> On one hand, forcing Facebook to open up its social graph would have serious privacy implications.
There shouldn't be much additional privacy concern with a Facebook user saying "I trust user Alice and service example.com, so please send all my posts to alice@example.com using ActivityPub."
Similarly, Alice should be able to tell example.com that she trusts the Facebook user Bob with ID 123456789, so that example.com sends her posts to Facebook addressed to Bob (perhaps authenticated with a pre-shared key that Bob emailed her).
Once users are free to move between providers, those providers can compete based on their level of privacy and security, which right now Facebook has little incentive to improve.
I'd agree with you in theory, but in practice, those API endpoints end up being exploit vectors for data leakage in various ways - either through actual security vulns or through the security vulnerability that exists between the monitor and the chair.
It's worth noting that part of Facebook's culpability regarding Cambridge Analytica is that the CA "personality survey" was able to gather "personally identifiable information such as real name, location and contact details" of participating users, and also "the app did the same thing for all the friends of the user who installed it".[0]
I suppose that a lot of personal data could be gleaned about someone (and their friends) from a rogue ActivityPub node reading the posts that were federated with it, but people would be suspicious if, for example, Mastodon suddenly started asking users for their phone number, Social Security number, and a picture of their driver's license.[1] And people would be very unlikely to sign up to a node which was actually run by Cambridge Analytica, right?[2]