Not sure why people are so hung up on the "breach" vs "not a breach" debate. The issue is this: taking a random personality quiz online is old news. We've been doing these since the 90s. The problem is that when you log in with FB, your real name, and all of your metadata is attached to that quiz.
It's not just "IP 12.342.32.1 is chaotic neutral" but "'Bob Smith, with a degree in X from Y, that likes A, B, and C and is newlywed' is chaotic neutral." The issue isn't really the quiz (and it's not even CA tbh), it's Facebook giving out real names, real pictures, etc. every time you "Log in with Facebook" on any random website or app.
If it was just this, I would be okay with it. It was also saying "and here is a list of all of Bob Smith's friends, and their info".
I have my Facebook profile set to 'friends', and perhaps its obvious now, but I guess I didn't realize an app installed by my great aunt now has all my information. I happily gave her access to see my profile, kids pictures, etc. But do I want every single thing she connects to to see any data I allow her to see?
Yes. If you're curious what the present-day FB settings are that control this sort of information sharing, see here: https://i.imgur.com/6fyLx18.png
It's located in the user's "Apps" settings [1] under the section, "Apps Others Use: People who can see your info can bring it with them when they use apps. Use this setting to control the categories of information people can bring with them."
Yes, it really went that deep. But only if you pinky swore to only use that data to improve your app and then delete it! Facebook changed their API in 2014 and removed that ability, allowing companies to only see the profiles of friends that already had the same app (which the developer already had access to anyway). They claimed it was for user privacy, but really they realized they were giving away the crown jewels and allowing other companies to recreate large swaths of their social graph.
Getting the discussion to "breach/not breach" is taking the discussion away from the actual point. Facebook is a cancer for privacy. The affiliates of Facebook are a cancer for privacy. Privacy is a human right. Facebook is cancer (imho).
That said, I believe FB would LOVE if we change the topic from PRIVACY to "anything-except-privacy".
And yes. Any/all dictators (of any shape or form) are trying to silence the media/journalists. Why would FB practice a different method?
This way they want to make sure that the next whistleblower won't have an outlet.
I agree with you about being very cautious about how this debate gets framed. Big corporations are boss at framing the debate in such a way that the results don't matter. Be very aware of this tendency.
But this is how these sorts of OAuth schemes have always worked. It's always been explicit, too. You grant these apps access to this information. What exactly is the issue here? That this time it was used in a way people don't like? There's a reasonable debate to be had about how to deal with all this data, but to blame Facebook as if they made some error or leaked some data in an unauthorized way, or did anything that we didn't all know was possible this whole time is just totally disingenuous on the part of journalists and regulators.
The thing that seems really wrong here is that you weren't just granting access to your own information, but all of your friends as well, who had little say in the matter beyond their original grants of permission to Facebook.
It is this way that Cambridge Analytica was able to get 50 million profiles by just paying ~270k Amazon mechanical turkers [1].
It's true that everyone agreed to everything along the way: people allowed Facebook to have the information in question, and people allowed Cambridge Analytica to access that information. But it wasn't the same people agreeing to both. The set of people agreeing to the latter was much smaller than the former.
It may be true that technically neither Facebook nor Cambridge Analytica did anything wrong (at least in collecting this information, this seems to be by far the least shady part of CA's business), but, Facebook's business is built on trust, and this is a huge hit to that trust. Arguing technicalities doesn't help.
> The thing that seems really wrong here is that you weren't just granting access to your own information, but all of your friends as well, who had little say in the matter beyond their original grants of permission to Facebook.
Except that those users had granted that permission to the people who then granted it to CA. So, transitively (which is the only way to think about permissions), they had granted it to CA.
Not really.
You granted permission for your friends to access the information. You did not give your friends permission to grant permission in accessing your information or share it directly.
Now Facebook may make a different statement etc and the rules of service, privacy can allow for this. But it is not a property that is transitive in general. And it is bad publicity. (I hope.)
I can be told a secret, I do not necessarily have the permission to share, for instance, what happened in the bachelor party last Saturday right?
No, this is not how OAuth works - OAuth itself is just a protocol to receive authorization from another server [1]. In this case, a third party relies on Facebook to say "This user has logged into Facebook and their ID is foo". OAuth _does not need_ social information or anything else.
Of course, you can allow the authorization server to publish these details, but this is not an inherent part of OAuth. Also, there's OpenID Connect [2] which builds on OAuth and adds just this information in another token: "The ID token resembles the concept of an identity card, in a standard JWT format." (from [2]). However, you can happily use OAuth without ever publishing the user's details.
I took your comment to say "You have to allow access to your data if you're using OAuth, because that's how OAuth works", and wanted to argue against that. The OAuth protocol is so complicated because it tries to be safe and secure and so it doesn't force any data disclosure.
However, I now see that you probably meant "OAuth forces you to accept these permissions explicitely". In that case, we're hopefully both right :)
We (the general public) grant permission for facebook to use our data, with the expectation that they don't let any bad actors do anything with it that harms us (the general public). This has been their image, this is what they espouse, and it is clearly not what happened.
>anything that we didn't all know was possible this whole time
I believe the reason this story is blowing up so big in the media is because most people never imagined their data being used in this way. When I login to patreon and subscribe to someone, I know exactly what I am paying. When I login to facebook and make a post, I (the average user) have no idea what it is that I am paying and/or how it can be used. I give away some factoid about myself without realizing that my angry post about Trump actually tweaks some political vector that is being calculated on me.
Consent is not enough, informed consent is the bar we have to set and it's basically impossible to say that the average facebook user is properly informed of what data they're giving, how it's being used and how much it is worth in dollar terms. Can you imagine if I could log into Facebook and see the models they've generated based on my content, and the dollar amount they've collected for that information so far. That's informed consent and somehow I doubt Facebook would be quite as profitable if people knew the actual cost they're paying.
I believe that you, a person with a strong interest technology, believe the consequences are (and perhaps always were) obvious.
But I disagree that if we went back in time and quizzed people clicking "yes" that the majority would really understand that recent events were the probable expected outcome of them clicking "yes".
There's a difference between consent and informed consent. And it was strongly in the interests of Facebook (and anybody who made an app using their APIs) to be very vague about the potential consequences.
It doesn't help that anytime Facebook changes their privacy policy or their available privacy settings, they tend to set it to a convenient default that benefits them, and that Plumber Joe is likely to never even know about.
"anything that we didn't all know was possible this whole time"
Actually, there are lots of people who have no clue that such things are possible. Maybe in 20 or 30 years, everyone would become savvy enough to understand the implications of giving away their personal info freely, but we are not yet there. The people who know (younger, tech savvy etc) are in the minority. Today a big chunk of the population simply believes everything they read on FB, that is why trolling works so wonderfully
Well, fwiw, these quizzes weren't even on a separate website where you need to login using OAuth, but they were part of Facebook's "apps" ecosystem. And they were popular, so everyone was doing it, however harmful (and as has been said, even if you're not doing it, if your friend is doing it, the app can also see your information as your friend's connection). Add to that the tragic permission scheme where Facebook does say "This app can see this information..." without offering an option to allow/deny sharing of some things (I think they've changed it so you can give granular permissions).
Granular permissions are also a pain point for me on Android phones. They were possible with apps on BlackBerry phones in the late 200x's, but on Androids before version 5 or 6? No, it's either give the app permission for all of requested functionality, or don't install it...
Additionally, I think the public is now realizing how powerful the friend/follow metadata graph is. It's pretty easy/robust to infer traits about people for whom you don't have explicit information. Alan, Betty, and Charlotte filled out the quiz and all live in Florida; Dave has mutual friendships with Alan, Betty, and Charlotte; Dave probably lives in Florida. You can do this recursively and don't need to have concrete information about the majority of members in a graph in order to make pretty strong probablistic inferences about the traits of a large graph.
I believe it’s a legal point: In case of a breach, Facebook would have been required to disclose it to the affected users. They are pushing hard against the term because it might end up determining their liability.
This thread seems to think the technical implementation is at fault.
I'd offer an alternative: the fact that we're stuck "sharing" via centrally managed platforms is the real issue.
I don't care about Facebook auth mechanism. Regardless of how it shares data, FB still HAS all the data, and can find a different way to share that with whatever party they want.
There's no leverage in the information economy outside "Use the one or maybe 2 ISPs you have, and these handful of "top" providers online."
It's like having a meat space economy be controlled by a top-down authority, and you can only trade along it's finan... distribution network.
Oh wow, what a shock. We remade cyberspace society to be just as centrally controlled as meatspace society. While meatspace became more constrained in an authoritarian way yet again in human history.
Human society exists in a strange loop of "build walls that are used to oppress me."
Is there anyone in advertising who wouldn't want this? I honestly don't see why this is a problem. Many people don't care about what gets shared but do care about the benefits it brings to their user experience.
Sincere question: this article in the last paragraph says "Facebook threatening defamation against the Guardian for calling this a data breach is ludicrous and Facebook should be ashamed and apologize"
-- does this conclusion hinge on the fact that Facebook should have realized earlier that the app is harvesting data? If the creator of the app said that he is doing it for academic purposes only then how should have Facebook known? Not trying to defend Facebook, but calling this a breach is at least a little bit gray area, no?
A breach is unauthorized access, possession, or use of data. Cambridge Analytica was not allowed to retain this data, or to use it for commercial purposes. Therefore it’s a data breach.
Consider an alternative scenario: a Facebook employee has access to data to perform his job. He makes a copy, takes it with him, and uses it in his new startup. Breach? It’s exactly the same as above, only the employee was an external partner in reality.
If it's a "little bit gray", then you probably shouldn't sue for defamation about it.
The "breach"/"something-else-that's-not-a-breach" debate from what I've seen doesn't hinge on Facebook knowing or not, it's about if all loss of data can be called a breach or if the term should be reserved for cases where the perpetrator did aquire the data without Facebook knowing.
How would that not be a breach? Their system allowed a malicious entity acting in bad faith to gain large amounts of data under false pretenses. If they got the data by pretending to be an employee and social engineering their way into the data that way facebook would 100% call that a breach. Is this that different?
(a) Users were duped into giving up their data under a false pretense. This alone cannot be called a breach.
Also, one of the following occurred:
(b.1) Facebook was duped into letting a fraudster install an app on their platform. If this happened, it was a breach.
or
(b.2) Facebook knew all along that the academic research was only a cover for duping users into giving up their data. If this happened then it was not a breach, because Facebook themselves effectively sold the data.
So what Facebook appears to be saying is: There was no breach. We sold the data!
Because they know that apps make money through Facebook ads and they do charge for those. If Facebook knew about the true purpose of this sort of app, then they also knew that they were going to make a lot of money off of it.
> It is WORSE than a breach, because FB is complicit.
A breach in which the custodian is complicit is still a breach, not something worse. Obviously, the its worse from the perspective of the custodians degree of responsibility if they are actively malicious rather than negligent or innocent, but this is still within the usual definition of a breach of private data. A breach is about the subject’s privacy being violated, which can happen with or without the complicity of the custodian of the data.
This is a really weak-sauce dictatorship, come on! In a real autocracy, Facebook would simply suspend all involved journalists' and editors' Facebook accounts for 6 hours with a message that Big Brother is watching and the suspensions will be formalized if they don't drop their story.
Any editors or journalists that don't cooperate should have their Facebook, Whatsapp, or any other service suspended. (If any other service starts gaining network effects, Facebook can just buy it when it has < 100k users - this is how a monopoly works under network effect)
Anyway Mark Zuckerberg, my message to you is if you want to be remembered as one of the worst autocrats who ever lived, you are really going to have to step up the retaliation. Maybe introduce targeted executions of journalists?
This is fun to watch. The most evil company I can think of is being exposed for its core purpose. Are people going to realize what a monster Facebook is?
No, Americans will continue to give zero fucks. A few more people will be outraged, but business as usual will continue. Maybe Facebook will claim they "fixed" the problem that created this "breach" (as it's being called), but nothing will change
>"No, Americans will continue to give zero fucks."
You realize theres 2 billion people on FB but only 330 million people in the US right? That's many more people than just Americans giving "zero fucks."
Not if you believe that there is a 1-to-1 relationship between Facebook accounts and real, living humans.
I find it more likely that Facebook is completely unwilling to admit that many of its accounts are not genuine representations of a real, living person.
When millions of Americans get their news from Facebook, it's doubtful that many current users will find out what is happening. It is certainly similar to the Fox News effect.
The news feed of a Hacker News frequenter is very atypical. You likely have more friends in the tech industry, and thus you're likely to see posts on this story.
Your comment calls into question the anecdotal evidence used to dismiss a claim made with no evidence whatsoever.
I have a similar anecdote, but mine does not match the mitigating circumstance you ventured.
Regardless, even a less-than-credible personal account clears the bar of required evidence to dismiss the above claim, since that requirement is currently zero.
I downvoted you due to the doublethink of providing an out for good pharma companies to exist, while calling all firearms companies evil. I can see having a problem with IMI or other state funded companies that are a part of a Nation's greater military industrial complex, but on what grounds do you consider Glock or Remington evil?
A pretty obvious distinction is that pharma companies make tools for saving lives, while consumer gun companies make tools for taking lives.
(And yes, I'm aware of the theory that consumer guns are for taking lives in self defense. But in 2012, there were 33,563 gun deaths in the US, only 259 of which were justifiable homicides, so it's at least reasonable to think think that whatever the intent of gun companies, it's not working out like one might hope.)
The main reason for the second amendment is deterring authoritarianism. It works, regardless of force proportion. Occupying Afghanistan was a pain that was ultimately not worthwhile for anyone who tried it.
Regarding self-defense, there is also a benefit in deterrence - look at relative crime rates in the most heavily armed per-capita states.
> The main reason for the second amendment is deterring authoritarianism. It works, regardless of force proportion.
No. It's delusion. In doubt, feds will fuck you over and shoot your corpse when they're done. There is no such thing as stopping the police, short of welding yourself shut in a tank, but you're bound to run out of gas, air or food/water. Or being blown up with an RPG, if you do enough damage.
The only thing that works as a deterrence to authoritarianism is masses - but you really need MASSES, as in hundreds of thousands of people, not a couple hundred neckbeards with guns. Hell, G20 Hamburg was in the upper 5-digit range of protesters with a decent amount of experienced and willing rioters and it got royally screwed. I don't nearly see any protest coming near that range of numbers soon... except, maybe and hopefully, if Trump decides to be a totally ignorant idiot and fires Mueller.
The case for deterring authoritarianism is not G20 protests, it's
(a) groups like Deacons for Defence (https://en.wikipedia.org/wiki/Deacons_for_Defense_and_Justic...) where the presence of weapons serves as a deterrence, or if you want to turn to more grim times,
(b) events like Warsaw Ghetto Uprising (https://en.wikipedia.org/wiki/Warsaw_Ghetto_Uprising)
where the concentration of weapons counts for forcing an oppressor to suffer casualties instead of just rolling over the unarmed opposition. That is what the quote you are responding to alludes to.
Finally, weapons also serve as deterrent for the out-of-control forces, e.g.
(c) 1992 Los Angeles Riots (https://en.wikipedia.org/wiki/1992_Los_Angeles_riots) when the government is not acting directly or indirectly against a group but is simply not acting at all during critical time
All of these has happened before, and all of these will happen again, during our lifetime.
Comparing guns per capita on a small sampling, the top 5 most violent states per one survey are Louisiana (gun ownership: #11), Alaska (gun ownership: #1), Tennessee (gun ownership: #15), Delaware (gun ownership: #51), and Nevada (gun ownership: #16). All over the place, at least so far. Maybe a small bias towards "more guns=more violence per capita", but with such a huge outlier with Delaware, that makes me imagine that the overall data is pretty noisy.
My impression is that there is a much stronger indicator of guns-per-capita: population density. The top 5 guns per capita states are: Alaska (population density: #50), Arkansas (population density: #40), Idaho (population density: #44), West Virginia (population density: #29), Wyoming (population density: #49). Again, somewhat messy, but there seems like a strong bias towards more rural areas.
This makes sense to me. In America, a driving force for many people with guns is less pure self defense and more sport and recreation. Of which the opportunities are quite a bit more readily available in rural areas.
Cars kill people in accidents[1]. Guns are used for this on purpose. By your logic, we should also ban food because it feeds the people using the cars and the guns.
Guns can still be used in the military, nobody ever argued that (vis-a-vis to you comment about Hitler & the russians). And btw, about those russians, they found new ways (tools invented by the americans) to screw with the world, didn't they? How are guns defending us now?
[1] in recent years, terrorists have been using cars to kill people too, but not the same extent.
They manufacture weapons. It's pretty much the most black and white fit for an evil company that can exist. That seems incredibly obvious to the point that I sincerely doubt you had to ask.
1. Cars kill a lot more people than guns. Every year. And while cars can be useful a lot of the driving is more ir less meaningless.
2. While guns might be used for evil they are also used for good: there is no doubt in my mind that our big neighbour to the east (I'm Norwegian) would have invaded a number of European countries during the 50-ies, 60-ies and 70-ies if those countries hadn't been prepared to defend themselves.
Not to detract from what you say (it was interesting, I originally thought cars were much more dangerous in USA as well and I was very wrong) but from what I can see in 2017 cars were back on top.
> Ah yes, expanding my world view that we should encourage school shootings. ... If only we were all so enlightened as Americans
That's not what I said at all (I even offered non-evil usages that occur daily, globally). Twisting words will get you nowhere here on HN (and in fact earns you a flag). Not to mention a dash of xenophobia to go with it doesn't do you any favors.
I won't engage with someone who twists words and groups entire populations together under false pretenses. I'll simply tell you what other users have here:
You left out "espouse noble ideals" - "connecting people" or "making America great again." It's behind these public "facades" that the litigating into submission and threatening into silence is done.
I wonder how the UK goverment will react to this, aswell as the EU, considering they tend to value privacy in a different light then the american court system.
There needs to be serious discussion in society and the legal community, about the deliberate "weaponization" of legal actions. Where the purpose is not to pursue a legitimate and balanced complaint, but rather to cow another party into compliance/cooperation by threat to destroy them through legal actions rather than the outcome of a legal process.
The threat of forcing the other person to spend themselves into bankruptcy, for example.
Standards need to be defined and enforced, where such activity is grounds for punishment up to and including disbarment.
To the extent such already exists, it is clearly proving insufficient.
Law should be about justice, first. Not just another field of unfettered warfare.
Also, to that end, sealed records and confidentiality should be more severely constrained. The judicial system is a public system; everyone should be able to see what you're up to in it, for better and for worse.
Protecting clearly threatened victims, sure. Defined legitimate, critical secrets, for defined limited periods of time, ok (real national security, trade secrets). Beyond that, not so much. Not at all, maybe.
The NYTimes article you link to doesn't contain the word "threat". This piece appears to contain a new bit of information about the ethically challenged behavior of FB and CA. It deserves a separate conversation.
One thing I don't understand, at one hand you are supposed to keep digital data for X amount of years ( I think 7), and on the other hand the company cannot make use of it, why would it be sitting on servers, might as well make use of it.
so, this is effectively two solid admissions of guilt, in hand. why bother suing journalists if there isn't a truth that you don't want to get out?
needless to say the idea that they want to suppress journalists is egregiously illiberal and warrants our unanimous excoriation of these businesses.
zuck's silence (terror? or destroying more evidence, as they have already done?) is very telling. if we organize, the bell will toll for facebook. it is long overdue.
as a bonus, zuck's presidential run is ruined, hopefully.
Defamation/libel is interesting; since only the already wealthy can afford it, more often than not a defamation lawsuit is a sign that someone is trying to suppress true facts.
There have been several high profile cases when politicians sued for libel, won, the facts were established as true, and the politician jailed for perjuring themselves during the trial.
No, they're extremely effective in the "SLAPP" sense, because you have to be able to prove the truth in court against perjuring witnesses, and you have to be able to pay for it.
"This includes £24,000 in damages to Monroe and £107,000 to her lawyers to cover court costs." Hopkins is now selling her house to cover costs.
Most people fold immediately when threatened with a convincing libel suit, because apologising (even for the truth) is a lot cheaper than a settlement which is in turn a lot cheaper than losing your house.
Note that a litigant doesn't necessarily have to suppress facts forever, a few years while the case proceeds is often enough to turn the original issue into a historical curiosity.
To give context to all of the surrounding links, which are all about libel in the UK, remember that truth is not an absolute defense to libel in the UK. In addition, the burdens of evidence are different.
Downvote the above hard to confront your withrdawal symptoms then make your posts with your contact details announcing you are going to leave facebook, a few reminders then do it.
Life is better without them. They really haven't got you, you can break free just by deciding to do it.
This will blow over, Facebook is far too entrenched and without serious competition. Some people will use Facebook less and replace it with Whatsapp and Instagram, but Zuckerberg has that base covered
Facebook is entrenched because the culture allows it, but I sense a major kumbaya moment for Baby Boomers, Gen X, and Millenials that could upend this culture. Finally, the younger generations can see in practice why many of their elders were intuitively resistant to social media.
> younger generations can see in practice why many of their elders were intuitively resistant to social media.
The idea that "their elders" were "intuitively resistant" because they understood the decade-later implication of algorithmic user profiling being weaponized to undermine public thought and democracy is.... generous.
They didn't understand computers or why anyone would give a shit about seeing your lunch. Both fair. But let's not repaint them as wise prophets of some future data apocalypse.
The real kumbaya moment you're talking about is both self-deprecating and metacognitive: "I am not so much an individual as one of fewer-than-you'd-think archetypes, and my beliefs about the world are malleable based on cute pictures placed in front of me for pennies. I should take time out of every day of my life and spend it working to double check that the things i think are true, and the people I hate are the thing I think they are. Whole organizations of much smarter people than I will abuse me at every chance they get to take as much money from me as they possibly can. Most things that feel good on the internet are designed to turn me, somehow, into money."
This is a painful, stark realization that lots of people never get to. Whole industries rely on people never coming to the realization that all of us are "basic bitches" and not anomalously unique or intelligent.
I'd love to believe you that there is a multi-generational awakening to the idea that people are herdable animals, but don't bet the farm.
> The idea that "their elders" were "intuitively resistant" because they understood the decade-later implication of algorithmic user profiling being weaponized to undermine public thought and democracy is.... generous.
Intuition doesn't require explicit understanding. Many of my elders certainly had the instinctive sense that we're oversharing and that it will, somehow or another, bite us in the behind. And many of my peers assumed they were paranoid.
Anecdotally, I'm in my early 20s and none of my friends post to Facebook at all any more -- it is essentially just a messaging app that happens to have your real name in it and a large userbase. I deleted my account and haven't noticed a lick of difference -- in fact, a couple of my friends living far away called me on my phone to ask if I'd deleted my Facebook and tell me that they've deleted theirs as well. Since I did this a couple of months ago I've gotten a lot more texts and calls from acquaintances and friends I used to only interact with in group chats.
So basically if you're feeling trapped by Facebook's social network, remember that it is in fact possible (and often superior) to interact socially outside of Facebook. The tide may be turning.
Of course this is a generalization, but I disagree with you. Older generations didn't trust social media companies with their private details because they felt it was too creepy and intimate. The younger generations thought they were paranoid or behind the times.
It's not just "IP 12.342.32.1 is chaotic neutral" but "'Bob Smith, with a degree in X from Y, that likes A, B, and C and is newlywed' is chaotic neutral." The issue isn't really the quiz (and it's not even CA tbh), it's Facebook giving out real names, real pictures, etc. every time you "Log in with Facebook" on any random website or app.