI). Google already offers a functional model of this via https://takeout.google.com

Putting control in the hands of the user is quite different from allowing third parties to exfiltrate data on a user without their consent.

(It is worth noting that this approach is still exploitable---third party convinces users to cough up their authentication codes, then acts as the user and makes the request for the whole kingdom themselves. But user education on the amount of power handed to someone when you literally give them your passwords is a separate issue).

link
jsgo 2640 days ago
Say there's a startup that is going to revolutionize date keeping and events and scheduling and all that, for the sake of aping a common naming scheme, call them Calendr[1]. Only drawback is that their security is an afterthought, but they're not promoting that.

So a Facebook user that is friends with you on Facebook says to Calendr, "scan my contacts and generate a calendar that already has my contacts' birthdays and any events they've created on it (one would assume this list would include anything that is shared at the Friends Only and Public tiers) for me."

Three weeks later, Calendr is hacked and all of their data is accessible. A Have I Been Pwned-style service will let you read through the data and sure enough: fixermark's super secret event was now publicly viewed as part of this data set. You do not have an account with Calendr and you haven't even heard of it before.

How would you, as a Facebook user, prevent this from happening beyond not creating the event in Facebook? How would Facebook prevent this beyond not providing the data to the third party?

[1] edit: oh geez, there is a Calendr. This has nothing to do with the real Calendr (this is fictitious Calendr).

link
fixermark 2640 days ago
They may not be able to prevent it without refusing to exfiltrate that data. But then they maintained clear resopnsibility (at the cost of usability) for the user's data. Excellent example though, because it highlights a real joint-ownership problem in data on a social network (the aggrieved fixermark in this case certainly couldn't have stopped his friend from hand-entering the details of the super-secret party into FakeCalendr without consent either; to a certain extent, sharing information always implies trust of the recipient to store that information responsibly).

Unfortunately, privacy / usability is the tradeoff. Facebook had clear incentives to simplify usability at the cost of privacy. But as a result, these breaches continued to happen.

(I use the past tense here because I don't know what their app ecosystem looks like now. When I was using it, it was extremely easy to do a full friends-of-friends data exfiltration, with the only guard against it being "Don't do that and then dump it publicly for all to see").

link
wmf 2640 days ago
Yep, now if you have N friends your data might be in the hands of N companies. You'd need a GDPR-like privacy framework with audits and even then the risk of mistakes is enormous.

(Note that when people talk about data portability they're really talking about federation since social networking can't work otherwise. Non-social data is a little easier.)

link