After the Cambridge Analytica scandal broke out, Facebook has been under significant pressure from both the public and world governments to rein in those who abuse its APIs and harvest as much data about its users as they can.
The company has admitted that Cambridge Analytica harvested even more data than reported so far, and it started restricting how third-party developers can use its APIs.
Cambridge Analytica Has Harvested Up To 87 Million Accounts
In a blog post, Facebook admitted that Cambridge Analytica may have harvested more than 50 million accounts. The company said that:
In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica.
Facebook came up with this number based on the number of friends connected to the people who installed the quiz app made by Aleksandr Kogan, the Cambridge professor who partnered with Cambridge Analytica, the U.S. subsidiary of SCL Elections. Most of the 87 million people were Americans.
Cambridge Analytica rejected Facebook’s claim and said that the company had the data of only 30 million accounts. Both Facebook and Cambridge Analytica seem to be referring specifically to the usage of this app in 2014. Neither seem to talk about any other data Cambridge Analytica may have obtained in a different way since 2014.
Mark Zuckerberg, Facebook's CEO, said that he hasn’t fired anyone over the Cambridge Analytica scandal.
Most Facebook Public Profiles Have Been Scraped
Facebook also admitted that malicious actors have abused the company’s search and account recovery features to scrape the profile data of most Facebook users (which total around 2 billion right now).
Other people could find you on Facebook if they had your phone number or email address. Considering how many data breaches have occurred in the past few years, with Yahoo alone exposing 3 billion email accounts, it’s no surprise that the bad guys were able to search for the Facebook profiles of every person in those hacked databases.
What is surprising is that Facebook didn’t block the bots and scripts in any way from searching their own database billions of times. It’s this kind of lax rules that has gotten the company in trouble so many times, and why its users' data has been so vulnerable.
New Data Access Restrictions
Facebook has added a set of restrictions to its APIs to make sure third-party developers aren’t as free to collect all the data they want.
Those restrictions apply to the Events, Groups, Pages and Instagram Platform APIs, as well as the Facebook Login. Facebook said that it will need to approve all apps that integrate the Facebook Login and request access to information such as check-ins, Likes, photos, posts, videos, events, and groups.
The company also added that it will no longer allow apps to ask for access to personal information such as religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity, and games activity.
If a user hasn’t used an app in over three months, then the developer will not be able to request their data anymore either.
Recently, some users were outraged to find out that their phones’ call and text history was being saved to their Facebook accounts even though they didn’t remember ever agreeing to that. Facebook said that the feature is already opt-in but that it will limit the storage of such data on its servers to a year. Time of calls will no longer be uploaded, either.
Facebook said that starting on April 9, users should see a link at the top of their News Feed that will show them what apps currently have access to their accounts. Facebook users will also be able to remove any app they want from that list, so it can no longer access their data.
The API restriction has already impacted some applications, including Tinder, which relied on the Facebook Login to connect its users. However, this is one of the things companies were warned about years ago - that they can’t rely on proprietary platforms such as Facebook Login to build their user bases, because one day Facebook could take it all away.
It doesn’t look like the data restriction will completely break Tinder, because users may just need to agree to some extra permissions. The two companies said they will work together to figure it all out.
All Facebook Services And Products Share Data About You
In the past, Facebook didn’t clarify that its other products and services, such as Messenger, WhatsApp, Instagram, and Oculus, were also sharing users’ data with the company. The company will now make that more clear. Last December, France’s Data Protection Authority (DPA), CNIL, banned WhatsApp from sharing data with Facebook, while UK’s own DPA recently said that WhatsApp can share the data as long as it’s done under GDPR rules.
Zuckerberg recently confirmed that Facebook will implement all mandated GDPR changes and privacy controls everywhere in the world. However, in some countries, they may be implemented under a different format, depending on the local laws.
The company also confirmed that it views all private chat messages sent through Facebook Messenger as if they were public messages. In other words, those messages aren’t private at all, unless you use the end-to-end encrypted Secret Conversations mode. However, for truly private communications, you may want to look somewhere other than Facebook.
People should now be more aware of the implications of allowing not just Facebook, but all sorts of online services to both track them and collect their data. It's not always easy to understand what the online services are doing with your data. As we saw with the recent Grindr story, people expect the data they submit to sites to be used in specific contexts, but then companies use that data for something entirely different.
The Facebook string of scandals will probably not end with Cambridge Analytica and these data restrictions until companies and governments figure out a way to regulate data access so users don't have to worry about too many surprises regarding how their data is used later on.