Facebook Changes to Better Protect your Personal Data

Facebook Outlines Plans to Restrict Data Mining Through Facebook

Facebook is Making Changes in an Attempt
to Restrict Data Mining through their Platform

Bonus: How to Tell if Cambridge Analytica Has Your Information

By now, everyone has heard about  the Facebook Data Mining Scandal.  Third-party apps have been mining our Facebook data for years now, and Facebook made it very easy for them to do so.  When the extent of what was being shared became public, users were incensed and started leaving the platform in droves. #DeleteFacebook began trending on Twitter.  To prevent becoming the next "MySpace," Facebook promised to make changes to prevent apps from mining your data so freely.  These changes will start rolling out today.

What Types of Data were Apps Collecting Before?

Part of what makes Facebook so popular is the amount of third-party content and the ease of sharing. Anyone can create a "Facebook Page," invite followers, embed apps, and invite users to like and share.  When a user interacts with page content in any way, that page can access personal data related to that user.  In addition, anyone can create a Facebook App, independent of any Facebook Page.  Popular apps include quizzes, profile picture frames, games, and sweepstakes.  

To help developers create content and apps, Facebook provides many developer APIs.  API stands for Application Programming Interface, and it is basically a set of tools that make it easier for third-parties to develop apps and content that work with Facebook.  Facebook provides several APIs, including ones for groups, pages, events, search, and games.  They also offer the Facebook Login API, which makes it easy for users to create accounts on third-party sites without having another username and password to remember.  

In the past, APIs gave developers unrestricted access to most Facebook Users' personal data.  The associated apps were SUPPOSED to notify users about what data they were collecting, as well as how they planned to use it, in their Terms of Service and Privacy Policies.  Most of these apps complied with this and disclosed that they were mining your data. However, few people actually clicked through and read either, assuming that the Facebook terms and privacy policies were in place.  Additionally, many of these apps buried their terms on web pages users would never see, as they only interacted with the developers through the Facebook app.  Many users assumed that unless they marked a post public, their data was only being shared with the "friends" or "friends of friends" with whom they had given Facebook permission to share.  But this was not true.  Many apps mined ALL of the information in a user's Facebook profile.  Some (most notable quiz apps,) requested permission to access your friends list and all of the data associated with your friends' profiles. Ostensibly, this was so they could determine "The 10 People to Bring to a Desert Island." In reality, it was to obtain your permission to mine their friends' data as well as their own.  And the Facebook API made it easy to do so, for as long as that app wanted. If you clicked through to a quiz app in 2014, and never used it again but did not disconnect the app, that app could still be mining your data in 2018 and beyond.  

What is Changing

Facebook itself has NOT promised to stop mining your data.  After all, Facebook is a free service that has to make money somehow.  As Sheryl Sandberg (COO of Facebook) said, the alternative to data mining is to charge a fee for using Facebook.  Facebook has promised to make it a LOT more difficult for third parties to mine your data though.  What this means is major changes to the Facebook APIs.

First,  the Events, Groups, Pages and Instagram APIs will no longer be available to new developers.  Apps currently accessing Events and Groups APIs lost access on April 4, 2018. Facebook is now requiring ALL apps requesting access to these APIs to undergo formal app review.   Beginning April 4, 2018, all apps, including those formerly approved, must undergo App Review in order to gain access to the Events API, Groups API, and Pages API.   Legacy Apps had their access pulled and now require review before they can resume access.

Specific APIs, and What is Changing

Event API

Before the changes, the Event API  allowed access to information about events a user hosted or attended, including private events.   This meant they could obtain data about other people’s interest, view RSVP lists, and see all posts on the event wall.  Now, apps using the API will no longer be able to access the guest list or posts on the event wall.  And in the future, only apps Facebook approves will be allowed to use the Events API.  They are also instituting strict criteria for accessing this API, although they have not detailed what this criteria is as of yet.

Groups API

In the past, apps only needed the permission of a group admin or member to access all group content.  (They only needed the permission of an admin for secret groups.) Basically, that means an administrator could grant access to an app, and it could turn around and scrape the members' data.  Apps could easily access member lists and group conversations.  Often, Administrators did not realize what permissions they were granting when they decided to use a third-party app within a Group.

Now, Facebook has vowed to better protect the content of group discussions. Starting today, all third-party apps using the Groups API will need approval from BOTH Facebook and an admin "to ensure they benefit the group."  Apps will no longer be able to access the member list of a group, names and profile photos attached to posts, or user comments.

Pages API

Previously, any app could use the Pages API to read posts or comments from any Page. They could also read user data attached to these posts and comments.  There was no Facebook approval process required.  Now, Facebook is going to review any apps requesting page data, supposedly to ensure the app is "providing useful services to our community."  In other words, the Page API allowed third-parties to create apps that would mine Page Data, as well as the personal information of users associated with that page.  Now, Facebook is going to review the apps before they allow them to access this data.  Facebook has NOT said it will outright restrict this type of data collection, but rather they will review why the app is requesting access to such data before they allow it.

Instagram API

Facebook is basically getting rid of this API completely, until they can roll out a new one.  Effective immediately, the API will no longer be able to access a user’s profile information or media, nor will they be able to view public media "on a user's behalf."    Additionally, apps will not be able to use the API Platform to crawl or store users' media without their express consent.  (Of course, this means apps could do all of this before today.)

Facebook Login

Before, sites or apps using the Facebook Login API could pretty much request access to anything they wanted.   Now, Facebook is cutting off this access.   Previously, when you connected to a site with Facebook, that site could scrape any data it wanted from your Facebook Profile. To understand the extent of what this was, take a look at the types of things logging in with Facebook will no longer share with a site.

Last week, they stopped apps using the Login API from accessing the list of friends who have used an app.  Now, this permission may only be granted after a Facebook Review.  Starting today, they cut off access to check-ins, likes, photos, posts, videos, Events, and Groups.  In the future, access will only be granted to apps Facebook deems worthy in its review process.  

Access to the following data categories has been cut off, and current apps requesting this information will no longer get it:

• Permissions: religion and political views, relationship status, relationship details, custom friend lists, about me, education history, work history, my website URL, book reading activity, fitness activity, music listening activity, video watch activity, news reading activity, games activity.
• APIs: taggable friends and mutual friends lists.

This is probably the most significant change: if someone hasn't used an app in 90 days, the app will be blocked from accessing that person's personal information until they re-authorize that particular app. This means an app you used once 5 years ago will no longer be able to mine your data until the end of time. And as we discussed last week, Facebook has made it MUCH easier to see what apps are connected, and now it's easier to remove any apps a person no longer uses.  (See this post for step-by-step instructions: https://techlaurels.blogspot.com/2018/04/how-to-disconnect-your-facebook-apps-and-why.html.)

Other Privacy and Data Protection Changes

APIs were not the only way third-parties accessed Facebook Users' personal information.  Facebook has long collected a lot of data, and in some ways, were pretty nonchalant about how that data could be accessed and aggregated.  Now the public is more aware of the range of personal data third-parties could (and did) access, Facebook has promised to tighten up the loopholes that allowed this.  As such, they're making changes to other parts of Facebook as well. 

Search and Account Recovery

In the past, Facebook made it really easy to find someone, and even clone their account, using Facebook Search. Before, people could enter another person’s phone number or email address into Facebook search, and it would attempt to match it to an active user.  Data Miners abused this feature, entering e-mail addresses and/or phone numbers they'd obtained elsewhere into Facebook Search, so they could complete their own dossier on an individual.  That meant a spammer could enter a list of e-mail addresses they'd obtained through whatever means and get names, likes, etc. to match.  

Facebook has acknowledged that this function has been heavily abused, and so they are finally disabling it.  They have promised to make changes to account recovery to make it harder for a third-party to gain access to your account.  

Partner Categories

This is a feature Facebook has offered to pages purchasing Facebook Ads or Promoted Posts.  When creating a campaign, Facebook has offered "Partner Categories" to help an advertiser target a promotion.  Facebook says: "categories allow you to further refine your targeting based on information compiled by these partners, such as offline demographic and behavioral information like home ownership or purchase history."   They tout it as a way for businesses that don't have access to customer data of their own to basically purchase some from Facebook.

As of today, Facebook is shutting down "Partner Categories," purportedly to protect users privacy.  They have not yet announced what will replace this.  

App Suspension

Facebook is creating a whole new App Approval process, which promises to more closely scrutinize why an app requires certain permissions, as well as what type of data the app will collect, and for how long.    They promise to continuously monitor apps, and if and when they find one abusing privacy and data protection policies, they will suspend that app.  If they find any developer or app has misused data in any way, they will ban that developer or app.  And they will notify users of why the app was suspended.  They are working on a "bug bounty" program to reward folks who find and report misuse.

Facebook Will Tell You if Cambridge Analytica has Your Data

If you've read this far, you may be shocked at how much data Facebook was freely sharing with third-parties. You may have even downloaded your Facebook Profile to see what data it contained.  As part of its atonement, Facebook has promised to notify users if it thinks your data breached.  Beginning  April 9, Facebook will include a link at the top of the News Feed that will show individuals what apps they use, as well as the types of  information they have shared with those apps.  As a part of this process, Facebook will tell you if they think your data has been exposed.  Facebook users will see one of two screens:

The left side of the graphic shows the notice you will receive if Facebook does NOT think Cambridge Analytica has your information.  The right side shows the notice you will get if Facebook thinks your data has been compromised.  Facebook is estimating up to 87 million people had their data scraped, so do not feel alone if you receive the notice on the right side of the graphic.

And if you receive the notice on the left, it does not necessarily mean your information has not been harvested. It just means Facebook thinks Cambridge Analytica didn't get it.  It is likely your data has been mined by some other app, and quite likely it is being sold to someone somewhere, especially if you're fond of sharing viral memes, taking Facebook Quizzes, or falling for Like-Farming scams.  Your data IS a commodity, and very often, the "cost" of using free services.  Facebook has NOT promised to let users know if they think anyone other than Cambridge Analytica scraped their data either.

Although these notices will BEGIN appearing on April 9, it may take a week or so until you actually  receive your own.  Facebook needs to notify millions of people, and it has not yet revealed the order in which it will begin rolling out these notifications.

What Does All of This Mean For Me?

Facebook has become an ubiquitous presence on the Internet.  Parents have started creating accounts for unborn babies, and almost everyone who uses a computer has a Facebook account.  People use Facebook like a digital scrapbook, and they share their most intimate thoughts, feelings, and photos freely.  Scammers have also infiltrated the platform. They can entice you with a post, scrape your data, sell it, and disappear into the night without you taking much notice. They can trick you into sharing something so that they can access your friends' data as well.  This has been going on for years, and until recently, no one paid attention.  Then we found out one of those Data Miners sold us out in an attempt to influence our elections, and we were shocked.  We suddenly demanded that Facebook start treating our personal information with more care and respect.  

Facebook, which basically makes its money collecting and aggregating data, was also shocked.  Their platform was being used to scrape data to resell, without Facebook getting its own cut.  APIs and functions that had made the platform so ubiquitous were being exploited by the Bad Guys, and Facebook suddenly realized this was happening because they forgot to lock the doors and close all the windows.  Facebook responded by promising to make changes that would secure these back entries to data collection.  They agreed to review those they grant access to in the future, and they attempted to cut off the current pathways that allowed rampant data mining.  In other words, they agreed to do a better job of ensuring doors were kept locked, as well as to be more choosy about to whom they gave keys.

To be clear though, Facebook has NOT promised to stop mining your information at all. In fact, they have continued to emphasize that data mining is their alternative to charging fees for use.  They have just promised to be more transparent about how and when they collect data.  They have also promised to ensure folks they allow data access to are more transparent about how it will be used.  They have neither promised to stop selling your data to third parties, nor to stop selling third-parties tools they can use to mine data.  Most likely, businesses who want to collect data through Facebook will now have to pay Facebook more to do so.

Realistically, this means fewer scammers will be able to purchase access.  Apps will be more closely scrutinized to see what type of data they intend to mine.  Fewer malicious items will be hosted on Facebook's own platform. But these changes can do little to protect you from clicking through a link to a rogue site.  A fake news site may have it's Facebook Share button suspended, but a user can still copy and paste that link into a post.  When you click through, that site can still install malicious cookies or privacy-compromising software.  

Facebook can only do so much to keep its users safe. And it can only keep users safe within the confines of its own platform.  Once you click-through anything that takes you outside of Facebook, you are on your own.  And too many data compromises started with that click through.  Any user who does not change his or her own behavior in response to these revelations will continue to have their data sold and misused.  

Summary:

Facebook had its world rocked by the Cambridge Analytica scandal, a situation which exposed the data mining implications of Facebook and many third-party apps.  Internet Users are too nonchalant about reading Terms of Service and Privacy Policies, and the data scrapers took advantage of that fact, using Facebook APIs to entice users, and then hiding what a user was agreeing to when they liked, shared, granted permission, or clicked through something on Facebook.  And Facebook took the heat for allowing, and even encouraging this type of practice.  In response, they promised to limit the type of data a third-party could obtain without the express permission of Facebook. They also attempted to close the back doors companies, apps, and developers were using to access Facebook data.  Facebook suspended many apps, as well as instituting a review process for new apps and apps looking to access certain categories of user data.  Facebook never promised to stop mining data, but just to make it harder for folks to do without permission.  They also agreed to limit certain data collection practices, as well as limit the duration apps have access to user data. They promised to do a better job of protecting user data in the future, as well as doing a better job of notifying users when a privacy breach occurs. As part of these changes, they will be notifying the 87 million or so users who had their data shared with Cambridge Analytica.  

Again, this situation occurred because we let it occur. "What harm is there in liking and sharing this Free $50 Costco coupon? It might NOT be a scam..." users think, as they like, share, and tag 50 friends, never realizing that they are giving that page permission to harvest their data in exchange for a bogus coupon they'll never receive, or that they're giving away their friends' info with that harmless tag.  Yes, it was the Facebook API that facilitated the data mining, but our own greed that gave the bad guys the opportunity to mine.  

Facebook can make changes to help us protect our information until the cows come home, but if we don't also work just as hard to protect it, we've lost the battle.  The Bad Guys are not going to stop using Facebook to cheat us out of our data, even though Facebook has made it harder for them to do so. 

What have you done in reaction to the Facebook Kerfuffle?  Did you delete Facebook? Did you cull your connected apps? Did you ever really understand what types of data apps and Facebook were collecting for the past decade or so?  Have you started looking for Terms of Service or reading privacy policies before giving an app permission?  Have you decreased your use of "Log in with Facebook?"    And have you received your Cambridge Analytica notification yet? Were you affected by the breach? What types of changes do you plan on making to your own behavior to better safeguard your personal information in the future? Hit us up in the comments and let us know. And as always, thanks for reading.