Naked Security

Facebook has booted tens of thousands of data-grabbing apps

400 developers have been naughty with user data, noncompliant with policy, and/or have ignored Facebook's audit, it says.

Facebook announced in May 2018 that, to date, it had suspended 200 apps in the app investigation and audit it promised after the Cambridge Analytica scandal.

A few months later, in August 2018, it announced that the number of yanked apps had doubled to 400.

On Friday, Facebook updated its ongoing App Developer Investigation, which it launched in March 2018.

It said that the current roster of castigated apps is in the “tens of thousands”… or long enough to make a swing out of if you tie them together to fly into Congress, next time you get hauled in to chat with lawmakers about data-scraping, election security, Facebook’s role in society, censorship of conservative voices, regulation, an impenetrable privacy policy, racial discrimination in housing ads or what have you.

Facebook didn’t give specifics on the exact number of suspended apps, but it did say that they’re associated with 400 developers. Ime Archibong, VP of Product Partnerships, said in the post that all those tens of thousands of apps aren’t necessarily all creepster apps. Many, he said, weren’t actually live and were instead being tested when Facebook suspended them. Others simply never bothered to respond to Facebook’s audit, so out they went.

Archibong:

It is not unusual for developers to have multiple test apps that never get rolled out. And in many cases, the developers did not respond to our request for information so we suspended them, honoring our commitment to take action.

The “commitment to take action” was declared in March 2018 by CEO Mark Zuckerberg. In a Facebook post, he announced a crackdown on abuse of Facebook’s platform, strengthened policies, and pledged an easier way for people to revoke apps’ ability to use their data.

There were a number of other changes made at that time, including disabling the ability to look people up by their phone numbers or email addresses, plus cracking down on third-party data access by removing apps’ ability to see a range of personal information about users.

In Friday’s post, Archibong said that some of the tens of thousands of suspended apps have been banned completely, for a range of reasons, including that they slurped up Facebook user data, then made it publicly available without protecting people’s identity.

Which brings us to Archibong’s reference to Facebook taking legal action “when necessary.”

It found it necessary in May 2019, when it filed a suit against Rankwave, a South Korean social media analytics firm, alleging that the company abused data obtained through Facebook’s developer platform, that Rankwave refused to cooperate with the platform’s mandatory compliance audit, and that it likewise spurned Facebook’s request to delete the data.

In Archibong’s post on Friday, he also pointed to other contexts in which the platform has gone after app developers. Last month it went after two app developers – LionMobi and JediMobi – for putting apps onto Google Play that allegedly installed malware on users’ phones. The malware then injected fake user clicks on Facebook ads, making it look like the phones’ owners had clicked on ads that they hadn’t actually touched.

Facebook says that it refunded advertisers for the phony clicks. In a separate case, in March 2019, it sued two Ukrainians – Gleb Sluchevsky and Andrey Gorbachov – for allegedly scraping private user data through malicious browser extensions that masqueraded as quizzes.

There’s more to our app-dev eyeballing

Stay tuned, there’s more to come, Archibong said:

We are far from finished. As each month goes by, we have incorporated what we learned and re-examined the ways that developers can build using our platforms. We’ve also improved the ways we investigate and enforce against potential policy violations that we find.

Beyond the investigation itself, Facebook says it has improved how it evaluates and sets policies for all developers that build on its platforms. It has also removed a number of application programming interfaces (APIs), the channels that developers use to access various types of data, and has fattened up the teams dedicated to investigating bad actors and to slapping, or litigating, them into shape.

That sets the stage for Facebook to annually review every active app with access to more than basic user information, Archibong says, and to pick from a range of enforcement actions when it finds violators.

For one, Facebook’s cooked up new rules to more strictly control a developer’s access to user data:

Apps that provide minimal utility for users, like personality quizzes, may not be allowed on Facebook. Apps may not request a person’s data unless the developer uses it to meaningfully improve the quality of a person’s experience. They must also clearly demonstrate to people how their data would be used to provide them that experience.

Archibong said that Facebook has also clarified that the platform can suspend or revoke a developer’s access to any API that the developer hasn’t used in the past 90 days. Beyond that, it’s barring apps that request what it deems a “disproportionate amount of information from users relative to the value they provide.”

We can expect yet more app developer requirements to come out of the company’s recent agreement with the Federal Trade Commission (FTC): the one from July 2019, in which Facebook was fined $5 billion for violating a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.

The FTC said at the time that the new, 20-year settlement order would overhaul how Facebook makes privacy decisions and boost accountability at the board level. It called for the establishment of an independent privacy committee of Facebook’s board of directors, thereby removing Zuckerberg’s “unfettered control” over decisions affecting user privacy. The order also requires Facebook to make third-party developers annually certify their compliance with its platform policies. Archibong said in Friday’s post that any developer that doesn’t comply “will be held accountable.”

A bit of perspective

Facebook didn’t bumble into this mess by accident, critics have stressed. As Senator Ron Wyden told the New York Times on Friday, it was asking for it:

Facebook put up a neon sign that said ‘Free Private Data,’ and let app developers have their fill of Americans’ personal info.

App developers aren’t simply a plague of privacy locusts sucking Facebook dry without its permission or its knowledge. Rather, Facebook has apparently used access to user data sometimes as a carrot, and sometimes as a stick, depending on whether a developer or company was seen as a friend or a rival.

This was illustrated in December 2018, when private emails from Facebook staff were published by the UK Parliament’s Digital, Culture, Media and Sport Committee as part of its inquiry into disinformation and fake news. One example: after it limited the data on users’ friends that developers could see in 2014/2015, it kept a whitelist of certain companies that it allowed to maintain full access to friend data.

Facebook said its investigation into app developers, their use of user data and their adherence to Facebook policies, will continue.
