Hacker News new | ask | show | jobs
by baeaz 1277 days ago
Let's remember that this is because Facebook had an open API that a 3rd party developer abused with the consent of the users.

In case you wonder why nobody bothers to have open APIs for anything anymore. (cf. Twitter 10 years ago and today)
4 comments
CharlesW 1277 days ago
The Facebook API used by the app was never open. Additionally, "Facebook required app developers to sign agreements promising to abide by privacy restrictions attached to user data they received through Facebook APIs"¹. The problem is that Facebook never did an adequate job of auditing or enforcing that.

Also, even if you somehow believe that users knowingly consented to share the amount of data that they did, they definitely did not consent to data traitor Aleksandr Kogan selling their personal knowledge graphs to Cambridge Analytica.

¹ https://arstechnica.com/tech-policy/2018/03/facebooks-cambri...

link
baeaz 1277 days ago
That's false. The api was called friends permission and was public. There are references to it everywhere in the web. For example here you have a rando asking about it in SO: https://stackoverflow.com/questions/6392338/what-is-the-diff...
link
CharlesW 1276 days ago
You said "open", not "public".
link
nickff 1276 days ago
Not the OP, but “open” is vague, and might plausibly be meant as “public”. HN guidelines say you should respond to the strongest possible interpretation of a comment, not nit-pick:

>” Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.”

That said, OP’s response seems a bit harsh, as what you said wasn’t “false”, it just wasn’t their intended meaning.

link
fanso99 1277 days ago
I might be remembering the details wrong, but wasn't the main issue that users half-knowingly allowed spying on their friends without any consent required from those friends? Open API isn't the reason this abuse happened IMO - Facebook failed to prevent massive data collection on users who did not give any consent.
link
closeparen 1276 days ago
The concept of “personal data” with one sovereign owner applies in very limited scenarios like a private Google Doc or unshared Dropbox folder. The vast majority of internet applications in fact represent some kind of sharing or communication. Such applications necessarily either help you to restrict how your counterparties interact with shared data, limiting their freedom, or don’t, violating your privacy. As such it’s hard to see either side of this tradeoff as especially blameworthy.
link
baeaz 1277 days ago
Sure - if you give a 3rd party application API access using your account, they can see whatever your friends have made available to you.

This is as if my friends sued Facebook because I gave you my password and you used it to snoop on them.

link
fanso99 1277 days ago
I am not buying this. It's borderline victim-blaming. An informed consent must be required. Giving access to an app is not the same as sharing your password with them and explicitly allowing them to do anything they want. Saying that, even if you do share your password, the app should not be able to collect data on your friends without their consent.

There is a huge difference between you stalking someone else's friends and a company collecting billions of data points to use for political manipulation. The purpose, the scale, the incentives are different. We need to stop assuming that the rules should be the same for an individual and a business just because they use the same loophole.

link
baeaz 1277 days ago
>An informed consent must be required.

While I don't know what the prompt exactly said, I bet it was specific enough. The fact that people just click Accept without reading it shouldn't make it less binding, that would be infantilising users.

>There is a huge difference between you stalking someone else's friends and a company collecting billions of data points to use for political manipulation.

I agree. And that company is not Meta. So I don't understand why Meta is paying. In any case all I said was that this is one of the reasons APIs are closed and everything is a silo.

link
fanso99 1277 days ago
> While I don't know what the prompt exactly said, I bet it was specific enough.

An informed consent from users who's information is going to be collected. In this case it was the friends of the person signing up. Again, that's the only reason Cambridge Analytica was successful. They didn't have that many users, they collected a ton of data on the users' friends.

> I agree. And that company is not Meta.

Meta had an obligation to protect its users' data. It failed at that.

link
baeaz 1277 days ago
>An informed consent from users who's information is going to be collected.

That consent was granted the day they accepted/sent the friend request. Once the friendship was established, the other user had access to the profile information. They can do with that information as they please, which includes giving it to a 3rd party. If it's illegal to do so, the parties at fault are the user who accepted the API access request and perhaps the 3rd party, but definitely not the medium.

>Meta had an obligation to protect their user's data. It failed at that.

If I go to your profile and take a screenshot, has Meta failed at protecting your data? What if a friend gives me their password or remote desktop access to their computer and I look at your profile? Should we fine Facebook?

link
LinuxBender 1276 days ago
There is a movie on Netflix [1] that covers this in more depth called The Great Hack.

[1] - https://www.netflix.com/title/80117542

link
ratg13 1277 days ago
Your comment glosses over that the API that allowed users to share other user's private data.
link
CharlesW 1277 days ago
For anyone who's curious, the wildly leaky API feature that gave broad access to friend data was called "friends permission", and was killed in 2014. https://www.theguardian.com/news/2018/mar/20/facebook-data-c...
link
filoleg 1276 days ago
A sidenote that might be irrelevant, but fully private data never got shared. Only the friend data that is visible to the person who gave the API permissions.

Here is a simple example: you posted 3 photos on your FB profile. One was fully public, another one was friends-only, and the last one was only available to you and your relatives (which i am not one of). If i used such a cambridge analytica app and gave permission to my friend info, it would be able to get the first two photos, but not the last one (because I have no access to it myself).

link
closeparen 1276 days ago
A social application could not meaningfully have anything like openness or data portability if the scope of the API were strictly your own profile.
link