by esseti on 10/8/20, 12:12 PM with 26 comments
by fareesh on 10/8/20, 4:58 PM
A lot of game/contest mechanics relied on things like posting on friends' timelines, or your own timelines, etc.
In my case there was no real interest from our customers in taking the data and doing something with it, but if the intent was there, it could have very easily been done.
Furthermore, when my firm did security and pentesting projects, we routinely found exploits that could eventually lead to us getting the access tokens and secrets for their user database, or the app token and secret. If I had to guess, 70% of the game/contest applications that we audited had these vulnerabilities after they had been launched, leading to companies approaching us, panicked, asking for help with users who were cheating. Many were aghast to learn of what could have potentially happened over and above rigging the leaderboards.
It's not enough that there were apps out there that had the ability to get this data. It's also not enough that there were apps that wanted to get the data intentionally. You also have to consider the number of apps that had this data and had weak security. Someone could have just broken in, taken the keys, and taken their users' data that way. Nobody would have known. At best it may have emerged in Facebook's "auditing process" in 2017 that they conducted to see which apps performed these kinds of queries - does anyone believe they did this in good faith and disclosed 100% of such apps which looked at social graph, friend posts, messages, etc.?
I am pretty sure the Obama 2012 campaign did something similar with their outreach Facebook apps too, as it was reported in the press at the time (https://www.theguardian.com/world/2012/feb/17/obama-digital-...)
Most users were uninformed and blindly hit accept at the permissions screen because they could win a car or an iPad or a Playstation by entering the contests.
In my view, the entire story was exaggerated and turned into a public spectacle, for very obvious reasons that nobody likes to admit to.
by esseti on 10/8/20, 12:13 PM