270 comments

[ 4.2 ms ] story [ 272 ms ] thread
This wasn't a data breach, it was a misuse of data by a third party.
You are nitpicking a small part of an article (incorrectly) and it distracts from the main point: A foreign power is working with American billionaires to subvert democracy and install a dictator. This is a serious issue and one of the biggest news stories of our time.

> This wasn't a data breach

Yes it was.

> it was a misuse of data by a third party.

So a bank robber who gets into the vault just misused the locks? Or the security guard misused his eyes? This was a data breach. Your language makes it sound less serious than it is, and you are wrong. This was a data breach.

Edit: Less than 30 seconds in, this post is already downvoted. I won't complain about downvotes of course, but it's insane that no conversation is actually allowed to happen on this site without burying one side. I spoke with a neutral tone, didn't do any name calling, I'm not looking for a fight. But downvotes within seconds! You can't silence me HN. I'll keep commenting my opinions and facts no matter how much you don't like what I'm saying. Nitpicking breach or misuse is silly and distracts from the actual substance of the article. It was a breach, by the way.

You're downvoted because you're technically not correct.

The case is more like the bank manager allowing the robber into the vault, with full knowledge that the robber wants to and could easily make off with all the valuables, then asking the robber to please not do that before heading back to work, leaving the thief unattended in the vault.

Edit: it's a breach of contract, maybe; but not a "data breach" which I think everyone understands to be more like the case where the vault is forcibly broken into.

I really don’t get your point. Bikeshedding on what to call it makes it seem like the actions of the company, the Bond villains behind it, and Facebook are just fine. FB’s actions show that they knew CA was not just pushing the envelope of the consumer preference and false identity manipulation that makes them their billions but totes aware it was being done together with a foreign adversary to subvert our democracy.
Words mean things. Don't assume that because someone nitpicks a technically incorrect use of a word/term that they are shooting down the entire argument. In fact, we're often trying to help; because we do agree with you; but can't get behind what you're saying 100% because part of it is not actually correct.

I'm definitely not disputing the fact that FB is an evil entity that only cares about making profits off your personal information. But, they haven't suffered a data breach in the same way as, say, Equifax; and it seems to me that choosing to use the word "breach" here must be in an effort to get more clicks; because "breach in the Equifax sense" is what the author knows most people will assume is meant.

Bikeshedding what to call a crime can be useful and important.

The democracy we are concerned about protecting presupposes rule of law, and precision when discussing laws and crimes.

I was completely technically correct. It's a data breach. Plain and simple.

> A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

A data breach, yes, but I believe by GSR not FB? It seems like users did authorized FB to share data with GSR?
This is a stupid discussion. So I’ll continue it:

Facebook was authorized to have the data. CA was not authorized, at least not to retain the data. Therefor, it is a data breach. Facebook was the breachee, CA was the breacher. And Billy-Ray was a preacher's son.

> A foreign power is working with American billionaires to subvert democracy and install a dictator.

Seriously?

I'm no fan of any politician (or really of "tyranny of the majority") but I was kind of impressed at how well it all worked out last time. An "unpopular" candidate won and the ruling elite turned over the reigns just like they're supposed to do trusting the checks and balances in the system to work.

The quickest way to get a dictatorship is to go against the legal results of an election because the unpopular candidate won based on some metric of "unpopular" like "kids rioting in the streets".

That was not a peaceful transition. Trump said in plain language that he would not accept the results if he lost. He called on gun owners to shoot and kill his political opponents who he has also been trying to jail for the past many years.

If you are impressed with the level of functional elections and government in the US since the last election, I'm shocked. It is not a functional system. It is clearly disfunctional.

> That was not a peaceful transition.

Indeed, it was the only election since I've been alive that the losing side rioted in the streets calling for the overturning of the election results.

> He called on gun owners to shoot and kill his political opponents who he has also been trying to jail for the past many years.

Fake news much?

Right. They basically just made an app on FB then had users accept the permissions. The horribly beautiful thing about FB permissions is that almost every single app will request EVERYTHING, and if you deny even a single permission that the app doesn't even seem to need, then the app will break or won't let you use it. So every user is indoctrinated into just clicking accept regardless of the supposed "granular" permissions. They are granular as in granulated sand, falls right through your fingers.
It's not a secret that FB's business is profiting off your personal data. You could choose to stop using it.
However in this situation we are talking about 3rd parties having an all or nothing policy on your data. If you don’t let some apps you login with Facebook have access to everything you can’t use their app.
...and have everyone else who knows you stop, and block their widgets and buttons that track you, and block any org that might leak, sell, or just share some of your info with them. I can’t stop a friend or just some rando at a party from uploading a photo of me. I can’t stop friends from using FB and getting me into their system. In 2018, privacy isn’t just about what we choose to do.
I agree. But you should take that first step, and then start lobbying your friends to stop posting pictures of you. Personally, I also excuse myself at gatherings when the cameras come out, because I know it's all going straight to FB. The shaming has already started to decrease; now I'm usually not alone in popping out of the room.
I instead, always asked everyone be tagged as someone else. Typically, people are relatively okay with this because no one notices.

It totally breaks the CNNs for face detection.

Smart, I think I’d have more success trying this than just leaving the situation entirely. This is going to be a lot easier to pull off with non tech oriented friends than a speech about privacy and why I have to leave the room.
That is a great idea. Personally I have tried to serve bad data to google captchas for many years. The text capthas were really easy, but the newer image captchas are much more obstinate. Or maybe my shadow profile just got tagged as an unreliable captcha form-filler.
This is a great idea, thanks! I've been asking not to be tagged, but this is better.

I worry that "not tagging" is somehow adding sparse data which can later on be filled in.

I would be seriously impressed and surprised if they managed to get any information based on photos uploaded that happened to include people who weren't tagged and weren't on Facebook. Aside from the all-or-nothing nature of specific apps, privacy is more about what you choose to do than that - most people just choose to not do much for privacy. At least as far as most private corporations using the Internet goes.
As of 4 years ago every app needs to be whitelisted by Facebook for every permission they want to request: https://developers.facebook.com/docs/facebook-login/review/w...
And you can remove individual ones! It was actually far better than the Android model at the time.

Many apps didn't get updated to work with the new API though (most hilariously, the NYT refused to let me create an account without my friend list in early 2015).

This wasn’t the case for Graph API v1.0, which I‘d suspect was used to gather the data. It was active until 2015...
I think a better source for this is a related story from Guardian on how all of this worked

https://www.theguardian.com/technology/2018/mar/17/facebook-...

It was extremely attractive. It could also be deemed illicit, primarily because Kogan did not have permission to collect or use data for commercial purposes. His permission from Facebook to harvest profiles in large quantities was specifically restricted to academic use. And although the company at the time allowed apps to collect friend data, it was only for use in the context of Facebook itself, to encourage interaction. Selling data on, or putting it to other purposes, – including Cambridge Analytica’s political marketing – was strictly barred.

It also appears likely the project was breaking British data protection laws, which ban sale or use of personal data without consent. That includes cases where consent is given for one purpose but data is used for another.

Facebook?

Yeah

So I, like, need to collect some data, lol

Sorry, can't do that

But I'm like, uh, an academic, this is for great science, see my Cambridge page here, lol

Ah, ok, just don't share it, k?

Yeah, yeah, no prb

kthxby

Don't you think that it can be a breach in the same sense of a breach by phishing? After all, both of the cases are about people giving their "secrets" for one reason but the info being used for something else.

I mean, in the case of traditional phishing the user is tricked to provide the password by impersonating a banking site, getting their funds stolen and in the case in question, the users are tricked to provide personal information by being promised some kind of personality analysis but their data is used for political propaganda that they didn't asked for resulting in life-changing consequences du to politics.

Interesting comparison.
Technically perhaps correct, but for the victims it seems rather irrelevant to me.

In a data breach, someone would have used a technical vulnerability or some other (e.g. social engineering) vulnerability of Facebook to get illegitimate access to the data.

In this case Facebook simply gave them access to the data and took their word that they won't misuse it.

Now maybe the latter situation might not be a data breach in the classical sense, but I don't see how it makes it any better for the victims. If anything it seems worse -- Facebook didn't even try to protect their data.

Facebook isn't the victim here, it's voters who may have been specifically targeted at a "physchographic" level and had their opinions unduly influenced. Further, every person who's a member of a democracy that was targeted by Cambridge Anayltica and is now being run by corrupted politicians (or in the case of Brexit by misinformed voters) is a victim.
Nobody’s saying FB’s the victim. It’s their fault, if anything. People are „unduly” influenced all the time, and by everybody. Saying CA somehow worse than anybody else just because they worked for people you don’t like is disingenuous. It’s FB that should be held accountable here; they gave away people’s personal data to a third party.
Why are you calling it Target by CA? Its such a great advancement in technology.
Yes, sorry, if that wasn't clear. By victims I mean the people whose data was harvested of course.
Every single definition I find classifies this as a data breach.

> A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Possibly, but remember it starts with the user authorizing a company (FB) to release his/her data to a third-party. If the user doesn't trust the third-party then it shouldn't authorize the data sharing. The question I guess is that FB then agrees to share the data under certain conditions (that the third party only uses the data for an agreed purpose), and if this agreement between FB and the third party isn't honoured, shouldn't FB then sue for damages on behalf of the user?
Yes indeed, we need to redefine "data breach" to include "against terms of service" to make it easier to go after all the future Aaron Swartz's.

If you redefine a concept and use it against your political enemies don't be all that surprised when they turn around and use it against your political allies.

(comment deleted)
But they were authorized to access the data, weren't they? The problem wasn't that they accessed it, it was that they used it for things they weren't allowed to.
Everybody with an FB app key is "authorized to access [the] data," but the API TOU says you can't save anything.

I'm imagining the crux of the CA issue is that they saved stuff.

It’s a data breach in the same way “social engineering” can still be considered hacking
I.e., prosecutors aren't really interested in the distinction.
If that third party wasn't sanctioned or authorized by the contract binding it with facebook then it's a breach.

(not sure if you meant /s)

Facebook: "no-one herds our sheep but us, mmmkay?"
I wonder how many of the "see what you'll look like when you're 80" and "find out how you'll die" quiz apps are doing this behind the scenes.
If I am reading the paper which started all of this correctly, you don't even need the quiz apps if you have the correct permissions:

http://www.pnas.org/content/110/15/5802

The quiz apps are how you get the permissions.

Require the user to "connect with Facebook" to see their result. Give them the result, but quietly siphon off every bit of data you can with the access token.

All of them. That's the only reason the apps exist.
That’s a ridiculous statement.

I still run several games on Facebook platform. It’s much easier to acquire and retain users than on mobile and it’s much more profitable because there seems to be a higher propensity for users to pay.

I once told a sales rep from my ISP to stop trying to sell me on a phone subscription to which he replied that "I probably signed up for a Facebook competition or something" as if that justified it. (I don't have a Facebook account.)

One of the worst things Facebook did was to just destroy any expectation of privacy.

> Facebook denies that the harvesting of tens of millions of profiles by GSR and Cambridge Analytica was a data breach. It said in a statement that Kogan “gained access to this information in a legitimate way and through the proper channels” but “did not subsequently abide by our rules” because he passed the information on to third parties.

This is exactly how Facebook was designed. You get a stupid quiz or photo frame in exchange for a copy of your friends list. It's always worked that way, and it's why Facebook OAuth was more popular than Google+ and other Oauth since 5+ years ago -- because app devs can make more money from Facebook OAuth since it comes with a copy of your friends list, so they prefer to integrate Facebook.

As of ~4 years ago when graph api 2.0 was released that’s not true.

The /friends endpoint only returns friends of the user who have also already installed your application.

As of April 2016 wasn't it limited to 50 "close friends"? IIRC it was also possible to abuse iOS webview and the FB library by modifying some private methods and injecting some JS to get the info of more than 50 friends. I don't remember the details, but I saw it in the wild in a high growth top 10 iOS app (reverse engineered to see how they were getting so many users so quickly).
I think it is much more important to focus on an investigation to make clear to the public how this data was used. That i think will lead into a much more interesting story. No one seems to want to go there and i don't understand why. Maybe because a lot of its clients are political parties/political individuals around the world and they do not want to be ousted for using "public opinion manipulation technology" on a wide scale.
Any investigation would be about as thorough as the Russian bots "investigation".
I was curious how the figure leaped from the 270k cited in the Facebook press release to this 50M figure.

It sounds like they never had full access to the Facebook profiles beyond the 270k who installed the app, but just harvested the friend lists of those 270k. This doesn't give the app developer full access to the friends' profile data, but I guess once you have the network of friend connections you can use other public data sources to fill in or infer the gaps. And of course some of those 50M will have FB profiles that are fully public open books ready for anyone to harvest.

I will say as someone who has developed Facebook apps, the whole ecosystem is pretty much on the honor system for protecting user data. There are some seemingly random and capricious (and often erroneous) abuse detection algorithms, but once an app has access to user data who knows what they do with it and whether it was kept secure -- surely Facebook has no idea unless they perform invasive manual physical audits.

You could get access to the full friends‘ user profile data in Graph API earlier than v2.0. If you had 500 friends, and granted friends_* OAuth permissions to an app, the app had access to 501 user profiles.
You know where you read this?
At $dayjob-1 we relied on this to pull in your Facebook friends as contacts. Eventually FB limited the scope of this to friends who also had the app.
This was post-v2.0 afaik.
I can confirm this, at least generally. Given access by a user, you had access to all the data the user could access, including the user’s friends’. There may have been exceptions, but, for example, friends’ likes were accessible.
From the very beginning there has been a rule that you were not allowed to persist data more than a few days in your own dB. But it was obvious there was no way for fb to verify what you did or did not keep.

There has never been substantial control on profile data harvest on fb. It was whatever you could get users to okay, which was a lot given the value your app had to appear to provide.

A substantial percentage of the US population installed that "cow clicker" app at some point, and who knows what data they harvested. Even if they did not access your full profile, they could probably learn a lot about you based on when and how often you were clicking on cows.
While your point stands, Cow Clicker itself was unlikely to be doing something nefarious. It was created specifically as a criticism of similar game mechanics, and got viral mostly by accident.

https://en.m.wikipedia.org/wiki/Cow_Clicker

Hence why the researcher who created it decided to kill it.

> It sounds like they never had full access to the Facebook profiles beyond the 270k who installed the app

That's completely speculative, and we don't need more speculative information ... I'd much prefer to wait for evidence.

From the interview, the architect of the system says Facebook detected the download of data (50 million users' data might crush smaller companies.) and asked what was going on and he just told them it was for academic purposes so Facebook let it pass. Also when Facebook told them to delete it later, CA said they did but didn't.
One thing other commenters haven't mentioned is that Facebook asked the other parties to delete the data and promise never to use it again and the other parties even certified that they had done so, but the whistleblower is alleging they lied to Facebook.

Maybe that's legally actionable.

50M doesn't strike much in FB scale, that's until...

  At the time, more than 50 million profiles represented around a third of active North American Facebook users, and nearly a quarter of potential US voters.
Sorry for the crappy formatting, can't edit now, so here's pprint version:

  At the time, more than 50 million profiles represented around 
  a third of active North American Facebook users, and nearly 
  a quarter of potential US voters.
Think about all those apps where you connect your bank account via your online banking creds that have full access to everything you buy.
Do people do that?
Yes, I know Mint does it and most credit unions offer FinanceWorks. Intuit gets the data from both.
OK, this feels like it will bring about the end. Of something. Facebook? Massive use of data for political campaigns? Anything?

If we keep consuming news like this, and do nothing, it's going to scalate massively. Same way as when Snowden told people they were spyed on and they collectively shrugged and continued with their lives as if nothing had happened.

We, people in tech, have a massive moral burden to educate 'normals' on the meaning of news like this!

The problem is that regular people no longer have a place to communicate. It used to be that the workplace, church, neighborhood or union meetings were the place to socialize and discuss these issues and take collective action. Now we have nowhere to turn to. Modern nomadic culture alongside temporary jobs, low trust and personalized news all make sure that we cannot take collective action on anything.

We need to find a new way to communicate before this cancer becomes so widespread that the last bastillions are lost.

> It used to be that the workplace, church, neighborhood or union meetings were the place to socialize and discuss these issues and take collective action

People still socialize and discuss issues in the real world. Having a Facebook group for a church or neighborhood doesn't preclude anyone from going to church or physically interacting with their neighbors. People also still take collective action in the real world - Antifa, BLM and the Tea Party are three modern examples, but there are countless others which simply don't get media attention.

And, all else aside, social media is still perfectly adequate for enabling communication between most people.

I'm sorry, but your comment seems more rooted in hyperbole than reality.

> The problem is that regular people no longer have a place to communicate.

Have email, chat, forums, physical letters, meetings, etc gone away for some reason?

If you include the word “privately” then some of the criticism you’re receiving may fall away. “Regular people no longer have a place to communicate privately”.

This is increasingly true. Actions are increasingly recorded. Privacy is increasingly undermined. We have a big problem on our hands.

The IETF's BCP#188 document is one of many consequences of Snowden, its title is "Pervasive Monitoring Is an Attack", and the text begins "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible".

Almost literally right now, IETF 101 is starting in London, and one of the things presented will be a series of proposals by people who claim they (or organisations they work for, the IETF is only for people, corporations can't participate they can just send people to it) have a legitimate reason to snoop on TLS traffic. TLS 1.3 is designed, following BCP#188, to make such snooping impossible without ongoing assistance from one of the endpoints (if the endpoint is co-operating with the snooping there's mathematically nothing anybody can do) and they would dearly like to return to an era when they could snoop with just a little one time assistance. Now, maybe this would have been stiffly resisted anyway, but BCP#188 means anybody who isn't sure has an existing IETF document telling them exactly why this is a terrible idea.

The first Ad Sales pitch deck for TheFacebook.com included a slide showing how advertisers can target students based on their sexual orientation, political bend, dating interests, gender, age, education, and social graph. All of which can be used to discriminate based on protected variables, like gender, sexuality, age, mental disability, and race.

This will not be the end, and has been like this from the very beginning. If foreign companies can get access to this information, then intelligence agencies certainly can too.

To a certain degree, this is a problem that Facebook has already taken steps against in the last years.

Remember that Facebook gives you zero access to users’ data just for being an advertiser. This scheme relied on users granting access to an app.

Data access by apps was curtailed two or three years ago to no longer include friends’ data. The permissions dialog has also become far more granular. From my observation, apps seem to mostly respect facebook’s rules on data scarcity, i. e. asking only for the data they actually need.

GDPR will enshrine this principle in law at least for European citizen, and it’s somewhat likely that it will have some effect far beyond the borders of Europe.

Regarding elections, first steps will likely align the law with that for TV advertisement. Clear information about an ad’s sponsor should be required, as well as the selectors used to target you. I’ve also heard some chatter about requiring a public repository for all ads. Right now, there might be waves of, for example, racists ads that never get reported in the news because the targeting never hits those people that would consider the ad problematic. The Atlantic is running a pilot program with a chrome extensions that records all advertisement you see on Facebook for such a repository.

In the current political climate, it’s unfortunately unlikely that the US will lead with new regulation. But there are a few decent agencies in the US that can squeeze a lot of mileage out of laws already on the books (the special prosecutor, and even the FEC). Social media companies are also quite scared, both because they fear a hit to their business, and because most of their excecutive do retain some humanity. You can also expect individual European companies to get out the big guns, seeing Trump and other Russia-backed populists rattling the core of the current consensus on liberal, open, civil societies.

> Remember that Facebook gives you zero access to users’ data just for being an advertiser.

As an advertiser you can target users based on very specific details, and track any user that responds to your advertisement campaign.

You get all the access (AKA, you know which part of your customer base resulted from targeted ad campaigns, so anything you can target on, you can attribute to that subset).

Regarding elections and digital platforms, a Dutch policy advisory states that the government should disallow non-transparent political advertisements (all advertisements should clearly state who sponsored them and to promote which political cause, if any), and to ensure that political parties can not hide their trade-offs, they shouldn't be able to micro-target people with a different message (increase taxes vs. decrease taxes, depending on what makes the user more likely to vote for you).

We are on a technical forum, thus I expect you to come up with a technical description on how can I use fb ads targeting to find out who is white and likes Arsenal in my neighborhood.

Arguing that only some advertisers get access to the tools required is bullshit: this is saying that Facebook won't tell you directly who is such and such, but will give you access to tools to bypass their own rules. I hope you see how idiotic arguing for such a case is.

(comment deleted)
FB has known all of this since it happened two years ago and only admitted it when a journalist asked them about it.
Yes. But the method that was used to siphon the data out of Facebook is no longer available.
Correct, and we now know the issue is that someone who had legit access sold the data.
My problem with this 'outing' of CA is that Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc so they can profile us. A million dollars is chump change in the crazy US election game. This all seems overly selective - it's ok for some people to profile but not for others. I'm not in favor of any of it to be clear but there is a definite political bias going on here. Let's not forget FB itself has a formal political unit that exists to push propaganda in foreign elections, 'stifling opposition and stoking extremism'

https://www.bloomberg.com/news/features/2017-12-21/inside-th...

In recent years America seems to be very eager to compromise. First it did for security after 9/11 and now for right thought after Trump.
> Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc

Sources on this?

https://www.wsj.com/articles/p-g-to-scale-back-targeted-face...

Not hard to find information, although it is typically couched as brand reach and advertising spots. The big data sales side of FB and other sites is more sensitive and less overt

https://www.facebook.com/help/494750870625830?helpref=uf_per...

(comment deleted)
Your links do not support the idea of “harvest[ing] user data”. They describe the usual Facebook ad platform, where you can set criteria to target users. But nowhere does it mention data on individual users flowing from Facebook to advertisers.
from my original Bloomberg link in post about FB

'Politicians running for office can be lucrative ad buyers. For those who spend enough, Facebook offers customized services to help them build effective campaigns, the same way it would Unilever NV or Coca-Cola Co. ahead of a product launch.

While Facebook declined to give the size of its politics unit, one executive said it can expand to include hundreds during the peak of an election, drawing in people from the company’s legal, information security and policy teams.'

It is harder to find information about FB's data sales policies (which are very opaque unless you speak to people high up in marketing large companies and their activities). FB's ad platform information is pretty transparent, but the quarterly numbers don't really add up for me based on spend by large firms like Procter & Gamble etc in those areas...

> It is harder to find information about FB's data sales policies

So you’re explicitly agreeing that you have no proof that Facebook is offering data for sale.

The quote you cite has nothing to do with the initial assertion: providing consultants that teach people how to use the ad manager is something completely different than selling PII.

Obviously you won't be finding a FB webpage providing details of where to buy user data by the thousands as I tried to explain above. FB"s role working with and for the Trump campaign provides some insights

Trump, Cambridge Analytica and how big data is reshaping politics - Gillian Tett in the FT https://www.ft.com/content/e66232e4-a30e-11e7-9e4f-7f5e6a7c9...

And obviously I won’t be admitting to murder, therefore I must be a murderer?

The linked article, once again, provides no proof (or even mention) of any data being sold by Facebook. I have no idea why you keep piling on irrelevant articles.

Cambridge Analytics just got banned for scraping data (stealing..) from Facebook.

That’s the exact opposite of Facebook selling them the data.

The Facebook page you refer to is interesting.

At the bottom it says to reach out to https://aboutthedata.com/ to see what data they have on you.

So I did. Then I scroll down to see "See and Edit Marketing Data about You. CLICK HERE" only to be redirected to a registration page that requires my US-based address and last 4 of SSN.

Talking about misled communication, or rather blunt deception, otherwise how the heck "click here to see data about you" lands me on registration page? I don't want to register, I want to see the data!

This simply isn’t true.

I’ve spent lots of time and money getting data out of FB.

You can pay to get anonymized topic data via DataSift and others, you can pay to run ads against users you have email addresses for (but you don’t get their data) or you can scrape (which is against the terms of service and they have an aggressive anti bot system to stop it - unlike Twitter).

Their political support systems are analytics support to ad buying.

I could see a constitutional amendment barring psycho-graphic profiling from election advertising and intent. Not sure how it could be enforced because this is very technical.

Even so, there is a significant difference between Coke trying to sell me a flavored soft drink and a firm tweaking my emotions to get me to abstain from voting with false information or to vote against my best interests with false information.

There are definitely people who are susceptible to psycho-graphic warfare and we need to protect them in order to protect our democracy.

You do it by making the activity costly. Mandatory opt-out for any persistence of data. Require regular re-enrollments for anyone who opted in.
European GDPR is going to help a lot when it kicks in this May
I don't think "false information" is the kicker here. Taking a cursory glance at Breitbart and Fox News, there isn't that much that is patently false. Furthermore, my observations of how propaganda works in general is that it doesn't usually rely information that is technically false. It relies on selective distribution of information, editorial spin, and other more subtle methods.

This makes "enforcement" basically impossible because you can't have a news outlet without editorial decisions. A better way to go about it would be to try incentivize media outlets to make a good faith effort at "both sides" journalism, but members of both political sides have been attacking the media for doing just that since the 2016 election season.

> Taking a cursory glance at Breitbart and Fox News, there isn't that much that is patently false.

Don't you think it would be better for you to take more than a cursory glance before commenting ?

Breitbart has had significant issues with fake news over its lifetime. Far more egregious and consistent than other any other news organisation not that I would necessarily call it one.

https://en.wikipedia.org/wiki/Breitbart_News#Notable_stories

Sure, but the parent's point is that even if you got rid of the fake news, you'd still be able to spread plenty of propaganda and sway people. Going after the easy target of "fake news" might feel good, and even do something to help make propaganda less effective, but isn't going to make a huge dent in the problem.
In addition to Fox and Breitbart, the Washington Post, Buzzfeed, CNN, and even the New York Times have had to retract dozens of viral political articles over the last two years. The retractions were only seen by a fraction of the people who saw the original headlines. This is an inevitable result of journalism increasingly relying on rumor and catering to partisan audiences.

Where is this line that should be drawn, and who should draw it? Breitbart may have a higher frequency of “oops someone gave me bad info, or my reporter/editor made an unsubstantiated inference” events, but their audience is much smaller than the large outlets.

> and a firm tweaking my emotions to get me to abstain from voting with false information or to vote against my best interests with false information.

Better ban 24 hour news networks then. And any form of political advertising.

It’s not very likely for any US constitutional amendment to be passed ever again.
1. It's not an "outing".

2. Johnson & Johnson doesn't work for Putin.

3. United States elections aren't crazy. Entire parties of Congress being blackmailed into submission by foreign influence is crazy.

4. It's not overly selective.

5. I hope it has an extreme political bias.

6. Facebook commercially exists because the United States has shit privacy laws.

7. How much did Putin pay you to gas light articles?

8. A million dollars is still a million dollars.

9. Let's not forget about that one time you tried to comment on HN to down play this article. When in fact I couldnt be happier to see this.

> How much did Putin pay you to gas light articles?

That is an egregious violation of the guidelines and a bannable offense on HN. If the rest of the internet is losing its mind, that makes following HN's rules more important, not less.

> Let's not forget about that one time you

This also crosses into personal attack, which is not ok. Heated political arguments are bad enough without users trying to take each other out like this. Please don't do it on HN, regardless of how strongly you disagree.

https://news.ycombinator.com/newsguidelines.html

Edit: your account history unfortunately contains many examples of personal abuse. You've also broken the guideline against using HN primarily for political or ideological battle. We ban accounts that do these things, so would you please re-read the guidelines and use HN as intended from now on?

(comment deleted)
Something I have been noticing for quite some time now is an increasing tendency for people to seemingly believe they can read other people's minds &/or the future, or that they somehow have an omniscient insight into the world. You might expect this on Facebook or Reddit, and I know this will not please most people here, but it is becoming rather common on HN as well.

To those of you who disagree with me, keep this idea in the back of your mind for a while and remember it as you read comments. Make a serious effort to notice how many people know what other people's motives are for their beliefs, how they know the real reason for certain policy decisions, how they know what Putin or Trump are thinking and what they are going to do in the future, how they know China is going to fail now that they've gone full-on communist dictatorship (because history "guarantees" it), etc.

I honestly don't think I am imagining this, I think something very historically significant is happening to the psychology of the public.

There is a cult of ignorance in the United States, and there always has been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge."

Isaac Asimov, Column in Newsweek (21 January 1980)

True enough, but I believe what's different now is that there is significant it has taken serious root in the "informed" class as well, HN being no exception.
>This all seems overly selective - it's ok for some people to profile but not for others

What's the issue here? Selective information distribution is rooted in the society, people are O.K. with some information to be known to some people while kept secret from others due to implication differences.

I.E. I'm fine to be profiled for selling me chocolates but I'm not O.K. to be profiled to be manipulated to select public officials or to make my mind about controversial topics like the god, abortions, guns etc. I expect to be exposed in a proper way to these topics, i.e. proper journalism and discussions.

Sadly, the downside of the consumer data culture in which we live is that you don’t really get to make that call. It seems like data is really an all or nothing game at this point, regardless of how society feels about it. Not sure how to change that, either, and I don’t personally think legislation is the answer.
It’s really easy: you pass laws.

Look at health records. HIPAA is rather successful at keeping your health data narrowly confined to those that need it. There is nothing that prevents similar laws to work for financial data, location data, etc.

The only roadblock is people saying they “don’t personally think legislation is the answer”. Because there is literally nothing but law that can have an effect.

Good law is hard. HIPPA prevents gossip. That’s about it.

The sales director for a drug manufacturer knows that you’ve filled a prescription before the claim is filed.

Enfamil and Gerber knew the estimated due date of our baby — although the only interaction we had with anyone was a miscarriage at 8 weeks and a near fatal complication.

(comment deleted)
That can be regulated. That the US chooses not to do so doesn't mean it cannot be done.

See, for example, GDPR.

> HIPPA prevents gossip. That’s about it.

I agree that HIPPA is technically very weak.

But let's also agree that preventing gossip about private health info is a good thing -- a definite step in the right direction.

Laws are about building and reinforcing the culture we want to build. In that light, HIPPA is a long way from a failure: it sets the standard that "health care privacy is to be taken seriously, and as a society we believe it is important enough to legislate", if nothing else.

Sadly, the downside of the consumer data culture in which we live is that you don’t really get to make that call.

This can be changed, regardless of whether any of us is ready to throw up our hands about the whole situation as it stands.

Isn't the GDPR supposed to help with that?
I would love to see international privacy rights harmonization with GDPR the way we had the Berne Convention for copyright.
You are either intentionally being dishonest or you missed the point. The OP is saying that it is okay for some companies or more pointedly political ideologies to do things like this but if the leftist press or governments do not like the party and or candidate doing it then it is a problem. He should have used the work hypocrite because that is what is at the crux of this "issue"
What is the "leftist press"?
People signed up to give it to Facebook, and whatever your views on that bargain, this wasn’t part of it.
I guess if P&G uses the data to push me to buy some soap, it's less sinister than using that to influence an election. Commercial vs Political.
This is simply not true: There is NO indication that Facebook ever allows data on specific users to flow from their platform to advertisers.

Only apps have limited access to the data that you agree to share in the app install dialog.

The article you linked does not even mention any of the companies.

>My problem with this 'outing' of CA is that Facebook explicitly commercially exists to harvest user data for Procter & Gamble, Johnson & Johnson, Fidelity etc etc so they can profile us.

Not only conglomerates but anyone with the money and know-how. Example P&G proxy fight:

https://www.reuters.com/article/us-procter-gamble-trian-inve...

Neubecker said he has seen several ads on his Facebook feed that link to Trian’s “Revitalize P&G” website and to videos of Peltz and former P&G Chief Financial Officer Clayton Daley, who is advising Trian.

The video of Peltz features him sitting in Trian’s Park Avenue, New York City headquarters, discussing P&G’s future, gripping a Trian-labeled coffee mug that reads “Sales up, expenses down.”

In response, P&G has called upon more than a century of product marketing experience with its own “Vote Blue” campaign.

One YouTube video begins with an image of P&G’s blue logo and a banner proclaiming “Every Single Vote Matters!”. A narrator and series of slick images offer step-by-step instructions, ending by asking viewers to vote for the blue proxy card and to throw Trian’s white card in the recycling bin.

Trian won this fight.

Sorry what are you talking about ?

Please provide some evidence that anyone with money and know how can harvest tens of millions of accounts from Facebook.

Your example does not address this and seems just like normal Facebook targeting to me.

What? You can scrape that kind of data with a simply Python application...
You are either lying or completely ignorant because this is not possible.

The data that this app obtained was far deeper than what Google can crawl e.g. what a person liked.

Pardon my ignorance but what was Cambridge Analytica doing if not using advanced analytics for Facebook targeting?

I don't think Facebook has a section where someone can talk about what stocks they might hold. So, if the HF was able to target specific people who owned P&G stocks then I think it was an efficient targeting, maybe not as much of scale of US elections but enough to turn the voting in their favor.

Agreed. This is marketing. The tone of the article makes it sound like some egregiously illegal scandal. The only wrongdoing is that one private entity breached the terms of service with another private entity. Innuendo.
You are being completely disingenuous here.

1. It is not normal marketing to have tens of millions of Facebook account data on your own private server. This isn't standard practice by any company large or small. Standard practice is to use Facebook's advertising system which does not reveal this data.

2. The wrongdoing wasn't just "breaching the terms of service" it was the transfer of account data from one party to another for the purposes of influencing an election.

3. It is not innuendo.

The thing about the relatively low cost of a million is that we know that many of the voters targeted by the Russians for influence on both sides were much cheaper than what your example commercial interests targeted for marketing services/products, so a million dollars on targeted campaign is much more effective than what that million dollars buys in a major media market TV ad equivalent or commercial Facebook targeted ad.
For 'Russians' I would suggest individual oligarchs over the nation state. Semion Mogilevich rather than politicians...
It's both. Very little goes on in Russia without the knowledge and/or support of Putin.
There is a big difference between sharing data with companies, and allowing companies to specify as targeting rules.

Facebook lets companies bid for ads to show you, based on Facebook’s data about your interests and demographics. If you never engage with the ads there is no information leakage.

It’s the difference between telling a random person “I’ll tell my gay friends about your party” and “Did you know that Bob is dating Steve?”.

> Facebook lets companies bid for ads to show you, based on Facebook’s data about your interests and demographics. If you never engage with the ads there is no information leakage.

That's not true.

Please provide evidence then.

I have never seen Facebook allowing large scale harvesting of their data.

And it would qualify as data breaches in places like EU which do not tolerate this sort of thing.

Well, they may not officially permit it in public, however they clearly allow it, otherwise we wouldn't be here.
do you understand how this data ended up in CA's hands? Regular facebook app asked persmission to get data to it's users, one by one. It then retained the data and shared without facebook or their users permission (and against FB terms). Then facebook realized this data was shared, required CA to delete all of it. CA agreed. CA didn't delete. That's how we are here

I'm no facebook fan by the way, but there's no reason for facebook to sell their most important asset when they can allow you to pay to use it, without ever seeing it

well, this seems to go deeper then I was anticipating. What I wrote above might not be accurate since the story is still evolving....
I've heard a lot of people believe otherwise (including a sibling post), so probably best to bring in evidence/sources. Here's Facebook's statement on it: "No, we don't sell any of your information to anyone and we never will." From https://www.facebook.com/help/152637448140583

So if you believe Facebook sells your information, then you also believe that Facebook is directly lying about it on a help page about that specific topic. Sometimes conspiracy theories are true, so it's not impossible that that's what happening, but it's not like Facebook is openly selling your information.

No, it's worse, they just gave it away for free.

Until 2014 or so an app could request permission to view almost any data a user stores on Facebook. That's not great, but hey, you could argue it's not Facebook's fault that people don't understand permission prompts (I'd disagree with you, but...). But those same prompts allowed users to give away their friend's data, so absolutely anyone you're friends with could take some stupid personality test and give away your information in the process, and there was no way you'd even know.

You always need to parse statements like this very carefully. Pretty much any other company who isn't providing your information to others says "we do not share your data with unaffiliated entities..."

Facebook said that they don't sell your information. Which is true -- they aren't a data broker. But they implicitly state that your data is shared, subject to the limited controls available. You cannot stop Amazon and Facebook from sharing, for example.

> If you never engage with the ads there is no information leakage.

But what if you do?

You won't get far in a blinding leftist arena if you go around spitting truth like this.
Please don't purposefully oversimplify things and engage in whataboutism in an effort to downplay their importance.

You should read this:

https://www.theguardian.com/news/2018/mar/17/data-war-whistl...

Three particularly important points:

The guy who was contracted by CA to steal the data is from Russia.

He had previously undisclosed funding from the Russian government.

CA later tried to do business from a Russian oligarch.

Choice quote:

"There are other dramatic documents in Wylie’s stash, including a pitch made by Cambridge Analytica to Lukoil, Russia’s second biggest oil producer. In an email dated 17 July 2014, about the US presidential primaries, Nix wrote to Wylie: “We have been asked to write a memo to Lukoil (the Russian oil and gas company) to explain to them how our services are going to apply to the petroleum business. Nix said that “they understand behavioural microtargeting in the context of elections” but that they were “failing to make the connection between voters and their consumers”. The work, he said, would be “shared with the CEO of the business”, a former Soviet oil minister and associate of Putin, Vagit Alekperov.

“It didn’t make any sense to me,” says Wylie. “I didn’t understand either the email or the pitch presentation we did. Why would a Russian oil company want to target information on American voters?”"

Why bother protecting any data, if you can put a footnote in your ToS.
Let's be realistic here. This headline is nothing but partisanship. The only reason this is exaggerated as a "data breech" is because of the connection to the Trump campaign.

The real scandal is that such data is so easily harvested and freely available.

I'd be interested in seeing how much of facebook's data repository was used in targeted political ads by all parties. Including Russian agitators who have been shown playing both sides.

It's essential to hold the President publicly accountable for his actions, especially when illicit actions pervert the foundation of the United States, the democratic process. That's not partisan; that's normal, healthy democracy; that's the primary public good provided by journalism.
Sure. But it is unethical to exaggerate and hold only part of the political system accountable for shady or illegal practices.

This is part of a consistent pattern. Our media has become as hopelessly partisan as our unfortunate two party system, and unethical behavior on one front does not justify the same on another in response.

Can you explain why it's unethical to hold people accountable for their actions or actions others took on their behalf?
From my post, again:

>But it is unethical to exaggerate and hold only part of the political system accountable

Please consider what I wrote in sum. Partisanship and exaggeration are antithetical to trust.

Don't think the intent of my question was communicated clearly. Let's try again.

From your original post:

> The only reason this is exaggerated as a "data breech" is because of the connection to the Trump campaign.

You have provided no evidence of this, and until you do, your comment is read as a case of whataboutism[0]. Because we are not shoehorned into the pursuit of a unilateral solution, we can both [A] call out Trump's unethical engagement of Cambridge Analytica (CA) and [B] lobby for more stringent privacy regulations, like the EU is doing.

Given the, as a prior commenter said, 25 scandals, along with string of accusations of indecent conduct, collusion, etc. that Trump is clouded with, the conclusion being made is that his engagement is not the unknowing of an unethical actor acting on his behalf, rather the turning of a blind eye.

So given the inflammatory nature of the original comment:

> Let's be realistic here. This headline is nothing but partisanship.

So in sum, on first glance your comment leads me to assume you have an agenda.

Assuming that this isn't true, lets talk about main issue here: the micro targeting of ads, and the usage of this "data breach" in the Trump campaign.

Frankly, this scares me. The power this data provides and the way that it can be wielded should scare people - who wants to live in a world where the government/corporations/people can induce people into certain behaviors? Whether Trump or Clinton uses this information would result in people bringing up their pitchforks.

I don't think that we're exaggerating here calling it a data breach - it is a gross misuse of personal information, however gained. And while I'll admit the term data breach is a bit of a stretch, the connotation of the word fits perfectly with the situation. People downloaded an app for a survey, had their entire social network scraped, and then had that information used for an ulterior motive, without them knowing at all. We should be holding them accountable for their scummy behavior. Facebook already is starting to.

We've already seen the GOP bring up the email campaign and Benghazi for the entire length of the Clinton campaign. Note the irony here as the GOP is almost completely silent over America's current president's daily antics. It is the lack of response from the GOP toward any of the recent political events that is characterizing HN's response toward CA as overblown.

So with that said, why do you believe that it's unethical to call out Trump and by extension CA's actions.

[0] https://en.wikipedia.org/wiki/Whataboutism

>So with that said, why do you believe that it's unethical to call out Trump and by extension CA's actions

Nothing in that wall of text justifies your twisting of my words.

>I don't think that we're exaggerating here calling it a data breach...And while I'll admit the term data breach is a bit of a stretch

If you weren't in such a desperate rush to misconstrue my argument, perhaps you would be able to maintain consistency in your own.

Once again, I am speaking of the ethics of exaggeration and selective accountability in journalism. My point is not that it is unethical to call attention to this misuse of data, but that the post title likely deliberately misleading because of enablers like yourself, who selectively turn a blind eye to such embellishment at any mention of Trump or the GOP.

There are at least 25 scandals surrounding the Trump administration currently that are each worse than the two pseudo-scandals surrounding HRC that Conservatives managed to drum up, I. e. E-Mails and “Benghazi”. And ts not like FOX and the entire US Congress have less power than the Guardian.

So, no: “They are all the same” isn’t just cynical and useless. It’s also wrong.

So, in your opinion, this justifies the false headline of the article, and is reason to turn a blind eye to the same potential data abuse when committed by the other party?

>They are all the same” isn’t just cynical and useless. It’s also wrong.

Please do not put words in my mouth. All I am asking for is journalistic integrity. Media in the U.S. has proven repeatedly to be partisan, which, to a rational person, makes it very difficult to separate fact from propaganda. This article is a case in my point.

Unethical politicking is not an excuse for spread of misinformation.

(comment deleted)
Can't wait for Sheryl Sandberg to write a new book now on garden soil or something.
Any reason to attack the one woman among the Facebook leadership and not, say, Mark Zuckerberg?
Because the others among the Facebook leadership are not going around writing and promoting books?

Also, do you genuinely not find it disconcerting that Facebook leadership go to great lengths to avoid discussing the privacy implications of their service? And the only person in that group who puts herself "out there", so to speak, is instead writing "success literature"?

Is there some specific evilness to writing books? Because I don’t see how her writing books is reason to single her out for criticism.

> Also, do you genuinely not find it disconcerting that Facebook leadership go to great lengths to avoid discussing the privacy implications of their service? And the only person in that group who puts herself "out there", so to speak, is instead writing "success literature"?

So you’re angry because they don’t talk about privacy. And you’re especially angry at her because ...she doesn’t talk about privacy?

That argument also doesn’t make much sense when comparing her to Zuckerberg explicitly, who’s at least as “out there” as she is. Didn’t he go on a “50 states listening tour” last year?

I guess she likes money and success literature earns more then privacy literature.

If there would be someone in Facebook leadership that writes about privacy and political implications for it, it would absolutely make sense to single out that person. Success literature is irrelevant to topic.

But, I think she was single out, because she is only name besides Zuckenberg the parent knows. Never underestimate ignorance on discussion forum.

So... If I were in Cambridge Analytica's position, employed to influence the US election, one of the first things I'd do is match this data with any data I could find on voting patterns. Which reminds me, didn't some of the Russian APTs hack into state voter databases?
You don't need to hack into voter databases - most people register for the party they vote for and that is public information(along with their home address, phone number, and whether they voted in past elections).
You may not even need to cross-reference it, Facebook asks you what your political affiliation is and displays it on your profile (or did, at one point)
(comment deleted)
(comment deleted)
China has more. They have enough that this is a drop in the bucket. While they might be as blatant and ineffective as Russia by interfering with an election, they want a low profile and to maximize capture of revenue, so they are more about making money than trying to put feces on the face of the American political process.

You people should pick your battles. It would help if you knew the battlefield first.

How about this idea: what if the Russian bots aren't actually Russian? How has no one considered this possibility?
Yes they have considered it. And they have identified they are Russian.

You really think governments wouldn't have checked this ?

I thought the public might be a bit more skeptical.

How did they identify with certainty that they are Russian? Is there any way for someone without top secret clearance to verify this?

How - the special counsel Mueller has subpoena authority. First link from indictments in list form. The one I saw on TV was that guy with Hillary in a cage in parades - he was paid by Russians to make it. I also remember reading about the pro and anti gun rallies at that Texas state park - the Russians made the Facebook page for both sides in that little incident. https://mashable.com/2018/02/16/indictment-russian-trolls-in...

Presumably Mueller used that subpoena on Facebook and internet providers and the Russians didn't try to hide very hard and used mostly Russian ip addresses.

There's also the fact Facebook admitted it sold ads and post promotion to Russian agencies and told Congress the reach of those ads and posts. Recently Facebook revealed to all users in North America whether or not they had interacted with those ads/posts. Several news organizations have independently found the data from other sources including actual interviews with the people working in Russia.

One technique the Russians used was to impersonate Americans of some extreme view to stow discord and inflame the other side of some debate. https://www.thedailybeast.com/exclusive-russians-impersonate...

There was also several different Facebook campaigns where they got Africans with pidgin English to pretend to be Americans and try to inflame white nationalists and latent racists fears.

I've heard all sorts of the juicy details, it makes a great story there's no doubt. What I'm looking for is some substantial, verifiable evidence to overcome my suspicions at how perfect of a story it is, as well as some of the inconsistencies.

For example:

> Presumably Mueller used that subpoena on Facebook and internet providers and the Russians didn't try to hide very hard and used mostly Russian ip addresses.

So on one hand, article after article tells us how sophisticated these hackers are, yet these very same hackers didn't hide their ip addresses, and also openly posted links on twitter that were supportive of Russia. Doesn't something about that seem a little off to you? If it does, you'll be the first person I've encountered who think it does, everyone else is completely confident that this is an open and shut case. Yet, none of these same people can point to any specific evidence that could convince me. Sure, everyone has some articles full of juicy stories, usually containing confident statements from high ranking government officials assuring us crimes have been committed and they have proof, but I've never been able to find a person who could point me directly to any proof.

1/3 of the way through https://www.justice.gov/file/1035477/download, rather than having my mind changed, my skepticism is stronger than before.

This feels a bit like some things we've experienced in the past, where the "facts" about an enemy, that we're are assured are 100% completely true and verified, trust us turn out to not be true several years down the road. But by then, we've already spent trillions of dollars and waged a war killing thousands of innocent people.

I'd rather not go down that path again, so I'm sorry if I can't join in the party vilifying the evil Russians, because based on the information I have so far, it seems like classic misdirection with the primary beneficiary once again being military budgets, and everyone is just a bit too enthusiastic to believe anything they're told.

EDIT: There is no shortage of internet downvotes for people like me who aren't willing to go along with this story, but there is a severe shortage of people who will put me in my place with actual content. You can probably imagine the effect this might have on the certainty I feel in the correctness of my stance. Unlike others, I'm open to having my mind change, but for some reason no one can muster any effort beyond a condescending and intellectually lazy "let me google that for you".

> Russians didn't try to hide very hard and used mostly Russian ip addresses.

This is incorrect. The indictment explains it. They routed their connections through US-based VPNs to appear as if they were American users.

As they should, but I read another Authoritative Proof that many people assured me I should take Very Seriously that used the posting of pro-Russian propaganda as the proof that Twitter bots that interfered with the election were Russian.

I don't doubt at all that there is a government sponsored organization in Russia that promotes Russian interests via cyber operations, as I'm sure there is in the United States. I'm looking for proof that:

a) this isn't a 3rd party posing as Russians

b) The harm or danger of this meddling is proportional to the airtime and Very Serious Tones of Voice we've been subjected to 24x7 for the last year.

Do you know of any compelling (and verifiable by a civilian) evidence that could help me with that?

a) Feel free to read the indictment, some detail there. I assume there will be far more at a later point.

b) I have no idea what effect it had. I personally am not sure it did have any effect that made a difference. Coverage is still warranted because attacks from foreign nations are newsworthy regardless of success.

How much reading are you willing to make time for? I've collected a very large number of links to source, research, & analysis material on Russia's ongoing active measures campaign over the last 14 months (though ironically, I still haven't gotten around to reading the recent indictment). This is a complex issue, and my perception is that a full proof of all the claims alleged about Russia's operation will require much more detail and logical inferences than most people who keep harping about "where's the proof? where's the smoking gun?" really expect. But if you want to keep the scope limited to just your a) and b), then I can probably dig up some compelling and hopefully verifiable public evidence in support of them (at least in support of your point a - for b, the only people who have metrics & data on how effective and impactful this operation has been on our country are probably the IRA, Russian intelligence services, and Cambridge Analytica. So point b is tougher for me, but I could at least point you to proof of the dark seriousness of their intent and goals). It might still be a lot of material to go over, though. Fair warning.
They have some of the Russians who worked for the RIA interviewed for newspapers and admitting what they did, which kind of blew my mind. I guess one could claim those were faked, like the moon landing conspiracy theorists.

From your own example which I presume is about the Iraq war, there is nothing that an ordinary citizen can do to prove that powers in the US, UK, and Kuwaiti governments (and Iraqi agents working in favor of an attack on Iraq) falsified the evidence they presented to the public for a compelling argument for invading Iraq without relying on sources that cannot be verified by an ordinary citizen without access to the journalists/non proliferation experts/government agents responsible and nothing an ordinary citizen can do to prove US claims that Iraq had an active WMD program and mistreated Kuwaiti babies as claimed at the time (by what we know now was a state actor who lied for Kuwait) in congressional testimony after the Iraq invasion of Kuwait. Even the New York Times and that one reporter famously lied flat out about Iraqi weapons programs and abuses in the build up to the war. But there were plenty of people who were investigating the claims of Iraqi WMD who said there was nothing there and that led to a lot of people protesting against the war. I don't see any investigators for the FBI or NSA coming out and being a whistle blower and saying this Russian thing is faked, on the contrary, the only whistle blower who came out so far, actually showed the internal NSA documents that said the USA elections was under cyberattack by Russia. The most reputable guy who came out for the Iraq WMD was possibly Colin Powell. Less well know is that he was also the first US Army investigator who looked into the My Lai massacre and he found that nothing was done wrong, so he was kind of used to this type of thing by then. It took a second Army investigator to reveal what happened there.

Or more contemporaneously there is nothing a citizen can do to prove that the recent Russian spy who was released to the UK and attacked was poisoned with a Russian only sourced nerve agent. And if it was the Russian nerve agent (that the Russians offically proclaimed to have destroyed all stockpiles of), there's no way for a citizen to prove it was Russian government behind it or that some other power was responsible for usage of it. I didn't vote either way on your comment, it just seems like an impossible standard.

I honestly don't think wanting to see verifiable evidence before forming a decisive opinion on something is anything near an impossible standard, especially since as you've noted, our governments and newspapers are known to lie to citizens. Anyone who's done any reading on the topic outside of the mainstream knows what you see on TV in the west is a slanted version of the truth at best. And yet, look how absolutely certain people are about their beliefs, but when asked to provide some of the hard-factual content they read to form this rock solid opinion, almost no one has anything other than a downvote. To me, this looks like some sort of a classic mania, and it's quite concerning.
> You people should pick your battles. It would help if you knew the battlefield first.

I am so glad you know more than the UK, EU, US etc governments who have identified Russia as the primary source of instability for elections.

And since when has this been an either/or scenario. You can focus on both Russia and China.

1) Facebook collects and builds a profile about you 2) Facebook allows third parties to target advertisements based on the profile 3) Advertisements are tracked 4) Browsing habits and advertisement tracking reconstructs who was targeted
I hadn’t thought of it like this before, but from a political POV everyone’s vote, whether they are a dole bludger or a quantum physiscist, are worth the same. So really, to win an election .. take that as you will. Identifying these people is a very profitable area.

Interesting side note .. in Australia we assign school funding based on the highest education received or wage class of the parent (classes A, B ... E or such).

I used to make fb apps, any app gets full access to fb's user graph as long as they request the relevant permissions.

Users don't comprehend what permissions they are giving to apps they run. A quiz site getting full access is not surprising.

Once an app has any amount of access the only thing stopping them from harvesting their own clone of your data is an agreement in the ToS that you won't store PII for more than x hours.

These rules are like the bare minimum to stop good actors. If you're a bad actor fb does not do a single thing to protect users from you. As evident in this report fb is also not above blaming the users for the hostile environment fb created and placed them in.

There must be countless copies of harvested fb data out there. My employer at the time once realized we were accidentally storing some PII permanently in a derived field. If good actors can't even keep above the law what do you think the ecosystem looks like in the shadows?

IMO we aren't having the right conversation with fb over how they mistreat our PII and we should loosen the definition of that term when companies like the one in the article can infer our political preferences from the innocuous bits of our lives we tag on facebook.

We should be asking why even an authorized API that can't stop you from copying the data doesn't count as a systemetized data breach.

> We should be asking why even an authorized API that can't stop you from copying the data doesn't count as a systemetized data breach.

Is your argument that no company should offer any developer APIs at all? It's impossible to stop apps from storing data that they have access to, given malicious intent.

This is like saying that the existence of the Google Calendar API is a "systemetized data breach" because an app could copy data from it once authorized by a user.

I'm not sure how we draw the line. But it should at least feel ethically itchy if ppl can use data you collected to statistically infer things normally considered private information.

This puts Google on the wrong side of the line, wherever it is, next to other big offenders - fb, twitter, linkedin.

To waffle less, I would absolutely be very cautious with who you give access to your gcal. You can tell a lot about a person knowing their schedule, who they meet with, where they meet, when they fly, etc. Lots on a calendar

It's one thing to use the friend graph to show in your app who else uses it. That's pretty legit. The other use case is to store it to some database and keep it there.

FB provides since ~10 years widgets for showing who else is liking xy. I know these Social Widgets are not so customizable and thus not pretty enough to match some custom design but at least they provide some safety nets.

Maybe Facebook could just provide more Social Widgets/CSS customizability instead of letting people write their own "Facebook Extensions".

They stopped most data access via apps in the 2014 clean up they did.

But yes, you are right that I’m sure lots of apps kept that data and sold it.

Minor point of confusion -- this article refers multiple times to a "data breach". ("...one of the largest-ever breaches of Facebook data...", "At the time of the data breach...", "...first reported the breach...")

As far as I can tell, there is no data breach, right? It sounds like CA got facebook data through an app they wrote, thisisyourdigitallife, which did some shady things.

Also, "The New York Times is reporting that copies of the data harvested for Cambridge Analytica could still be found online".

The link is: https://www.nytimes.com/2018/03/17/us/politics/cambridge-ana...

Anyone know what they're talking about? I haven't heard of any 50-million-profile data dump, and I really like collecting corpora...

Exactly it's confusing how they're using the word data breach like something wrong happened.
It wasn't a breach as we know it.

Basically FB gave the data away. Apps have access to the data but they're not allowed to give/sell it to third parties. In this case the rules were ignored. Probably many other companies with API access have also ignored the rules. In this case FB didn't make much of an effort at all to prevent it from happening so it's reasonable to assume the practice is rampant. There's likely many copies of large parts of FB data out there (left on laptops on trains or on unprotected FTP/HTTP servers, etc.).

It's a 'breach' from the users' perspective.

Nothing new about Campaign Data companies. In fact knew of a South San Francisco company called 'Campaign Data' in the '90s that ran a SAS on DECUnix. They collected voter registrar data from counties for targeted voting campaigns. Usually for passing more restrictive laws or raising taxes. Like raise property taxes for schools; send flyers to renters with kids and send nothing to homeowners with no kids. It was always in a way, unfair and evil.
This is hardly news... Facebook ads cannot target specific users, they only target audience segments.

It's actually far easier to create ads targeted at segments with likely political beliefs, and Marketers have access to aggregate numbers of niche segments today.

There's no need to scrape people's profiles or get down to the individual level.

EDIT: As more is revealed about Cambridge Analytica, this clearly is "news" that requires more investigation.

My original comment was more in response to user vs segment level targeting.