Now departed Facebook Chief Security Officer Alex Stamos recently defended Facebook on Twitter saying Cambridge Analytica obtaining data on millions of Facebook users wasn’t a “breach.” Well, maybe technically no, it wasn’t. This is because Facebook 1) carefully wrote their Terms of Service so this wouldn’t be defined as a breach and 2) happily left the doors open for anyone to take the data.
Russia-linked “researcher” Aleksandr Kogan created a personality test that hundreds of thousands on Facebook took. What few knew, because it was, I think, carefully hidden, was that granting the test access to your profile also granted access to all your friends profiles. Because Facebook permitted that then (and has been forced to change that.) So, Kogan got info on millions of Facebook users, then shared it with Cambridge.
Lawfare Blog says there are multiple laws in the U.S. that might be used to prosecute, Facebook, Kogan, and Cambridge. Plus there will almost certainly be criminal investigations from UK, Europe,and Australia. Read the post for more.
In other words: Don’t worry everyone, Cambridge Analytica didn’t steal the data; we were giving it out.
And they were. As Ben Thompson notes, an old Facebook developer page shows that their API would allow developers to access not only to user account information, but also huge amounts of friend account information—things like “friends_interests,” “friends_religion_politics” and much more
The image shows an old Developer Page on Facebook showing how access to a Facebook user also gives access to info about Friends.
Expect this developer page to come up again in potential litigation and legislative hearings. It shows that Kogan did not need to get Facebook data through the back door, because he could waltz in through the front door—the door Facebook built for developers. This was not a breach of Facebook’s network. But it was a breach of users’ trust, general expectations and perhaps also Facebook’s terms of service.