Someone who has view access to my profile may view my data, and they might also extract that information with API - however, they do not have any right to give permission on my behalf to someone else (e.g. Cambridge Analytica), that would require a power of attorney or something like that.
My friend might technically send that information to Cambridge Analytica, but my friend can't give them permission to use it, CA would be required to acknowledge that they don't have the legal permission to use that data and discard it. My friend can tell Facebook "I permit you to give that information to Cambridge Analytica" but Facebook is not allowed to act based on that "permission" since it's not something my friend can permit.
> My friend might technically send that information to Cambridge Analytica, but my friend can't give them permission to use it, CA would be required to acknowledge that they don't have the legal permission to use that data and discard it.
It's pretty well accepted that Cambridge Analytica acted unethically, and potentially even unlawfully.
> My friend can tell Facebook "I permit you to give that information to Cambridge Analytica" but Facebook is not allowed to act based on that "permission" since it's not something my friend can permit.
This seems like an unnecessary technicality - if CA wasn't allowed to access your data directly they would just proxy it through the original user's device via an app or something. The end result would be the same.
I grant API access to my friend. That is a direct relationship.
I don't grant API access to people that my friend grants API access to.
If one grant allowed for another grant, by that logic you could chain all the way down to any connected node which is clearly not a desirable model.
Data brokers are trying to make it seem like me adding a friend is somehow not a grant so that they can "plus one" on their reach. But it is a grant. It is literally me granting my friend access to my data. Just because the company doesn't call it a grant and doesn't treat it like one on a technical level doesn't change the fact that I have granted my friend access to some data.
API access or not is just a technicality. You grant your friend access to this data. Even if API access was restricted, malicious parties would just get your friend to install malware or give out their Facebook credentials directly (thus bypassing the API access restriction).
Either you trust your friend with that data or you don't. Anything else is just playing a game of whack-a-mole which may just give people a false sense of security.
My friend might technically send that information to Cambridge Analytica, but my friend can't give them permission to use it, CA would be required to acknowledge that they don't have the legal permission to use that data and discard it. My friend can tell Facebook "I permit you to give that information to Cambridge Analytica" but Facebook is not allowed to act based on that "permission" since it's not something my friend can permit.