Skip to main content

Facebook Launches Data Abuse Bounty Program

Most big tech companies have a bug bounty program. These initiatives are supposed to incentivize security researchers to share any vulnerabilities they find in the companies' products rather than revealing them to the public, selling them to third parties, or exploiting them. Facebook now wants to apply the same approach--offering compensation for quiet disclosure--to apps that inappropriately use its platform data.

That's why Facebook announced the Data Abuse Bounty Program. (Catchy name, right?) The company doesn't seem to have many of the program's details worked out yet, however, and we suspect that's because it's rushing to respond to the Cambridge Analytica scandal in as many ways as possible. Introducing the Data Abuse Bounty Program is quite literally another item on Facebook's "avoid another scandal" check list:

That image was taken from Facebook's blog post announcing this new program. In it, the company said that it wants to "reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen, or used for scams or political influence." It will then investigate the claims and, if appropriate, shut down the offending app and take legal action.

Facebook explained what it's hoping to learn from the Data Abuse Bounty Program via its terms, where it said that submitted apps must involve:

More than 10,000 Facebook users.Definitive abuse of data. Not just collection. A case we were not already aware of or actively investigating.

The company also said that submissions cannot be related to social engineering, malware that tricks people into downloading apps, or Facebook-owned-but-technically-separate services like Instagram. Most of those restrictions seem to be designed to separate the Data Abuse Bounty Program from Facebook's existing bug bounty program, but the exclusion of services like Instagram is less easily explained.

Facebook offered more information about the Data Abuse Bounty Program in a separate FAQ page. The company said that researchers will be paid at least $500 for any submissions on which it acts, and that rewards are based on "a variety of factors, including (but not limited to) impact, data exposure, number of affected users, and other factors." The maximum appears to be $40,000--the same as its bug bounty program.

A Good (Albeit Rushed) Start

The Data Abuse Bounty Program was clearly born of desperation. Facebook wants to assure its billion-plus users that the Cambridge Analytica scandal won't happen again. (See the check list above.) But the program’s swift, scandal-driven introduction doesn’t reduce its potential impact on Facebook users’ privacy. Other companies that manage widely used platforms might actually want to follow Facebook’s lead in encouraging researchers to investigate the apps that collect information via their services

Many large companies encourage developers to build on top of their platforms, whether it's via whole-scale integration or simple login support. Twitter and Google are the most similar to Facebook in that their platforms are used by countless apps. Rarely do people stop to think about all the apps that have access to their Twitter, Google, or Facebook data, even though Cambridge Analytica showed how easy it can be to exploit.

Consumers shouldn't and can't be expected to investigate every app or service they encounter. It's up to the companies running these platforms to make sure everything is on the up-and-up, and to independent researchers to suss out when the platform makers have shirked their responsibilities. If that requires these companies to grease a few palms via programs like Facebook's, well, they should just grease away.