Facebook Restricts Data Access: All Users' Information May Have Been Harvested

Facebook is the giant of the web. The largest social media platform by a wide margin is having its hardest year.

After the Cambridge Analytica scandal was revealed, the company made headlines all over the world over how "malicious actors have also abused [the platform] to scrape public profile information."

In a lengthy post to its online newsroom, the company addressed many vulnerabilities in its API that allowed user data to be harvested by third-party app developers.

The fixes cover the Events API, Groups API, Pages API, Facebook Login, Instagram Platform API, Search and Account Recovery, Call and Text History, Data Providers and Partner Categories, and App Controls.

CEO Mark Zuckerberg said that, given the scale of this activity, almost all of Facebook's 2 billion+ users may have had their public profile data scraped.

"Everyone has a setting on Facebook, that controls — it’s right in your privacy settings — whether people can look you up by your contact information. Most people have that turned on, and that’s the default, but a lot of people have also turned it off. So it’s not quite everyone, but certainly the potential here would be that over the period of time that this feature has been around, people have been able to scrape public information. The information—that if you have someone’s phone number, you can put that in, and get a link to their profile which pulls their public information. So, I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way."

In addition to this revelation, the company also admitted that the total number of users affected by the Cambridge Analytica data scrape was much higher than previously thought. The total wasn't 30 million users, as reported in 2017, or 50 million, as reported in March, but might potentially be as high as 87 million.

"We do not know precisely what data the app shared with Cambridge Analytica or exactly how many people were impacted. Using as expansive a methodology as possible, this is our best estimate of the maximum number of unique accounts that directly installed the thisisyourdigitallife app as well as those whose data may have been shared with the app by their friends."

"Thisisyourdigitallife" was the app that Cambridge Analytica used to harvest Facebook data between 2013 and 2015, before Facebook revoked the app's access to its API.

The company had basic protections in place to mitigate this type of activity, for example limiting the number of searches from a single IP address. But attackers can cycle through hundreds of thousands of IP addresses. Facebook also has automatic tools which routinely check for illegal photos and malicious links.
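The per-IP search limit and the IP-cycling weakness described above, shown as an added example that is not from Facebook or the original article: a per-IP counter misses lookups spread across many addresses, while a counter keyed on the queried phone-number block flags them. The thresholds, the prefix grouping and the sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

PER_IP_LIMIT = 5    # assumed: max lookups per source IP per window
PREFIX_LIMIT = 50   # assumed: max lookups per number block per window
PREFIX_LEN = 7      # assumed: group queried numbers by their first 7 digits


def per_ip_blocked(events, limit=PER_IP_LIMIT):
    """Return the source IPs that exceed the per-IP limit in this window."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > limit}


def enumeration_alerts(events, limit=PREFIX_LIMIT, min_ips=10):
    """Flag number blocks looked up heavily from many distinct IPs.

    Returns {prefix: (lookup_count, distinct_ip_count)}.
    """
    lookups = Counter()
    ips = defaultdict(set)
    for ip, number in events:
        prefix = number[:PREFIX_LEN]
        lookups[prefix] += 1
        ips[prefix].add(ip)
    return {p: (lookups[p], len(ips[p])) for p in lookups
            if lookups[p] > limit and len(ips[p]) >= min_ips}


def sample_window():
    """Constructed events for one window: (source IP, queried phone number)."""
    events = []
    # Distributed harvester: 100 IPs, 3 lookups each, walking one number block.
    for i in range(300):
        events.append((f"198.51.100.{i % 100}", f"5550100{i:03d}"))
    # Ordinary users: one lookup each, unrelated numbers.
    for i in range(20):
        events.append((f"203.0.113.{i}", f"555{i * 37991:07d}"))
    # One noisy single-IP client, which the per-IP limit does catch.
    events += [("192.0.2.9", f"5559999{i:03d}") for i in range(8)]
    return events


if __name__ == "__main__":
    window = sample_window()
    print("blocked by per-IP limit:", per_ip_blocked(window))
    print("flagged number blocks:", enumeration_alerts(window))
```

In the constructed window the harvester never exceeds three lookups per address, so only the single noisy client trips the per-IP limit; the block-level counter is what surfaces the 300 lookups spread over 100 addresses.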

But following the scandal, Facebook admitted that it's guilty of "a massive breach of trust."

The data of Facebook's 2 billion users that may have been breached could have been archived in repositories all over the world by academics, companies and criminal actors, not to mention governments. But Facebook's bigger problem is not confirming this and acknowledging its mistake, but why the company hid this privacy issue for all this time.

Why did it take Facebook until April 2018 to reveal the scope of this unauthorized data harvesting activity? Why was it focusing only on a narrow slice of that harvesting, rather than solving the bulk of the exploit?

Published: 05/04/2018