I guess my question is from a security standpoint, how do you prevent something like this if you were facebook? Do you ask any company who does a huge number of API requests requesting peoples friends lists? To verify how they are using the data? How do you actually confirm they are doing what they said?
According to the article only ~200k people installed the app and consented. Unless there was an exploit, you get a minimal version of the data in their friend list (user id, name, that is all i really see) not a full profile. So didn't they only really get the names of 49.8 million people?
Is the solution to just not allow allow a third party token to access a friend list, and only your personal information?
I am not trying to defend what is going on, i am just struggling to see how they were able to use the extremely minimal amount of information the friend list api returns to make a full profile on 50 million people.
This might be an interesting read if you haven't already, still doesn't go into too much tech detail unfortunately.
> What the email correspondence between Cambridge Analytica employees and Kogan shows is that Kogan had collected millions of profiles in a matter of weeks. But neither Wylie nor anyone else at Cambridge Analytica had checked that it was legal. It certainly wasn’t authorised. Kogan did have permission to pull Facebook data, but for academic purposes only. What’s more, under British data protection laws, it’s illegal for personal data to be sold to a third party without consent.
> “Facebook could see it was happening,” says Wylie. “Their security protocols were triggered because Kogan’s apps were pulling this enormous amount of data, but apparently Kogan told them it was for academic use. So they were like, ‘Fine’.”
As I understand it, originally the Facebook API allowed you to access friends of friends - hence the millions of records. They changed this a couple of years ago (but apparently after CA had accessed the data).
It was also against the terms of service to download and store the information retrieved from the API. They also changed this many years ago, in the name of developer convenience.
According to the article only ~200k people installed the app and consented. Unless there was an exploit, you get a minimal version of the data in their friend list (user id, name, that is all i really see) not a full profile. So didn't they only really get the names of 49.8 million people?
Is the solution to just not allow allow a third party token to access a friend list, and only your personal information?
I am not trying to defend what is going on, i am just struggling to see how they were able to use the extremely minimal amount of information the friend list api returns to make a full profile on 50 million people.