The Cambridge Analytica scandal, in which a right-wing data firm slipped through Facebook’s loopholes and stole millions of user profiles, has gotten the lion’s share of attention as the embattled social media site attempts to repair its reputation. But buried in a public statement about what Facebook is doing to protect privacy was an admission that amounts to closing the barn door after the barn has burned to the ground. If you have a Facebook account, it is likely that someone has at least attempted to “scrape” your data from it. What’s most glaring is how easy that was, and how Facebook apparently didn’t notice.
The problem, listed sixth in an inventory of nine items, is simple: anyone who already has your phone number or email address could find the account tied to it just by entering it into the site’s search box or its account-recovery flow. In Facebook’s words:
…malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.
This sounds bad already, but it isn’t until you consider the sheer potential scale that it becomes frightening. Almost every data breach at other websites includes users’ contact data, and some companies have shared that data alongside far more sensitive information, as in Grindr’s accidental revelation of its users’ HIV status. Even setting breaches aside, lists of email addresses and phone numbers are widely available; your own phone provider will gladly hand your name and number to anybody who pays for them. Any such list can be fed through the lookup wholesale, tying each address or number to a real profile.
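To make the mechanism concrete, here is an added example (not Facebook’s code, and not from the Washington Post report) that simulates the lookup-by-phone-or-email feature quoted above, drives it with a constructed breach dump the way a scraper would, and then runs a simple enumeration detector over the lookup log. The profile directory, the breach dump, the client IDs and the detection thresholds are all made-up assumptions; how Facebook actually implemented or monitored the feature is not stated on the page.

```python
"""Simulated contact-lookup scraping and detection (added example, not Facebook's code)."""
from collections import defaultdict
import re

# Constructed sample data standing in for the site's user directory.
# Every profile, address and number here is made up.
PUBLIC_PROFILES = {
    "alice@example.com": {"name": "Alice Example", "city": "Lyon"},
    "+15550000123": {"name": "Bob Sample", "city": "Austin"},
    "carol@example.org": {"name": "Carol Demo", "city": "Porto"},
}

# Constructed "breach dump": contact data a scraper already holds from elsewhere.
BREACH_DUMP = [
    "Alice@Example.com",   # resolves despite different letter case
    "(555) 000-0123",      # resolves despite different phone formatting
    "carol@example.org",
    "nobody@example.net",  # no account: a miss, but the attempt is still logged
    "+1 555 000 9999",     # another miss
]


def normalize_identifier(raw: str) -> str:
    """Canonicalize an email or phone number the way a lookup endpoint would,
    so '(555) 000-0123' and '+1 555 000 0123' resolve to the same key."""
    s = raw.strip()
    if "@" in s:
        return s.lower()
    digits = re.sub(r"\D", "", s)
    if len(digits) == 10:  # assumption: a 10-digit number is North American
        digits = "1" + digits
    return "+" + digits


LOOKUP_LOG = []  # one (client_id, identifier, hit) record per lookup attempt


def lookup_by_contact(client_id: str, raw: str):
    """The lookup feature itself: return the public profile tied to the
    identifier, or None. Every attempt is logged for the detector below."""
    ident = normalize_identifier(raw)
    profile = PUBLIC_PROFILES.get(ident)
    LOOKUP_LOG.append((client_id, ident, profile is not None))
    return profile


def scrape(client_id: str, breach_dump):
    """What a scraper does with contact data it already has: push every
    identifier through the lookup and keep whatever resolves to a profile."""
    linked = {}
    for raw in breach_dump:
        profile = lookup_by_contact(client_id, raw)
        if profile is not None:
            linked[normalize_identifier(raw)] = profile
    return linked


def flag_enumeration(log, min_lookups=5, min_distinct_ratio=0.9):
    """Flag clients whose lookups look like enumeration: many attempts, nearly
    all for different identifiers. A normal user looks up a friend or two,
    often repeatedly; a scraper walks a list. Thresholds are illustrative."""
    per_client = defaultdict(list)
    for client_id, ident, _hit in log:
        per_client[client_id].append(ident)
    flagged = {}
    for client_id, idents in per_client.items():
        if len(idents) < min_lookups:
            continue
        distinct = len(set(idents))
        if distinct / len(idents) >= min_distinct_ratio:
            flagged[client_id] = {"lookups": len(idents), "distinct": distinct}
    return flagged


def demo():
    """Run an ordinary user and a scraper against the feature, then detect."""
    LOOKUP_LOG.clear()
    lookup_by_contact("user-1", "alice@example.com")  # a user finding one friend
    lookup_by_contact("user-1", "alice@example.com")  # ...and checking again
    linked = scrape("scraper-1", BREACH_DUMP)
    return linked, flag_enumeration(LOOKUP_LOG)


if __name__ == "__main__":
    linked, flagged = demo()
    print(f"scraper linked {len(linked)} profiles; flagged clients: {flagged}")
```

Two points the code makes that the prose only implies: normalization means a scraper does not need clean data, since whatever formatting a breach used still resolves to the same account, and the signal a defender has is not the hit rate (with real contact data most lookups succeed, which is exactly the page’s point) but the volume and near-total distinctness of one client’s lookups.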
The only good news is that only your public profile has likely been scraped this way; anything private wasn’t exposed by this method. But in the same post, Facebook more or less admits it has let apps and developers do pretty much anything they wanted. Take, for example, what it has filed under “Facebook Login:”
We will also no longer allow apps to ask for access to personal information such as religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity, and games activity. In the next week, we will remove a developer’s ability to request data people shared with them if it appears they have not used the app in the last 3 months.
In other words, Cambridge Analytica may turn out to be just the beginning of a much broader scandal. When he’s in front of Congress next week, Mark Zuckerberg will have a lot to answer for.
(Via Washington Post)