Disagreed - this is the result of stupid users. If the APIs are gone they will just be entering their Facebook credentials directly (which would leak way more data than what relatively limited API access allows).
Someone who has view access to my profile may view my data, and they might also extract that information with API - however, they do not have any right to give permission on my behalf to someone else (e.g. Cambridge Analytica), that would require a power of attorney or something like that.
My friend might technically send that information to Cambridge Analytica, but my friend can't give them permission to use it, CA would be required to acknowledge that they don't have the legal permission to use that data and discard it. My friend can tell Facebook "I permit you to give that information to Cambridge Analytica" but Facebook is not allowed to act based on that "permission" since it's not something my friend can permit.
> My friend might technically send that information to Cambridge Analytica, but my friend can't give them permission to use it, CA would be required to acknowledge that they don't have the legal permission to use that data and discard it.
It's pretty well accepted that Cambridge Analytica acted unethically, and potentially even unlawfully.
> My friend can tell Facebook "I permit you to give that information to Cambridge Analytica" but Facebook is not allowed to act based on that "permission" since it's not something my friend can permit.
This seems like an unnecessary technicality - if CA wasn't allowed to access your data directly they would just proxy it through the original user's device via an app or something. The end result would be the same.
I grant API access to my friend. That is a direct relationship.
I don't grant API access to people that my friend grants API access to.
If one grant allowed for another grant, by that logic you could chain all the way down to any connected node which is clearly not a desirable model.
Data brokers are trying to make it seem like me adding a friend is somehow not a grant so that they can "plus one" on their reach. But it is a grant. It is literally me granting my friend access to my data. Just because the company doesn't call it a grant and doesn't treat it like one on a technical level doesn't change the fact that I have granted my friend access to some data.
API access or not is just a technicality. You grant your friend access to this data. Even if API access was restricted, malicious parties would just get your friend to install malware or give out their Facebook credentials directly (thus bypassing the API access restriction).
Either you trust your friend with that data or you don't. Anything else is just playing a game of whack-a-mole which may just give people a false sense of security.
I think its a bit harsh to call users stupid. When we move away from HN, we realize how teach naive a layman can be. We haven't seen something of this sort happen at this scale happen many times before. A lot of efforts are going into privacy now, way more than before.
People ARE stupid, this is a known fact; this is one reason why consumer and privacy protection laws are a thing, why two-factor authentication is a thing, why e-mail verification of logins is a thing, why you can't just start trading in stocks, buy alcohol, etc etc etc.
Companies protect their users from themselves; they HAVE to, in case they (the users) shoot themselves in the foot. And consumer have a reasonable expectation, regardless of Facebook's terms & conditions, that their data isn't shared to third parties - or that they at least get asked when it happens, instead of being pointed to a tl;dr of T's & C's.
Plenty of people do not have the literacy level to understand terms and conditions [1]. This is a worrying trend, but it's something that companies like Facebook should (and are) aware of - people don't read terms and conditions, people don't understand them.
I guess I'm stupid too if I have a stupid friend or relative.