How could the Facebook data slurping scandal get worse? Glad you asked

Yet another rogue Facebook app that gathered and sold "intimate" details on millions of users has come to light. A report from New Scientist finds that the myPersonality app had collected and shared the personal information for as many as three million users who had installed the app on their Facebook profile. The data has …

  1. Ole Juul

    data use

    ... a thorough investigation into whether they did in fact misuse any data."

    Does misuse even have any meaning in this context? As far as I'm concerned, the fact that they gather it in the first place is the big issue here.

    1. Anonymous Coward

      Re: data use

      There are plenty of legitimate use cases for gathering *some* personal data.

      If you're playing a game, for example, that game might request and store your contacts so that the game can notify you automatically when one of your friends starts playing the same game, or has beaten your best score, or done something you haven't, etc.

      As long as that data is held securely and never sold or otherwise disseminated to third parties *and* as long as permission is given in the first place, I would argue that that is a legitimate use of that data.

      A lot of the problems stem from the fact there are too many apps out there that take advantage of user laziness and grab all they can. Educating users and prosecuting rogue developers should take priority in my mind.

      1. Charles 9

        Re: data use

        Users don't want to learn, and rogue developers are as likely as not protected by hostile sovereignty. So what next?

      2. JohnFen

        Re: data use

        " that game might request and store your contacts so that the game can notify you automatically when one of your friends starts playing the same game, or has beaten your best score, or done something you haven't, etc."

        That's not a legitimate reason to request access to your contacts. The game should request the specific game user IDs of your friends instead of requesting a complete list of everybody in your address book.

        "As long as that data is held securely and never sold or otherwise disseminated to third parties *and* as long as permission is given in the first place, I would argue that that is a legitimate use of that data."

        First, nobody can legitimately assure you that the data will not be disseminated to third parties. Circumstances change over time. Second, it's not the person installing the game who needs to give permission -- it's the people whose contact information is stored in your device. It's their information, not yours.

        1. Anonymous Coward

          Re: data use

          That's not a legitimate reason to request access to your contacts. The game should request the specific game user IDs of your friends instead of requesting a complete list of everybody in your address book.

          That makes no sense. Where will it request these IDs from? How will it know who your friends are?

          Here's how I envision it working (and how I will implement it if I ever have time to work on game projects again):

          1) You download and start playing a game.

          2) Your contact information (email or phone number) is hashed, sent to the game server, and stored along with your game user ID. (And possibly other information that you have consented to sending, like a nickname and/or your real name.)

          3) The game then retrieves unique identification data for each person in your contacts list (email and phone number), hashes each in turn and sends them to the backend which attempts to find existing matches in the game's database. If a match is found, those accounts in the backend are linked for future notifications.

          At no time are any of your friends' details stored remotely unless they play the game and give their consent. But the game still needs access to your contacts list to perform the above.
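The three-step flow above, as an added worked example (not the commenter's code; the function names, the normalisation rules and every contact and number in it are constructed): the client hashes its own identifier and registers it, then hashes each address-book entry and sends only the hashes, and the backend links the ones that belong to existing players and discards the rest. The last function is the check a practitioner would want before adopting the design: an unkeyed hash of a phone number can be walked back by enumerating the number space, so what is sent to the server is not anonymous.

```python
"""Hashed-contact matching, as the three steps above describe it.

Added illustration, not the commenter's code: the function names, the
normalisation rules and every contact below are assumptions/constructed data.
"""
import hashlib
import re


def normalise_phone(number: str) -> str:
    """Keep digits only so spaces, '+' and hyphens do not change the hash.
    (Assumption: a real client would first convert to E.164 so that local
    and international spellings of one number agree.)"""
    return re.sub(r"\D", "", number)


def normalise_email(address: str) -> str:
    return address.strip().lower()


def hash_identifier(identifier: str) -> str:
    """Unkeyed SHA-256 of a normalised identifier, as the comment proposes."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def contact_hashes(contact: dict) -> list:
    """Client side of step 3: one hash per identifier present on an entry."""
    hashes = []
    if "phone" in contact:
        hashes.append(hash_identifier(normalise_phone(contact["phone"])))
    if "email" in contact:
        hashes.append(hash_identifier(normalise_email(contact["email"])))
    return hashes


class GameBackend:
    """Server side: keeps identifier hashes only for players who registered."""

    def __init__(self):
        self._user_by_hash = {}
        self.links = set()  # unordered pairs of linked game user ids

    def register(self, user_id: str, own_contact: dict) -> None:
        """Step 2: store the consenting player's own hashes with their user id."""
        for h in contact_hashes(own_contact):
            self._user_by_hash[h] = user_id

    def match(self, user_id: str, hashes: list) -> list:
        """Server side of step 3: link existing players, drop everything else."""
        matched = []
        for h in hashes:
            other = self._user_by_hash.get(h)
            if other is not None and other != user_id:
                self.links.add(frozenset((user_id, other)))
                if other not in matched:
                    matched.append(other)
        return matched

    def knows_hash(self, h: str) -> bool:
        return h in self._user_by_hash


def recover_phone(target_hash: str, known_prefix: str, unknown_digits: int):
    """Caveat: an unkeyed hash of a phone number is not anonymisation, because
    the number space is small enough to enumerate. A constructed 3-digit tail
    is searched here; a whole national numbering range is only about 10^9."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if hash_identifier(candidate) == target_hash:
            return candidate
    return None


# Constructed sample data; not real people or numbers.
ALICE = {"phone": "+44 7700 900123", "email": "Alice@Example.org"}
BOB = {"phone": "+44 7700 900456"}
CAROL = {"phone": "+44 7700 900789"}  # has never installed the game


def run_matching():
    backend = GameBackend()
    backend.register("u-alice", ALICE)
    backend.register("u-bob", BOB)
    # Alice's address book as read from her device: Bob with a different
    # spelling of his number plus an email he never registered, and Carol.
    address_book = [{"phone": "+44-7700-900456", "email": "bob@example.net"}, CAROL]
    sent = [h for c in address_book for h in contact_hashes(c)]
    matched = backend.match("u-alice", sent)
    carol_hash = hash_identifier(normalise_phone(CAROL["phone"]))
    return {
        "matched": matched,
        "links": sorted(tuple(sorted(pair)) for pair in backend.links),
        "carol_stored": backend.knows_hash(carol_hash),
    }


if __name__ == "__main__":
    print(run_matching())
    print(recover_phone(hash_identifier("447700900456"), "447700900", 3))
```

Carol's hash reaches the server but is never stored, which is the property the comment claims; the enumeration at the end is why that property is weaker than it sounds, since the server (or anyone who can read the request) can turn the hash back into her number.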

          1. JohnFen

            Re: data use

            "Where will it request these IDs from? How will it know who your friends are?"

            Because you personally tell it which game user IDs you want to be connected with. There should be no automatic scraping for this.

            "At no time are any of your friends' details stored remotely unless they play the game and give their consent."

            Your approach is less egregious (but still problematic in minor ways -- what if there's a player in the game who does not want to be linked up like that?)

            The problem with your approach is that it requires trusting that the developer is honest and has correctly implemented the functionality. You may be trustworthy, but a ton of developers are not, and there's no way to know that you're the exception. Also, what if your game is a hit and you sell it to a game company that has other plans for that data? Your careful treatment of the data would be reversed on the next update. From the point of view of avoiding throwing your friends and family under the bus, no app should be allowed to have access to sensitive data like a contact list.

            If the app want specific information for specific purposes, it should have the user specifically provide it rather than engaging in automatic scraping.

          2. onefang

            Re: data use

            "2) Your contact information (email or phone number) is hashed, sent to the game server, and stored along with your game user ID."

            So like Signal and their hash of your contacts, so it can let you know which of your friends are on it.

    2. The Man Who Fell To Earth Silver badge

      Facebook's failure to comply with 2011 consent decree

      Facebook can finger point all they want, but none of these data problems would exist had Facebook not violated the 2011 FCC decree.

    3. Anonymous Coward

      The horse is out of the barn

      Once ANYONE collects the data. I'm sure it wasn't just CA, and some companies that have a stash of this data have probably realized it is now a valuable commodity since Facebook is cracking down and are looking for ways to quietly resell it to whoever is interested.

      The only thing Facebook slamming the barn door shut now does is prevent collection of data on people who join Facebook after this spring. Probably 95% of Facebook's current userbase is out there now thanks to the idiocy of letting apps collect data on people's friends.

      1. JohnFen

        Re: The horse is out of the barn

        Yes, this. I quit Facebook years ago, and that still remains one of the best online decisions I've ever made.

  2. AdamWill

    good looks

    "The revelation comes as Facebook is trying to rehab its image in the wake of the Cambridge Analytica scandal. Having another Cambridge-based outfit caught harvesting details from millions of users is hardly a good look for Zuck and Co."

    Also not a particularly good look for the university, is it? I'm surprised how little that angle's really been pushed in the press so far, but maybe that'll change now...

    1. veti Silver badge

      Re: good looks

      Right. What is it about Cambridge? Is its psychology department that much more unscrupulous than those of thousands of other universities worldwide? That seems hard to swallow.

      Or is it because it's still, after all these years, the recruiting ground of choice for Russian spies?

      1. JaimieV

        Re: good looks

        Cambridge Analytica doesn’t actually have anything to do with Cambridge, city or university. It’s just a word in the name.

        1. JohnFen

          Re: good looks

          But the researcher who gathered the data and sold it to CA was connected to the university.

    2. Anonymous Coward

      Re: good looks

      >Also not a particularly good look for the university, is it? I'm surprised how little that angle's really been pushed in the press so far, but maybe that'll change now...

      Really? The journalists here might be strictly red brick but I guess the majority of the reporters at BBC, Independent, Guardian, Telegraph etc are from "one of the two universities."

  3. Andy Mac

    “Archibong” will keep me smiling all day.

    1. Doctor Syntax Silver badge

      “Archibong”

      Is he related to Steve? We need to know.

  4. Palpy

    On curves, and being behind them.

    Those of us who worry about such things have watched malware sophistication keeping ahead of anti-malware measures for a long time now. The development curves pace each other, with the malware programmers just a bit ahead of the anti-malware programmers. (By evolutionary principles, of course: anti-malware, like the immune system, can so far not respond to a threat until it appears.)

    Facebook, aka Zucklandia, is rather like a medieval duchy of inbred and diseased courtiers whose sole talent is exploiting the peasants. When a horde of rather savvy and innovative Mongols invades, they have neither the skills nor the weaponry to eradicate the invaders.

    They've never done fark-awl about securing Zucklandia against exploitation, and now the shoes are well and firmly on the wrong feet. And, to switch back to the original metaphor, the curve is so far ahead of them they can't even see the rise. Couldn't happen to a more deserving enterprise, IMHO.

    1. Doctor Syntax Silver badge

      Re: On curves, and being behind them.

      "By evolutionary principles, of course: anti-malware, like the immune system, can so far not respond to a threat until it appears."

      OTOH if system designers built in security by design the bad guys would be lagging a long way behind the good guys.

      Of course when it comes to something like FB the concept of "good guys" doesn't apply. We have to think in terms of bad and worse.

    2. Lars Silver badge

      Re: On curves, and being behind them.

      Just the Robber Barons of today.

      "Robber baron" is a derogatory metaphor of social criticism originally applied to certain late 19th-century American businessmen who used unscrupulous methods to get rich.

    3. Paul 195

      Re: On curves, and being behind them.

      > They've never done fark-awl about securing Zucklandia against exploitation, and now the shoes are well and firmly on the wrong feet. And, to switch back to the original metaphor, the curve is so far ahead of them they can't even see the rise. Couldn't happen to a more deserving enterprise, IMHO.

      All of which kind of assumes that Facebook cares in the slightest about 3rd parties exploiting their data. History shows they only ever care rather belatedly, when someone gets caught doing it and there's an uproar. Otherwise, the system appears to be working exactly as intended.

  5. Mark 85

    If anyone ever thinks for a moment that Facebook won't stop collecting as much as it can and/or will stop selling that info, I have a bridge for sale.

    1. Michael Habel

      If anyone ever thinks for a moment that Facebook won't stop collecting as much as it can and/or will stop selling that info, I have a bridge for sale.

      Well duh... a Zuck's gotta eat too, you know. Or did you confuse Facebook with some Geocities Webpage from the 90s and just think, well, that's ok then?

      1. Nimby

        some Geocities Webpage from the 90s

        I MISS my crappy Geocities webpage from the 90s that I coded entirely in Notepad. I do not, however, even remotely miss FB. Does that make me a Luddite?

      2. John Brown (no body) Silver badge

        "some Geocities Webpage from the 90s?"

        The same Geocities that claimed irrevocable rights to all content posted to their web server?

        plus ça change

    2. Doctor Syntax Silver badge

      "If anyone ever thinks for a moment that Facebook won't stop collecting"

      I think they won't stop, at least not voluntarily, which is why I'm not buying your bridge.

    3. eldakka

      > If anyone ever thinks for a moment that Facebook won't stop collecting as much as it can and/or will stop selling that info, I have a bridge for sale.

      Which bridge, and how much?

      I'm sure there are some parliamentarians who are interested.

  6. spold Silver badge

    So if my personality refuses to co-operate with the misuse then the VP of Partnerships Mr Archibonk will get all disciplinarian and give it a good spanking? Maybe I misread something... sounds very personal, vicar.

  7. Anonymous Coward

    Facebook Crimes

    Rogue Apps... Who's the bigger rogue here? Zuk was forced to admit that the entire population of Facebook, or 2 Billion+ users, should consider their data at risk. Senior executives failed to block email / phone number lookups by rogue actors rotating pools of IP addresses, despite knowing the risks!

  8. T. F. M. Reader

    Underestimation of the year

    "myPersonality app had been collecting and sharing the personal information for as many as three million users who had installed the app" and another 346 million unsuspecting "friends", "friends of friends", and so on...

  9. Aristotles slow and dimwitted horse

    Archibong...

    No relation to Steve "Archi" Bong?

  10. Anonymous Coward

    Don’t worry!

    The idiot masses gave it all away years ago for likes, ego-stroking and virtue signalling. They’re a generation of mental prostitutes; my dog has more intelligence and better morals than most social media users. Doesn’t really matter what Facebook does now or how they attempt to explain themselves. Who cares, who understands, and who’s even listening?

    1. IsJustabloke

      Re: Don’t worry!

      @ac

      "ego-stroking and virtue signalling."

      of course, you'd never do any kind of virtue signalling yourself would you? oh wait.....

      1. Anonymous Coward

        Re: Don’t worry!

        "you'd never do any kind of virtue signalling yourself would you". No. Hence posting anonymously. But I can imagine what your instagram feed will be like: "here's me in Lycra on my £3k bike! And here's me again with my beard and totally gifted kids! And here's me again on my best holiday ever! I am so blessed..." and so on and so on...

    2. Jamie Jones Silver badge

      Re: Don’t worry!

      my dog has more intelligence and better morals than most social media users.

      Harsh words indeed - especially as I know your dog, and he's as thick as pig-shit!

      1. Anonymous Coward

        Re: Don’t worry!

        "and he's as thick as pig-shit!" - well is he? He gets to stay at home all day and lick his balls*, which sounds pretty smart to me.

        (* well, the general region where they used to be, before he was tutored...)

  11. Michael Habel

    Isn't this a bit like rope, meet neck?

    I mean, I thought the whole point of Facebook (commercially speaking, of course) was to harvest, and then sell on, the harvested data of its users. In a not so distant fashion to what Google probably does, and nobody has bothered to really go and have a deep look at it, since that was pretty much Google's EXPLICIT mission statement since day one.

  12. Herring`

    Quality of the data

    It's a bit of a self-selecting sample. You're talking about people who will a) click on the quiz/app/thing called "My Personality" in the first place b) Click "Yes" to "Allow this app to rifle through my data"

    So we're talking about thick narcissists. Although, come to think of it, that's the sort of demographic that advertisers would die for.

    1. werdsmith Silver badge

      Re: Quality of the data

      So we're talking about thick narcissists. Although, come to think of it, that's the sort of demographic that advertisers would die for.

      You can use that expression interchangeably with "Facebook User". All of them.

      1. Waseem Alkurdi

        Re: Quality of the data

        I smell a generalization. Although signing on to Facebook is in and of itself a big blunder, it is not narcissism to have been forced into it.

        1. rmason

          Re: Quality of the data

          Also worth noting that it probably also hoovers up all the data it can of all their "friends" too.

          It's not narcissism, in most cases it's boredom, killing time. It doesn't make them all bad people. Your friends or relatives probably did it.

          1. Prst. V.Jeltz Silver badge

            Re: Quality of the data

            I'm still confused about what a "facebook app" is.

            Do they see an ad on the stream or whatever it's called that says "hey! click here to see what sort of random bullshit we will assign to the size of your knob" and then they do that - and find they have to install and download and approve an actual application - and they still want to do it?

            is this just on mobiles?

            is it actual mobile app or some kind of plug in for facebook app?

            If you're prepared to "Install an app" to get a random fortune cookie type phrase re your personality, then the data gathered by the app authors is going to be a cross section of gullible morons.... ah, I see the value now.

            1. Jamie Jones Silver badge

              Re: Quality of the data

              It's more like a plugin. Well, more basic than that - an iframe is opened to the developer's website, and at the same time, the request contains an authorisation token the developer's site can then use to interrogate the facebook server and get all the data it's authorised to receive.

              So basically, just a third party website loading within the facebook page, having been given the keys to the door, so to speak.

              Just like with mobile app installs, before the site opens, you generally get a facebook click-through saying "this app requests your name, your age, your place of birth, your credit card details, your bank passwords, and your PIN. Click OK to continue"
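The mechanism Jamie Jones describes, as an added simulation (not the commenter's code and not the real Facebook API; the resource paths, scope names, token format and users are assumptions): the platform records at the click-through which scopes the user approved, binds them to the token the iframe'd site receives, and checks them on every API call. It also takes the thread's later point (rmason, GIRZiM) one step further: a friends resource served under one user's grant hands over profiles of people who never consented, while the stricter variant only returns friends who installed the app themselves.

```python
"""Toy platform-app authorisation: iframe site gets a token, platform enforces
scopes. Added example; not the commenter's code and not Facebook's API.
Resource paths, scope names and all users below are assumptions/constructed."""
import secrets


class Platform:
    """Holds user profiles, friend lists and the tokens it has issued."""

    def __init__(self):
        self.profiles = {}
        self.friends = {}
        self.tokens = {}       # token -> (user, frozenset of granted scopes)
        self.installed = set()  # users who authorised the app themselves

    def add_user(self, user, name, birthday, friends):
        self.profiles[user] = {"name": name, "birthday": birthday}
        self.friends[user] = list(friends)

    def grant(self, user, requested, approved):
        """The click-through: the token carries only what the user approved
        out of what the app asked for, never more."""
        granted = frozenset(requested) & frozenset(approved)
        token = secrets.token_hex(16)
        self.tokens[token] = (user, granted)
        self.installed.add(user)
        return token

    @staticmethod
    def _require(scopes, needed):
        if needed not in scopes:
            raise PermissionError(f"token lacks scope {needed}")

    def api_get(self, token, resource):
        """What the third-party site calls from inside the iframe."""
        user, scopes = self.tokens[token]
        if resource == "me/name":
            return self.profiles[user]["name"]
        if resource == "me/birthday":
            self._require(scopes, "user_birthday")
            return self.profiles[user]["birthday"]
        if resource == "me/messages":
            self._require(scopes, "user_messages")
            return []
        if resource == "me/friends":
            self._require(scopes, "user_friends")
            # One user's grant exposes every friend's profile; the friends
            # themselves were never asked.
            return [dict(self.profiles[f]) for f in self.friends[user]]
        if resource == "me/friends-installed":
            self._require(scopes, "user_friends")
            # Least-privilege variant: only friends who authorised the app too.
            return [dict(self.profiles[f]) for f in self.friends[user]
                    if f in self.installed]
        raise KeyError(resource)


def demo():
    # Constructed users; not real people.
    p = Platform()
    p.add_user("alice", "Alice", "1990-01-01", ["bob", "carol"])
    p.add_user("bob", "Bob", "1985-05-05", ["alice"])
    p.add_user("carol", "Carol", "1992-03-03", ["alice"])
    requested = {"user_birthday", "user_friends", "user_messages"}
    # Alice's click-through: she approves two of the three requested scopes.
    token = p.grant("alice", requested, {"user_birthday", "user_friends"})
    result = {
        "name": p.api_get(token, "me/name"),
        "birthday": p.api_get(token, "me/birthday"),
        "friend_names": sorted(f["name"] for f in p.api_get(token, "me/friends")),
        "friends_installed_before": [f["name"] for f in p.api_get(token, "me/friends-installed")],
    }
    try:
        p.api_get(token, "me/messages")
        result["messages_denied"] = False
    except PermissionError:
        result["messages_denied"] = True
    # Bob now installs the app himself; only then does he appear in the strict view.
    p.grant("bob", requested, {"user_friends"})
    result["friends_installed_after"] = [f["name"] for f in p.api_get(token, "me/friends-installed")]
    return result


if __name__ == "__main__":
    print(demo())
```

The scope check is the only thing standing between the third-party page and the data, which is why the click-through wording matters: whatever the user waves through is exactly what the token will return, and under the permissive friends resource that includes Carol, who never saw any prompt at all.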

              1. Prst. V.Jeltz Silver badge

                Re: Quality of the data

                Thanks JJ

                1. Jamie Jones Silver badge

                  Re: Quality of the data

                  No worries! Though I forgot the bit about the "ad in the stream". That's one way to go, and that's how they start off.

                  Unfortunately most of these "apps" end with something like "You scored 10 out of 10. Click here to let your friends know what a brainbox you are."

                  By doing so, the app posts into the users stream, and their friends see it in their stream just as they would a manual posting by said user.

                  However, instead of the usual "I had 3 eggs for breakfast today" - JJ

                  It would say something like: "JJ has just scored 10 out of 10 on our whizzo app <insert cutesie image here> Can you beat them?? Click here to find out!"

                  So, one person runs the app, and then all their friends get to know about it. Then any of them that try the app will generally propagate that information to all their friends etc., so it's easy to see how these apps spread, with minimal ads needed to give them an initial kick start - ads are cheap too - it was many years ago when I last looked at it, but you could get an ad for a penny a click - if they didn't click, you didn't pay.

                  (*) Of course, when I say "app" I mean "someone else's web page loaded in an iframe" but "app" is shorter to type :-)

          2. Anonymous Coward

            Re: Your friends or relatives probably did it

            well, they're bad, bad people, and I told them this. They might have blocked me on facebook since then, but...

        2. Anonymous Coward

          Re: to have been forced into it

          Oh, I'm sure the huge majority has been forced into it, can't be any other way! :D

        3. John Brown (no body) Silver badge

          Re: Quality of the data

          "I smell a generalization. Although signing on to Facebook is in and of itself a big blunder, it is not narcissism to have been forced into it."

          uk.gov's plan to use Facebook as an authentication mechanism for citizens to sign into government websites doesn't appear in the news much these days. I wonder how that project is getting on? Maybe El Reg could ask the relevant parties about its progress.

    2. Anonymous Coward

      Re: people who will a) click on the quiz/app/thing called "My Personality"

      I thought fb is all about "moi", hence 100% would click on "my personality"? And yet, it's only 100 mln? What's wrong with you, people?!

    3. Anonymous Coward

      Re: Quality of the data

      If you're running a "mom'n'pop" business with a potential worldwide audience of 2 billion people, it's not narcissism, it's simple economics.

      I'm just a budding part-time pro-photographer, I shoot images mostly for fun but I'm currently working on a project with someone I met through Facebook that could net us some serious revenue. I've had companies approach me to license my images and we're not talking a tenner to use an image on a website, we're talking about the sort of 1 or 2 year image license payments that allow me to buy professional level lenses with the "pocket money" I make from a license. I've had requests from people seeking training in shooting images; the average daily rate you can charge is upwards of £150, the real pros happily charge £300/day. That's why I use Facebook.

      I always say, Facebook is like a chainsaw. Show it respect from a distance, use it at arm's length and be careful, or it will happily chew your arm off and leave you for dead if you let it!

      1. JohnFen

        Re: Quality of the data

        "That's why I use Facebook."

        Well, I have to give you credit for at least being honest about why you don't mind furthering the interests of a horrible, corrosive company like Facebook. As long as you get yours, I guess.

    4. GIRZiM

      Re: Quality of the data

      Have you forgotten that the whole CA scandal blew up because it was the whole "yes, please slurp my friends' data as well and, no, don't bother getting their permission, it's okay, they won't mind" that upset people, not the idea of people voluntarily giving up their own data?

  13. Anonymous South African Coward Bronze badge

    hooverbook - proudly sucking up your data

  14. Jeroen Braamhaar

    Basically what Facebook is doing ...

    ...is a China-style crackdown, emphasizing that nobody, and absolutely NOBODY but they themselves gets to spy on their citizens.

    The irony of their position is scorching.

  15. Roger Kynaston

    Facefail and not being a product

    It is oddly difficult to not use social media. I deleted my facething just before the Cambridge Analytica thing hit the mainstream. But, here at work, they are saying that social media is an excellent way of staying in touch with the users and we should be expanding its use. Are they going to hoover up all the intellectual property of said university? Am I going to have to reactivate my facething just so I can tell a user that I have patched their server, or rather that puppet has?

    Does that make me a sheeple?

    Also, no one seems to be getting exercised about what Google is doing with all the data that people hand over to them.

    I know that I don't have the answers I just hope that cleverer people than me come up with some.

    1. Anonymous Coward

      Re: Facefail and not being a product

      A lot of people think I'm strange because I don't use LinkedIn. I remind them that they jizzed out millions of user details because they didn't think to sanitise their user inputs.

      They don't care.

      If they don't care about sheer incompetent oafs, why would they care about competent baddies?

    2. JohnFen

      Re: Facefail and not being a product

      "It is oddly difficult to not use social media."

      I dunno, I find it really easy. There are a multitude of other ways to keep people informed.

      1. Charles 9

        Re: Facefail and not being a product

        Which no one else uses, you start to find. If it eventually becomes a matter of "work or don't work," do you cut off your bread supply to spite Facebook?

  16. Anonymous Coward

    The terms of service state something along the lines of “All your postings are belong to us“.

    That and the lack of a downvote/dislike/disagree option always put me off. The suppression of dissent is at Facebook's core, which makes it unsuitable for any real interaction. This totalitarian "you may only agree", the hijacking of any and all posts and pages for commercial purposes, manipulating the feed so I actually DON'T get to see what my friends are up to, but instead get another ad for some exploitative corporation trying to sell me a climate killer machine, whole swathes of the population being used as guinea pigs for mad scientist style social experiments, and the fact the whole damn site looks like something out of a horror movie featuring Windows Vista have made it unsuitable for human consumption. But hey, drive-throughs are also popular.

    Anonymous because these days we even need to hide our secondary made-up online identities from the Borg.

    1. JohnFen

      "Anonymous because these days we even need to hide our secondary made-up online identities from the Borg."

      You only have one alternate identity? Why not dozens? One for each forum you interact with, even.

      1. Charles 9

        Because each one is simply secondary to each other, and they're getting pretty good at DE-anonymizing fake accounts using incidental details like clock times, IP addresses, etc. They crack one, they're already well on their way to getting the rest.

  17. Gordon Pryra

    it may have violated Facebook's policies

    I don't think Facebook's policies have anything to do with anything.

    The fact that Facebook gives developers a whole raft of tools that allow them to do these things is more pertinent.

    Them washing their hands and saying the developer is at fault is hypocritical and probably meaningless if they were ever taken to court.

    If you give someone the keys to the castle you can't say it's not your fault when the drawbridge comes down because you told them not to open it.

  18. Gordon Pryra

    This is by design

    Ignoring all the bollocks coming out of Facebook towers about policies etc

    Facebook have not become a multi billion $ organisation flogging adverts for toothpaste and whatever crap gets pushed to the screen.

    They have made their money by selling data and access to the tools that allow data harvesting.

    Their tick box defence of "it's against our policies" is as useful as the "are you over 18, click yes to see tits, click no to not see tits"

    It's not a defence any more than a 14-year-old is going to click "no". Companies using data harvested from Facebook will have bought the tools with the tacit acknowledgement that they were going to harvest data and make financial gain from that.

    1. Jamie Jones Silver badge

      Re: This is by design

      Exactly. Facebook are almost acting like they've been hacked, but as you say, it's intentionally designed that way.

  19. Anonymous Coward

    developed by Cambridge University researchers

    but I thought... I thought I heard...I thought I read... some strongly-worded statements from Cambridge University to the tune of "Cambridge Analytica - nothing to do with us, guv!"

    Would they be so uninformed?! Or is it, perhaps, fake news?! No other option comes to my mind....

  20. hoola Silver badge

    And WhatsApp

    The change in the T&Cs for WhatsApp is another typical Facebook cop out. Essentially it is used by loads of people, including minors (not the underground type) to communicate. Recently a pop-up appeared where you just ticked a box to say you were over 16. How in hell's name are kids just going to stop using it? They will just tick the box, and the shites at Facebook say, well, you agreed, and then continue to sell the data. I have zero confidence in Facebook doing what they claim and keeping the two separate. They should never have been allowed to buy WhatsApp in the first place. If you read the T&Cs then there is every chance that data is being used for profile matching with Facebook accounts.

    They are simply the worst bunch of money-grubbing lying scroats there is, along with most of the similar Silicon Valley app-based outfits.

  21. Anonymous Coward

    facebook's doing all right

    on the markets, anything goes.

  22. PaulR79

    "We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it.”

    That'll teach them!

  23. EnviableOne

    Security by design

    The only way they will get me to Trust them with any data, is if all profiles are locked down by default, but that'll never happen and would never be free!

    as a wiser man than I said, "if you're not paying for a service, you (or your data) are the product"

    1. Anonymous Coward

      Re: Security by design

      No, the WISEST man said, "You're the product, full stop. Whether you're paying or not. Because there's always someone above you paying more than you. Always a bigger fish. And because everyone does it to stay in business, jumping ship won't matter to anything."

  24. adam payne

    The revelation comes as Facebook is trying to rehab its image in the wake of the Cambridge Analytica scandal.

    Facebook doesn't need to go to rehab it needs a defibrillator.

    "To date thousands of apps have been investigated and around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data."

    You gave them the tools to do it and they did it gladly

  25. Hoe

    I hate FB and wish it would die off, but it won't, and they will continue abusing people's trust because most people don't give a damn! :/

  26. JohnFen

    No such thing as "anonymized" data

    "The report notes that the app, developed by Cambridge University researchers, had advertised its data sharing as being anonymous"

    Any time an organization is collecting data online about you and is claiming that it is anonymous or "anonymized", they're either mistaken or lying.

  27. onefang

    I wonder if during this review, some useful apps for breaking the FB walled garden will also mysteriously vanish?

  28. MichealHeitz

    Thanks for the post.....anybody mind sharing some knowledge on GDPR in detail???
