Facebook quietly admits failure
Yesterday, Facebook admitted for the first time that it made a mistake – at the end of a 2,000 word blog post about security:
"In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica."
This number is bigger than the 50 million (74% more, by the way!) than The Guardian initially reported, and somehow is not the extent of it all.
Unfortunately, it gets worse beyond here:
"[...] malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature."
So what's a 2.5-billion-plus user social network to do? Close down the API, almost immediately. Facebook gutted the API yesterday without notice, marking the death of the Facebook Platform as we know it.
The changes to the API are sweeping and crippling for many developers:
- The Events API is now under heavy lockdown, with Facebook manually approving apps and only in rare circumstances
- The Groups API requires manual Facebook approval and a group administrator to review data being used. Apps won't be able to see members of groups anymore.
- The Instagram API is disabling user follower collection, comments and relationship access.
- Facebook Login is locking down data access including religious views, political affiliation, relationship status, custom friends list, education and work history, and activity on fitness, book reading, music listening, news reading, video watching, and games.
- App developers will be blocked from requesting data from people who are not using the app regularly, and won't provide email or phone number access when using Facebook login.
Many of these changes came into effect suddenly last night, and all hell broke loose. Tinder, for example, was crippled because Facebook restricted email addresses and phone numbers which it relied on for sign-in, causing the app to endlessly crash.
Just a few short years ago, Facebook was trying to convince us to login to the service with every app we own to take advantage of a feature called Open Graph, which would share information like what you're listening to on Spotify and make it easier to sign in.
Developers can still get a bunch of information about users, but now Facebook is acting as a manual gate-keeper for apps, sort-of like Apple does for the App Store. Whether that will work depends on your judgement of how much you trust Facebook to actually check apps.
Zuckerberg also said that Facebook would bring "GDPR-like" controls to users around the world, marking a huge win for the European legislation focused on privacy that comes into effect next month.
GDPR requires Facebook to explain what data it collects, why and regularly check in with users about it, as well as requiring it to allow users to request a personal information archive of all metadata on hand.
By complying with this, it seems difficult for Facebook to argue it shouldn't be regulated in the U.S. -- but we'll get the answer to whether or not lawmakers care about that when Zuckerberg faces Senate next week.
The takeaway from all of this is that Facebook didn't do much at all on its platform to protect data because nobody really knew what was going on -- including the company itself.
AWS secrets manager helps with a big security mistake
This new tool from Amazon allows developers to easily code API keys and other secrets into applications without hard-coding them. This is a common problem, particularly for newer companies, and AWS' new tool might actually help stop people committing their secrets to Github.