A Facebook app developer laid out how the company is massively underplaying the risk of another Cambridge Analytica data scandal
- Facebook just announced it has suspended 200 apps and investigated thousands of others in case they misused people's data.
- But a Facebook app developer told Business Insider that the company is massively underplaying the risk of another Cambridge Analytica scandal.
- They said the company's historically more relaxed approach to privacy means it will be tough to investigate apps and leaves it vulnerable to further data breaches.
- The developer said one major social app developer, Slide, was sold to Google in 2011 - meaning Facebook might have to investigate Google if any of Slide's apps violated its policies.
How will Facebook prevent a second Cambridge Analytica?
That should be a question on the minds of regulators, Facebook shareholders and, hopefully, CEO Mark Zuckerberg himself.
One of the first major steps announced by Facebook last month was that it would audit apps that are plugged into its platform to check if they misused data.
That's important, because the entire Cambridge Analytica debacle began with an innocuous-looking quiz app created by an academic called Aleksandr Kogan.
Called "This is your digital life", the quiz app collected data about Facebook users and their friends. Then, contravening Facebook's terms, Kogan handed that data off to the political research firm Cambridge Analytica.
We know that Facebook is sorry. Mark Zuckerberg embarked on an apology tour two years after The Guardian first disclosed the misuse of data.
What is still unclear is how Facebook can guarantee that history won't be repeated, because Aleksandr Kogan's app wasn't just a one-off. There were thousands of apps that might have accessed people's friends' data.
Business Insider spoke to a developer who created social apps on Facebook as a thought experiment to see how much information people would give up.
Here are four questions he thinks lawmakers and regulators should ask Facebook:
How can Facebook really see which apps abused data?
In a recent blog post, Facebook said it had audited thousands of apps to examine whether any of them misused people's data. But given it took years to acknowledge that Kogan's app abused data, how will it suddenly know?
To recap: It was The Guardian that first reported in 2015 that "This is your digital life" obtained data from millions of Facebook users and handed it to Cambridge Analytica. The Guardian notified Facebook at the time but, as Channel 4 would later report, Facebook didn't follow up to ensure that illegitimate data was actually deleted.
Remember that Facebook allowed apps to access friend data between 2007 and 2014.
According to the Facebook developer, speaking to Business Insider on the condition of anonymity, it is still unclear whether Facebook ever tracked what data app developers asked for during those seven years. And, importantly, whether it's still hanging on to that information up to 11 years later.
"When Facebook says that it will look at how apps used your data to see whether it was legitimate, the first step is to understand what data was requested in the first place by that third-party app," the developer explained. "It's something they could have logged. The questions are whether they actually did, and whether they retained those logs, especially after all these years."
Is Facebook willing to investigate Google?
It feels like internet history now, but one of the biggest developers of social apps for Facebook was a company called Slide, in 2008.
Slide created applications such as "Top Friends," which let you pick your favourite friends and list them on your Facebook page. (Top Friends was temporarily suspended for leaking information about Facebook users.)
There's no evidence to suggest Slide's apps might have sucked up user data inordinately - but given that Facebook isn't being particularly transparent about who it's investigating, there's no way to know.
If Facebook decides Slide accessed lots of user data, who exactly is it going to audit? Max Levchin, who sold the company to Google? Or Google, who never created the apps and closed them all down?
Both Levchin and Facebook declined to comment.
How will Facebook identify the people who built dodgy apps?
The Slide/Google issue runs a lot deeper than one big developer. Given Slide shut down seven years ago, it isn't clear who holds any Facebook data its apps might have collected.
There are lots of other, similar problems - especially given many of Facebook's most popular apps date from a time when the company was much less strict about account verification.
"It's possible developers set up shadow profiles on Facebook to be the administrators of their apps," our developer source explained. "More recently, Facebook is stricter about requiring identity documents, but that's not always been the case. If it's just a fictional person, who will Facebook pursue?
"And if more organised bad actors set up offshore entities in privacy-friendly jurisdictions and listed those as the commercial entities behind the app, who would Facebook follow up with?"
And just like Slide, many smaller app developers were bought and sold in private transactions, the developer said. "If apps transferred ownership to other individuals, who would you determine is the bad actor?"
Who is to blame for Facebook failing to read developer policies?
One of Facebook's key defence tactics during the Cambridge Analytica scandal was to blame Kogan, the quiz app creator, for contravening its developer terms and conditions. These stipulate that app makers can't collect information for commercial gain and hand it off to other third parties.
When he was hauled up in front of British politicians last month, Kogan turned the tables. He pointed out that Facebook hadn't vetted his policies.
Here's what he said, emphasis ours:
"This is the remarkable thing about the experience of an app developer on Facebook. You can change the name, you can change the description, you can change the terms of service, and you just save changes. There is no obvious review process. We had a terms of service up on the Facebook platform - linked to the Facebook platform - that said we could transfer and sell data for at least a year and a half, and nothing was ever mentioned. It was only in the wake of the Guardian article that they came knocking."
"Many of these developers' policies could have been one or two lines of nonsense. And in that situation, who is to blame? Is it the developer for offering inadequate explanations of their use of data, or Facebook for checking that a policy existed but not checking its validity?"