Say there's a startup that is going to revolutionize date keeping and events and scheduling and all that, for the sake of aping a common naming scheme, call them Calendr[1]. Only drawback is that their security is an afterthought, but they're not promoting that.
So a Facebook user that is friends with you on Facebook says to Calendr, "scan my contacts and generate a calendar that already has my contacts' birthdays and any events they've created on it (one would assume this list would include anything that is shared at the Friends Only and Public tiers) for me."
Three weeks later, Calendr is hacked and all of their data is accessible. A Have I Been Pwned-style service will let you read through the data and sure enough: fixermark's super secret event was now publicly viewed as part of this data set. You do not have an account with Calendr and you haven't even heard of it before.
How would you, as a Facebook user, prevent this from happening beyond not creating the event in Facebook? How would Facebook prevent this beyond not providing the data to the third party?
[1] edit: oh geez, there is a Calendr. This has nothing to do with the real Calendr (this is fictitious Calendr).
They may not be able to prevent it without refusing to exfiltrate that data. But then they maintained clear resopnsibility (at the cost of usability) for the user's data. Excellent example though, because it highlights a real joint-ownership problem in data on a social network (the aggrieved fixermark in this case certainly couldn't have stopped his friend from hand-entering the details of the super-secret party into FakeCalendr without consent either; to a certain extent, sharing information always implies trust of the recipient to store that information responsibly).
Unfortunately, privacy / usability is the tradeoff. Facebook had clear incentives to simplify usability at the cost of privacy. But as a result, these breaches continued to happen.
(I use the past tense here because I don't know what their app ecosystem looks like now. When I was using it, it was extremely easy to do a full friends-of-friends data exfiltration, with the only guard against it being "Don't do that and then dump it publicly for all to see").
So a Facebook user that is friends with you on Facebook says to Calendr, "scan my contacts and generate a calendar that already has my contacts' birthdays and any events they've created on it (one would assume this list would include anything that is shared at the Friends Only and Public tiers) for me."
Three weeks later, Calendr is hacked and all of their data is accessible. A Have I Been Pwned-style service will let you read through the data and sure enough: fixermark's super secret event was now publicly viewed as part of this data set. You do not have an account with Calendr and you haven't even heard of it before.
How would you, as a Facebook user, prevent this from happening beyond not creating the event in Facebook? How would Facebook prevent this beyond not providing the data to the third party?
[1] edit: oh geez, there is a Calendr. This has nothing to do with the real Calendr (this is fictitious Calendr).