So it seems we're in the midst of yet another Facebook privacy "gaffe" uncovered by the Wall Street Journal. A breach large enough that Congress called Mr. Zuckerberg to appear before them and explain how and why it happened.
So What's the Big Deal This Time?
The top 10 gaming companies were caught transferring data via user IDs. LOLApps, the largest "offender," was suspended and has since been reinstated.
What is a User ID?
Facebook's developer page explains that "...people and pages with usernames can be fetched using their username as an ID." This data "... presents a simple, consistent view of the Facebook social graph, uniformly representing objects in the graph (e.g., people, photos, events, and fan pages) and the connections between them (e.g., friend relationships, shared content, and photo tags)."
So Why is This Important?
With this user ID your name can be known and the relationships between you and your friends, your groups, events, etc., can be associated and then re-associated with the data inside the third party's databases and voilÀ -- instant marketing and user profiles by name, not anonymous user.
Now at first, I was going to write about the issue itself, but it has been covered extensively and I feel I have little to add to the actual discussion of the incident. But as I read the materials from the Wall Street Journal and quotes from Sophos and a few others, I found myself cringing at the remarks and wanting to scream at my laptop.
Why are we blaming LOLApps? Why aren't we looking at Facebook?
Poor Little Facebook -- What Are They To Do?
Aside from checking, aside from auditing, what else are they to do? Exactly that!
I was at DefCon this year, a hacker and security conference in Las Vegas, and it's a well-known fact that Facebook has no checks for security on its apps. Yes, you read that right, none, nada, zip. If you saw some of the stuff coming out of that conference, you would probably shut down your account immediately.
But seriously, when did we as consumers decide it's OK for companies as large and as wealthy as Facebook to not have security checks? When did we decide it's OK to not take care of our privacy, and our data? Probably around the time of free stuff and shiny objects, but that's neither here nor there.
Just Accept It?
All the time, I hear people saying some variation of, "Well you know, we just have to accept that we must live in a world where we don't have privacy, where we don't have security."
We do? I beg to differ. No we don't.
We can just tell companies like Facebook to stop being careless, stop being sloppy, stop giving out all our data, get a security team, and audit its apps and app companies. If Apple can do it, so can Facebook.
Take a few million and build out the proper infrastructure to protect our information and our privacy.
And we consumers have to stop being so lackadaisical and demand that they protect our data by not buying into this idea that losing our privacy is inevitable. It's only inevitable if we allow it. It's either laziness, ineptitude, or (even crazier) by design that this happened over and over and over again.
Maybe it is All by Design?
Does anyone still believe this is all by accident? That Facebook doesn't have a security or audit team because it can't afford one and that these teams of app developers accidentally get your user information and user IDs? Guess it's easier to beg for forgiveness rather than asking for permission (*cough*GoogleStreetView*cough*)?
It seems that the only data LOLApps, the largest game maker on Facebook, could have been getting was data Facebook was allowing LOLApps to get because that's how data works. The people who own it are like gatekeepers. They have to give you a key and then let you into the castle before you can walk away with the golden egg.
Either that, or Facebook has the most inept developers in the world, which I know isn't the case. In fact, if I were a Facebook developer, I would buy a T-shirt that reads, "Facebook Programmer -- Zuckerberg made me do it!"
Pump It Up!
We now live in a world where companies like Facebook and Twitter pump out your data (see last month's articles on why your Twitter Direct Messages (DMs) aren't private) and then expect the company that receives it to deal with the permissions.
These companies give them all your data on an honor system. "Here you go. Take this data, but we trust you. In fact, so much we won't even check on you."
Yes. This would be like the bank that holds all your financial data taking it all and pumping it out in the morning paper. Then hoping the people who decided to use the data weren't nefarious or in any way corrupt. Because, of course, there would be no checks on the other end when they came back to use that data at the bank.
So Johnny could come in and say he was Suzy, take out a credit card in Suzy's name, and it would all be OK. Why? Because no checks are in place and nothing is secured.
I don't think so. Do you?
If you've had enough of these privacy issues and want to stop Facebook from tracking which pages you visit, one Google engineer offers a solution in the form of Google Disconnect. The Chrome-only extension claims that it "blocks all traffic from third-party sites to Facebook servers, yet you'll still be able to access Facebook itself."