Cambridge Analytica used the Facebook API to ask users to share data about them & their friends. Stupid users agreed to that.

The argument here isn't that Facebook is playing fast and loose with tracking & user data (which would be a legitimate argument), it's that Facebook is allowing people to grant access to their data to third-parties and Facebook should somehow be faulted for that. Facebook is a neutral carrier here, and they acted on behalf of the user - he decided that Cambridge Analytica should have had access to his data. Facebook should not be forced to somehow be the arbiter of this.

This lawsuit will give even more reasons to platforms to restrict API access which would impact legitimate usage much more than nefarious abuse (stupid people will always find a way to screw up, API or not - if the API is gone they'd happily enter their Facebook credentials directly instead).

According to Facebook, this is not what happened and CA's collection of this data represented a breach in their platform policies [0]:

In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica ... He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.

[Kogan] did not subsequently abide by our rules. By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies.

0 - https://about.fb.com/news/2018/03/suspending-cambridge-analy...

> The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Users knowingly _agreed_ to share their data with Dr. Kogan. Dr. Kogan was contractually prohibited from passing that information on to third parties (Cambridge Analytica) but did so anyway and was banned as a result.

Consider the alternative: the laptop you bought on Amazon catches fire and burns down the school of your daughter. The school contacts your insurance, who now has to contact a component supplier in Shenzen (who supplied the power supply), and sue them under Chinese law, instead of Amazon.

1. Proprietary customer information, privacy, just generally not talking.

As an anecdote on this topic.... I recall having a long necked jacket as a kid where the zipper wore down heavily around the collar since the neck was so long that it ended up being too tall for normal day-wear - and thus a lot of unnecessary stress was put on the zipper mechanism when it was partially zipped up. After a few months the teeth had weakened in that area to the point where the zipper would frequently come off the tracks there. In this specific case fitting a jacket with a four inch collar caused a zipper failure - the zipper was probably cheaply made anyways but if the cut of the jacket had been different there likely wouldn't have been an issue.

Can you sue them for this, though? Your contract would need to say "if I personally turn my data over to a third party, that third party will not misuse it". And in the unlikely event that it did say that, misuse of your data by the third party still wouldn't violate the contract, because... the third party is not party to the contract.

Even if you don't buy that argument, at the very least the people who were FB friends of people who sent shared their lists with Kogan should still be able to sue FB, as they had absolutely no relation with Kogan or his app and still some of their data ended up sold.

FB doesn't just hand users' data over without user confirmation... Users see UI permission dialogs and have to explicitly agree to it first (similar to an iPhone app asking for permission to use your microphone or location -- how is Apple responsible if said app gets hacked and leaks your microphone recordings?).

Facebook is either:

1. a neutral party, acting on the wishes of its users, who asked to grant CA access to their data. The victims are users and the aggressor is CA for misusing data.

Or:

2. a victim party, after CA went against their policies. CA is the aggressor in this scenario, and the users are not part of the equation.

This is the problem (quote from op article). Facebook collected data on people and than shared this data to third parties without their consent. That friends gave consent to this has no relevance. They don't have the right to do so and they didn't do it themselves. Facebook did - on the request of CA (or rather that 'researcher'), with the approval of friends.

If you share your friend's data, it's primarily your fault.

You know your friend's email, and you decide to share it with someone else.

Now I agree that FB should bear some responsibility since it's such a large platform.

But it's you who is mainly at fault for sharing.

If you shout your friend's email in a hotel's lobby, you wouldn't blame the hotel, right?

I wouldn't. But if my friend went to reception and told the staff "Hey, you know my friend in room 101? Please share their mail with the stranger in room 301. Thank you." I very much would.

You bear no responsibility at all?

A better example would be "could you tell the stranger in room 301 that my friend's email is ABC?"

Then, later, your friend sue the hotel for telling the stranger about their email.

Yeah.... You should at least bear the majority of responsibility here, no?

No but your friend would be quite in the right to blame you if they got threatening emails as a result of it. Depending on whether actual harm came from the act and whether you shouted their email with an intent to cause harm (even a different harm like a cascade of d** pics) then you could be held liable for damages.

If you act in a manner intended to cause harm and harm results - even if not in the manner you intended - then you can be held liable. Greasing a sidewalk so that folks will fall on their ass for the giggles and then causing someone to break their spine still leaves you liable for damages - even if you were unable to foresee the potential outcome of someone breaking their spine.

The hotel lobby example is likely to not result in liability due to difficulties in showing you acted maliciously but there certainly is a possibility there.

Sure, but, at some point, the users need to take blames for their own actions too.

"I'm too stupid" can't be the defense for everything.

Also, no need to set up a false dichotomy. There are other possibilities. Usually, figuring out liability is a function of the court, thus this legal action. You'll probably get the answer to your question when the suit has been concluded.

Asking for a victim to find the "root cause" of a problem is too much to ask. If X wronged Y causes a wrong to happen to Z... the legal system is largely designed for "Z sues Y" then "Y sues X".

Asking for Z to sue X directly is asking for too much. There's no way for Z to even know that X exists.

Other than the time that X explicitly and directly asked Z for access to their data, you mean.

This isn't similar to a case where I stored my users' info in a database on Cloud Hosting Service Inc machines, CHS's lax security allowed the data to be hacked, and I am now accountable to my users because I used an insecure service. Facebook's role in this situation was, literally speaking, a permissions broker between the end users and Dr. Kogan. The end users granted Dr. Kogan permission with every opportunity to learn about Dr. Kogan.

Edit: Correction that users had a chance to learn about Dr. Kogan, not CA.

Asking for Z to sue X has a number of issues:

1. Z doesn't know Y's policy towards X. Is the problem truly Y's fault or X's fault? "Z sues Y" doesn't necessarily implicate Y as the root cause, it just proves that Y was "along the way" towards the root cause.

2. Y sues X is a totally separate question. Consider the case where a car-parts company creates a suspension ("X"), who sells their suspensions to Ford (aka: Y). Sometime while customer "Z" was driving, the suspension fails. Z sues Y for a million bucks to cover the cost of back surgery or something. Y then has to argue with X to figure out who was responsible for the suspension failure. Depending on the agreements / contracts Y could be the root cause, or X. (Maybe it's Y's fault: if Y was using the suspensions incorrectly and X can prove it, then the Y-sues-X case will fail).

In this #2 case: if Z sues X directly, Z will fail (because X is not at fault). Its safer for Z to sue Y... and its also the morally sound way to move things forward.

----------

For better or worse, Z (the typical user) has a relationship with Facebook (Y). Cambridge Analytica is X. Whether X or Y is at fault is still ambiguous from Z's perspective (no reason for Z to come up with legal arguments and determine the "right person to sue").

All Z has to prove is someone wronged him, and that Y is the next person up the chain. Let Y's lawyers figure out if Y or X is responsible. Z just needs compensation for Z's issues alone.

That's because you keep making points that ignore that the end users knowingly granted permission to Dr. Kogan.

If I buy a car, I don't expect the transmission manufacturer to be part of the specs or shopping process, so yes, I would sue Ford. But if Ford says "comes with Goodyear tires", and then one of those tires proves faulty, I'll be suing Goodyear, not Ford.

But if you really want to use comparisons, let's use one that's appropriate:

I purchase an iPhone from Apple. In this scenario, Apple has a policy that app developers can't share data with 3rd parties. I download an app and grant it permission to my data. The app developer then shares that data with someone else. Who is at fault? Who is the victim? Should I sue Apple? Should I sue the app developer? Can I really sue anyone considering I myself downloaded the app and granted it access to my data?

Cambridge Analytica asked user A for permission. Facebook allowed CA to gather information about B (A's friend), and B NEVER provided consent. B now is wondering who to sue: Facebook or CA.

My opinion: (IANAL). B sues Facebook. Then, Facebook sues CA.

This leads to a few results:

1. If B loses its case against Facebook, the game is over.

2. If B wins its case against Facebook, Facebook continues and sues CA.

3. If Facebook loses vs CA, then the game is over and Facebook is found to be at fault. If Facebook wins vs CA, then CA was at fault.

4. If CA was at fault, then maybe CA will then sue its consultant over the issue, and it may continue. So on and so forth until the root cause is discovered, wherein the game ends.

Simple process. At least... simple if everyone could afford the proper legal process. B probably can't afford it and many "Bs" need to gather together for a class action lawsuit and all that jazz.

The hardest part of the puzzle is what exactly B would be suing over. It feels like B was damaged as a whole, since Facebook leaked B's information to CA. But its hard for me to formalize the complaint. Then again: that's a lawyer's job to find out.

B sues A for sharing their information, then A sues Facebook, then Facebook sues CA. That would be the full cycle, no? If B is allowed to skip suing A in favor of suing Facebook directly, why shouldn't they also skip suing Facebook and sue Dr. Kogan directly? Or maybe it doesn't even get to go that far: B just needs to sue A, Facebook gets to sue Dr. Kogan, and that's all we see.

B interacts to A through Facebook, do they not?

If Facebook wants to sue A as the next leg in the chain, they're certainly welcome to try. That's the joy about just following the edge of the graph: its Facebook's job to figure out if A is more at fault (and should be sued) or if Cambridge Analytica is more at fault.

This "chain" methodology further demonstrates which lawsuits are likely fruitless. The concept of Facebook suing A, or even Cambridge Analytica for suing A (if it goes that far) is clearly improper at face value. Breaking things up one-step at a time allows us to seek justice.

IE: the entire point of the justice system.

And what impact does that have?

> its Facebook's job to figure out if A is more at fault (and should be sued) or if Cambridge Analytica is more at fault.

No, it's not Facebook's job to figure that out. If this was an investigation, then it would be the investigating office's job to figure out that. But it's not an investigation, it's a lawsuit, an accusation by one party against another party. The only thing to figure out here is if the accusation is legitimate. This thread started with the GP remarking that the accusation shouldn't be found valid.

To say that it should be found valid because the accused can then separately try to sue another party is not a proper evaluation of the accusation, nor is it demonstrative of a productive legal process (at least in my opinion), nor is it "the entire point of the justice system".

B shared some data with Facebook. That data has somehow leaked to CA, which B never agreed to. Without doing any investigation of their own, B can pretty easily accuse FB of losing their data.

FB can defend itself by saying B shared their data with A, and it is A who misplaced it.

Or, it could be ruled that A could not be expected to understand that they are sharing non-public data about B with a 3rd party, so the ball could be back in FB's court. Perhaps FB should not have offered this option to A at all.

Or perhaps that was well withing FB's and A's rights, and the problem instead is that A never agreed to share this data with CA, they only shared it with Dr Kogan.

In this case again, it could be Dr Kogan alone who is at fault for sharing the data improperly, or it may also be FB's fault for not vetting app developers enough before giving them access to user's data.

Of course, there could also be many more nuanced decisions as well. But for B, the chain can only really start with suing FB - the only entity that B shared their data directly with. B can't know whether it got to CA through A or through D or E, or whether FB was hacked and the information was stolen from them etc., and they have no right to demand this information from FB outside of a lawsuit.

B consented to sharing their information with A (by accepting a friend request or making specific data items public-readable), who granted Facebook the right to share that information with (edit) not CA, Dr. Kogan.

> Edit: Correction that users had a chance to learn about Dr. Kogan, not CA.

The end users granted Facebook the right to share the friend data that their friends had granted them access to.

Is there a screenshot of the 'Authorize App' screen at the time? Indeed, what did the fine print say?

I can draw a chord chart of my friend graph using only user IDs and names.

You can analyze my personality with what data that I explicitly grant access to?

https://i.imgur.com/nti4ShY.png

The print wasn't very fine; it was very clear about what information was shared.

Indeed, where is a screenshot of the 'Authorize App' consent dialogue that users were presented with.

- A agrees to sharing info with B by accepting a friend request. Explicitly per the terms of service, and implicitly because technically anyone can take a screenshot or a photo or a video and share whatever's shared with them (even in DRM'd systems with limited key distribution).

- B authorizes C to retrieve the data available to B.

- C then reshares, sells, distributes, or otherwise transmits information to D.

F enabled A to share data with B, given explicit user consent. F enabled B to share data with C, given explicit user consent.

If you don't want people to know things, don't put that information on the internet; and don't authorize friends to share information you haven't volunteered.

Ethically, if I tell you my email address, and you sell my name + email address to advertisers without telling me, you've done me wrong. You violated my reasonable expectation of privacy. I have the same expectation if I make a private post to facebook, visible only to my (curated) list of friends. That content is for your eyes only.

Violating that expectation probably has no repercussions under US law. But it is almost certainly illegal under the GDPR. I installed Clubhouse the other day and clubhouse asked me to share my contacts with the app. Saying yes without checking with everyone on my contacts' list was probably illegal in europe. (Rightfully so, in my opinion.)

In this case, A shared information (posts, etc) with B (A's friend) on Facebook. B authorized app X to access their information - which in turn passed that information to Z (Cambridge Analytica) with neither A nor B's consent. Things that went wrong here:

- B should not have been able to pass A's information to a third party (X) without A's explicit consent.

- X should not have passed information to Z (Cambridge Analytica)

- Facebook shouldn't have built a platform which permitted / encouraged such obvious and blatant abuses of privacy. If a user told facebook that some content was private, facebook violated user's trust by sharing that information with a random 3rd party app. B's consent isn't relevant wrt A's data. (Permission isn't transitive.)

Who's legally at fault here? I have no idea, and I'm glad the courts exist to figure all this out.

Meanwhile, our technology is utterly failing user's expectations of privacy - which, yes, actually exists in much of the rest of the world.

> If you don't want people to know things, don't put that information on the internet

What a ridiculous sentiment. No. I want to use the internet and have an expectation of privacy. I will not settle for mediocrity so that facebook can make more money.

BTW, the SOLID project believes that data portability is a privacy advantage of their competing, open source federated system.

If you don't want people to know something, don't put it on the internet; regardless of TOS.

We shouldn't expect or rely upon information asymmetry holding over time.

Facebook certainly required users (who are not paying customers) to sign data sharing agreements.

Facebook did not commit the crimes of Cambridge Analytica (Steve Bannon, Trump's campaign guy; Ted Cruz). Facebook was fined $5b. Cambridge Analytica went bankrupt and Nix is barred from serving on the board of any UK company for 7 years.

Facebook's expenses related to Russian misinformation campaigns, Facebook's expenses related to the administration's denial of ongoing foreign information operations paid for by advertisers who don't want a spot next to sleaze.

Even so you wrote yourself that users shared data about their friends. Why does Facebook allow people to share the data of others who didn't agree to this?

I have names, email addresses, phone numbers, birthdates, email contents, and more for most of my friends. There's no centralized arbiter of this information; I have the ability to share this data in any way I choose.

And I do! I switch email providers, install apps on my phone, use calendaring systems, tell our friends where to meet for surprise birthday parties, etc. I don't need your consent for any of it, because even though the information may be about you, we understand that it's "my" data.

Inserting Facebook in this process doesn't really change the dynamic.

Not really; it's their data, and you're allowed to use it.

> Inserting Facebook in this process doesn't really change the dynamic.

Yes it does, because while you (the individual) are allowed under GDPR to use the personal data of your friends for personal purposes, that doesn't automatically entitle Facebook to use it for their purposes. Only on your behalf for your purposes.

Let me shed some light. Facebook/Google have nothing to do with it except they are breaking the law because of you that have planted data from you friends without their consent.

Following the GDPR, the one who gave personally identifiable information (PII) to the Google/Facebook/whatever, makes HIM/YOU/HER responsible for whatever they do with it.

(Or in other words - if you are gathering the personal data on your website for a 3rd party, you better be sure that the 3rd party has a strong legal bond with you regarding the information you have "traded" to it or you might have troubles.)

Even if "your friend" has given his/hers PII to you, you dont have any consent to share it with whatever 3rd party application you are using and is stealing your data based on "I Agree button". This is making you, as a controller of PII responsible for his PII. If the 3rd party application ("Facebook/Google/...) took it from you for whatever "reason", those information were not yours to share and you have zero comfort in not being given consent. You have decided, for your friend, that you will share his/hers information with 3rd party application. Due to negligence (you didn't read the "I Agree" text, you didn't care (negligence),... whatever. It really doesn't matter.)

You have two troubles here.

- The application was violating GDPR. Clearly. Without any doubt. They slurped in the PII data from your friends which gave no consent. They might argue that you have misleaded them. In this case all guilt is on you. Unless they are well known for their acts. Which against paints a big red text "negligence" over your forehead.

- YOU were violating GDPR by not taking care for PII of your friend and giving it to 3rd party without consent, approval, anything ("Hey I just took his phone number").

Not only can 3rd party application be held guilty of stockpiling PII without consent, in same manner can YOU be guilty of giving them PII data (oh yeah, "I Agree" button) and your "friend" has all the law support in EU to sue you for this - EU wont, they have larger fish to fry but your friend can and might.

[1] - GDPR defines a controller as: >>> the natural <<< or legal person, public authority, agency or other body which, alone or jointly with others, >>> determines the purposes and means of the processing <<< of personal data

You do need content though, if I provide my email in a social setting I implicitly give consent to birthday parties etc. I didn't consent to you selling my email as part of a bundle. If people found out you were providing data to random people at least a stern talking to would happen.

Under GDPR it works this way for business too, just because I gave you data for a specific purpose doesn't mean you can do whatever you want with it. I'm not aware of other jurisdictions.

GDPR also prohibits me from making a list of my friends' addresses and then trading that list to the Girl Guides in exchange for biscuits.

Freely sharing your friends' data without their permission may be a GDPR violation.

> because even though the information may be about you, we understand that it's "my" data.

That's just not true. Why would you think that?!

Absurd, how would an email provider or social network even work if you couldn't enter your friends contact information.

You're joking, right? Ever played a video game before? Add by user name. Share a link... There are tons of options without sharing real-world data.

If you go back to the Wild West of the Facebook apps, shortly after platform launch there was an app for everything - apps for fancy birthday cards with birthday reminders, as well as polling apps telling you which one of your friends is the biggest cheesecake lover.

Every piece of data can be spun into being essential.

Which is what CA has built.

Not just them - any survey app claiming to help you find out “which Game of Thrones characters you and your friends are” can arbitrarily claim those data points as necessary.

An app to help you find out "which Game of Thrones characters you and your friends are" can arbitrarily claim those data points, and then use them to discover which Game or Thrones character you and your friends are. On that case, even storing the data looks like a violation, even more sharing it with anyone.

This goes a bit sideways on Facebook in two main ways, I think:

1. People are way too fast and loose with who they keep as "friends" on Facebook

2. Facebook has way too much data to warrant a blanket "Yeah, please share -all- of that at once" agreement. Something more granular, like "The phone numbers of your friends who have themselves granted permissions for their friends to share their numbers" would be more reasonable.

    In a very limited way, you kind of expect this
    (your friend giving your number to someone who they 
    think you'll get along with, or whatever).

"Why did Facebook allow" - they changed the practice on friends' data sharing a few years ago.

Every app that implores you to import your phone contacts does this.

Not reading a 1000 page EULA doesn't make users stupid. It makes Facebook predatory.

At that point, why just stop at friends? Why not go to any transitive relationship with the argument "well, you trusted that person, so it's just like them sharing the data you already gave to them". Of course, the absurdity of that is that one person can share the whole world. I do not think this is a slippery slope argument at all, given that FB already went halfway down the slope before there was outrage.

I despise Facebook, but I really don't understand this whole Cambridge Analytica thing. There doesn't appear to be an endgame for those criticizing Facebook over the ordeal. Of all the despicable things Facebook has done, why is this the one that everyone clings to?

In the end, it's still Facebook who handed over my data. That my friend decided that was OK doesn't change much.

Unless there's a major security vulnerability, you can only delegate access to data you have access yourself. So your friend did the equivalent of giving Cambridge Analytica your data - the technical implementation of it (as to whether CA got the data off your friend's phone or from Facebook directly) doesn't really change the outcome.

https://www.zdnet.com/article/facebook-sues-two-chrome-exten...

That is false:

https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...

I wrote this comment for people in this conversation to see. Yet you allowed Google Chrome access to the comment. You let your adblocker see it. You let lots of software companies scrape it. You shared the data with a wider audience than I intended.

Sure, the argument doesn't hold much water on the public internet. But now consider HN was an invite-only forum, in fact an invite-only forum just like my facebook page...

I think a lot of people are forgetting that you were also able to get tons of data on a user's friends, just from that user accepting. No consent on the friends part. If you and I were FB friends and I accepted one of those requests, CA now also knows your profile info and likes.

Do you think if they knew the full scope of Cambridge Analytica's work they would've allowed them to access the data?

> Do you think if they knew the full scope of Cambridge Analytica's work they would've allowed them to access the data?

Honestly? I'm not sure - a lot of people already dismiss privacy concerns and ad tracking as "I've got nothing to hide" or "it's just ads, no big deal". Unfortunately I wouldn't be surprised if people opted in even if CA was fully transparent with their intentions.

However, CA even broke Facebook's API terms of use, so at least if CA was transparent Facebook wouldn't have allowed them API access to begin with (though I'm sure they would've worked around that, with malicious apps/browser extensions or just asking for raw Facebook credentials, bypassing the API completely).

There's even a Gaping Void cartoon memorializing the sentiment: http://vhirsch.com/blog/2011/10/06/walled-gardens/

Now, sure. Less so in 2010 or whenever.

To the best of my knowledge CA abused a free feature (API access) designed for legitimate usage to collect user data for nefarious purposes. Facebook was acting as a neutral carrier here and respected the user's intention of sharing their data with CA.

Hilarious.

The Cambridge Analytica scandal is in regards to a nefarious 3rd party using Facebook's pipes in a way that violated Facebook's policy. There are emails to show that Facebook knew about this, and did not act to remove CA's access to said pipes (no, [1] there are literally emails about this that were found during discovery).

You even mentioned it

> To the best of my knowledge CA abused a free feature (API access) designed for legitimate usage to collect user data for nefarious purposes

Yes. They abused it. They abused it and were allowed to continue abusing it because Facebook's business model is data, not user privacy. You're blaming CA for what FB quite literally (and I mean quite literally) allowed them to do, told them to stop doing, then turned a blind eye when CA _continued_ to do it.

Again. Not my opinion. It's a matter of factual record.

Links - https://www.businessinsider.com/facebook-emails-show-workers... - https://www.nbcnews.com/tech/social-media/newly-released-mes...

Edit: Formatting

It's not clear to me that they shouldn't be faulted. How many people read terms and conditions? How many people lack the technological literacy to understand what it means to share their facebook data with third-parties?

It seems to me like we should make our systems robust to the average user, especially systems as big as Facebook.

> Facebook should not be forced to somehow be the arbiter of this.

I kind of agree, but at the same time Facebook has some moral responsibility as the holder of the data. Perhaps it's not on Facebook to implement regulatory mechanisms, but if these mechanisms are implemented (e.g. by the "State") then it should probably be on Facebook's dime.

I'm not trying to argue here, but I see this argument pop up often when discussing big tech and user data. I'm curious why the tone is so different when it comes to mortgages or auto loans, for example. It seems society is content with the notion that I must do my ow due diligence when buying a home, but for whatever reason that responsibility seems to slide away when I'm dealing with social media. Why is that?

To clarify, I'm being sincere, not argumentative. I'm not a normal internet user and never have been. I haven't been on social media for a decade, use all the ad blockers, and so on.

If you are sincere, you should compare more people trying to make payday loans illegal with the fight against Facebook's EULA. Banks have always showed much more diligence to receive meaningful consent for a mortgage than Facebook even comes close to. With Payday loans, a predatory lender is trying to rope someone into a contract and then wants to use the courts to extract much more money out of individuals knowing that the individual may be so far in debt that they have no more disposable income. There are many people who would argue that such things should be illegal (or already are) in the same grain as loansharking. Once upon a time people signed contracts whereupon they became slaves or indentured. Clearly not all contractual terms should be honored by a just society. Facebook is seen by some as closer to the predatory lender than a typical mortgage provider. People are free to disagree with where to place the line, but clearly society places the line somewhere on the acceptability of contractual terms.

Well, for one afaik mortgages and auto loans are regulated and have been for a long time. They're also simpler to understand for _most_ people, since most people interact with money daily, they see their income, they understand interest, etc.

Most people don't need to understand how banks trade mortgages and such because in all likelihood, well except in 2008, it will only affect them marginally.

I suspect that most people similarly only have a very superficial functional understanding of data. They see other people's data daily, they understand that if they post something, other people will see it.

Where this differs is that, at scale data is not well regulated, and can affect users much more directly and non-marginally, in non-obvious ways. Targeted ads, political manipulation, identity theft, etc.

Counterpoint: I'm not content with opaque mortgage or auto loan terms (although my last auto loan was actually quite simple). I don't think you can generalize how "society" feels in this way.

This also happens to be a recent hot button issue. If you talked to someone in, oh say, late 2008, mortgages might've been on the front of their mind.

That's a legitimate and good question.

And the answer is that the mortgage industry is highly regulated, and so there are things that the federal government demands (if we're talking about the U.S.) and additionally that states demand. So if you sign a mortgage paperwork in my state, for example, there are Riders that have to be provided. Same with signing up for a credit card. One page information sheets MANDATED by the government that the consumer gets to see, before having to sign contracts.

You don't need to be a lawyer to not get screwed.

Another good example. Residential leases are long, technical contracts. However, the state law overrides what's in it. So even if someone signs something that violates their rights, it won't apply. In some cases, the landlord can be sued for damages. Additionally, Riders are often mandated by the state that the landlord should provide, that summarizes rights.

The problem is that individual user data privacy is NOT regulated.

The lack of regulations and laws are why we're all arguing right now.

Anyway, You are making an argument for regulations requiring disclosures, like in mortgages and nutrition labels, not an argument that Facebook is at fault for letting users interact with 3rd parties, which could have been a browser extension that scraped the same data that the FB API provides.

CA lied to both their users and even to Facebook itself (I think they breached FB API's terms and conditions), why should it be Facebook that's at fault?

In your argument, if a car is used in a robbery, should the car dealership or manufacturer be also at fault, even though the manufacturer had no idea this particular customer was going to use the car for malicious purposes?

I'm not saying CA shouldn't be held accountable, I'm saying Facebook also has part of the blame.

Can we not do this, please? People are being manipulated like never before. Almost anyone is susceptible.

Cambridge Analytica may have lied about their intentions, but when requesting access, the Facebook consent prompt is very clear about what data would be shared. Why should Facebook be on the hook for CA's lies?

I think that argument is fatally flawed.

The issue with all these user data cases is that the license between the user and Facebook does not restrict how Facebook can use the data. Not simply the data the user submits[1] but the data that Facebook involuntarily collects from the user.

1. This always seems to be how outside observers define "the user's data". They believe it is the data (e.g., photos, etc.) that the user has submitted to Facebook. Facebook may be an optimal place to store photos, etc. Regardless of whether that is true, that is not what is at issue. The issue is what use Facebook is permitted. Can it use the data a user submits any way that it chooses. Yes, it can. Can Facebook collect data on the user, based on their usage, and other sources. Yes, they can. The user has no control over how Facebook uses that data. This is the "loss of control".

It is not always concerned with "transfers" of data, necessarily. It is concerned with how Facebook may use the data it receives from users (knowingly/voluntarily or unknowingly/involuntarily) to support its business. Users pay nothing to Facebook so obviously the data, Facebook's primary asset, is going to be used in ways that generate revenue for Facebook. Users have no say in the decisions over how the data will be used, yet it is "their data" (or data about them). Can it be used in academic research. Yes, it can. Market research. Yes. Users have no control over these uses. It is not simply a matter of changing some setting, which Facebook is constantly fiddling with. It is a matter of the the license the user has with Facebook. The user has no enforceable rights throught that license to control how the data is used.

I remember Facebook permissions for Apps in the past were quite laxes. I wonder even if theren't were data accessible to apps that were not visible from the browser interface.

Stupid users aren't allowed to say yes to share personal information on their friends. Only the friends are. That is how it should be. An API should never give access to other users data than the one who agreed. Luckily because of GDPR they now can't, though the same rules were there in most of the EU already so it was always illegal at least some of it. IMO the rules should be even tighter and the punishments harsher.

You say that like it's okay that anyone else can press a button and then share my data. It's not my friends' to share, I'd say fb is at fault here for providing this to third parties.

Only user B has the right to consent to such processing.

Do people really want their doctor to invest several hours a week understanding the latest shenanigans and dangers of technology? Or should we just let our doctors be good doctors? Replace "doctor" by any other non-tech profession you respect, and you get my point.

This isn't even about protecting "stupid" people, it's about letting people be useful members of society even if they're not tech experts.

However, I disagree with modifying/removing a legitimate feature (API access) just because it can be abused. Otherwise, why not go further and also ban knives (or go after supermarkets that sell them) to solve knife crime?

That sounds like a very slippery argument, but no, the way to solve knife crime is not to ban knifes, it's to understand and "fix" the reasons (systems) why people do knife crimes in the first place (e.g. poverty, poor mental health resources).

In this case, we need to understand how the systems (e.g. the API) allowed for this to happen, and perhaps yes, get rid of it (or perhaps some other solution, I don't know, but beyond CA it seems that even a "legitimate" use of the API can easily cause harm).

This lawsuit is explicitly not about the big tech giant's (Facebook) data processing (which I agree is a problem).

The lawsuit is about how Facebook should've somehow been able to predict the future malicious actions of a company and prevent users from sharing their data with them against their own will (again nobody's data was shared without consent - people explicitly opted to share their data - which includes basic info about their friends, which I'd argue is their data too - with Cambridge Analytica).

If there's a "megacorp shark" here, it's Cambridge Analytica and not Facebook.

You frame this as if it was a logical train of thought but it isn't to me (and apparently I'm not the only one). You're not to decide what the UK courts determine to be acceptable or not and imho you're reasoning is rotten from the get go so any conclusions you draw from it are equally invalid. "consent" isn't a free pass, I can give you the explicit consent to kill me and it would still be illegal for you to do it in every country I know of.

Facebook has a systemic issue with the way they harvest, handle, share and monetise their users data, this case is just a drop in the ocean of sketchy things they've done, I'm not going to cry for them when they finally get a slap on the wrist

> Facebook has a systemic issue with the way they harvest, handle, share and monetise their users data, this case is just a drop in the ocean of sketchy things they've done

How did Facebook benefit from this? Facebook got duped just like everyone else. CA did not disclose their intentions when they got access to the Facebook API because they wouldn't have got that access otherwise as their actions were against the FB API terms of use.

There's a bit of a witch hunt going on about Facebook, and while I despise that company and want to see it gone too, this is just an outraged mob clutching at straws. They can't go after Cambridge Analytica nor the people behind it (and I guess can't be bothered to vote/lobby for a legislative change so that those people can be prosecuted) so they're venting their anger on the next best thing: Facebook, even though they're a neutral party in this case.

But again, you're missing the forest for the tree. You discuss the symptoms while I discuss the root cause. A phone shouldn't let third party randomly siphon arbitrary data about you and your friends without making public the full scope of their project. A consent isn't consent if you're being tricked into giving it for nefarious use

This may be true technically, but if it was not made clear to the users what they were sharing and what their data would be used for then the users cannot legitimately agree.

Facebook, as platform owners, can force organisation to be clear about what will be disclosed and what for.

This is one of the goals of European GDPR and personally I don't think it needs to hinder legitimate usage. It just forces you to consider why you're collecting data, have a legitimate reason and disclose it to the user. Without that, companies have been hoovering up any user data they can get their hands on. User data should be a liability, rather than an asset.

The Facebook OAuth consent prompt is pretty clear.

> what their data would be used for

This is an issue with Cambridge Analytica, not Facebook. Similarly, if a seller on eBay asks you to wire them money and then scams you, why should the bank be liable?

Furthermore, Cambridge Analytica's actions apparently broke the Facebook API terms of use. There's nothing Facebook could've done here unless they can predict the future and retroactively deny access to companies that they know will break the rules in the future.

CA abused a legitimate feature that allowed users to delegate access to their accounts. My comment is about how this lawsuit will set a bad precedent and restrict API access even further (hindering legitimate usage) without doing much to prevent abuse (because people can just share their credentials instead).

Facebook is not your parent. That logic, that others need to be "held accountable" and that voters are children who cannot be trusted to make up their own minds is far more dangerous to democracy than the Cambridge Analytica ratfucking.

I don't think voters are children and I agree with you that that is dangerous thinking, but I do think that showing advertisements based off of data they didn't know they gave in order to change their vote is not the way to allow them to make their own decisions.

Recently I've felt the benefit of this, when sharing my Twitter following with Clubhouse. Clubhouse can grow and challenge other networks because these APIs exist. (We can argue about the degree to which sharing your data should be allowed, but setting an overly restrictive precedent is a real possibility)

[1] https://news.ycombinator.com/newsguidelines.html

Guess the cost-benefit analysis checks out

That was really messed up.

Facebook screwed up, now they need to pony up and compensate its users.

If this lawsuit goes through then expect more all over the world.

It's open season on social networks and it's perfectly justified. Facebook's role in bringing 4 years of Trump was punishment enough.

I guess I'm stupid too if I have a stupid friend or relative.

My friend might technically send that information to Cambridge Analytica, but my friend can't give them permission to use it, CA would be required to acknowledge that they don't have the legal permission to use that data and discard it. My friend can tell Facebook "I permit you to give that information to Cambridge Analytica" but Facebook is not allowed to act based on that "permission" since it's not something my friend can permit.

It's pretty well accepted that Cambridge Analytica acted unethically, and potentially even unlawfully.

> My friend can tell Facebook "I permit you to give that information to Cambridge Analytica" but Facebook is not allowed to act based on that "permission" since it's not something my friend can permit.

This seems like an unnecessary technicality - if CA wasn't allowed to access your data directly they would just proxy it through the original user's device via an app or something. The end result would be the same.

I don't grant API access to people that my friend grants API access to.

If one grant allowed for another grant, by that logic you could chain all the way down to any connected node which is clearly not a desirable model.

Data brokers are trying to make it seem like me adding a friend is somehow not a grant so that they can "plus one" on their reach. But it is a grant. It is literally me granting my friend access to my data. Just because the company doesn't call it a grant and doesn't treat it like one on a technical level doesn't change the fact that I have granted my friend access to some data.

Either you trust your friend with that data or you don't. Anything else is just playing a game of whack-a-mole which may just give people a false sense of security.

Will the next argument be that browsers shouldn't be extensible, because it's a liability with stupid users?

Companies protect their users from themselves; they HAVE to, in case they (the users) shoot themselves in the foot. And consumer have a reasonable expectation, regardless of Facebook's terms & conditions, that their data isn't shared to third parties - or that they at least get asked when it happens, instead of being pointed to a tl;dr of T's & C's.

Plenty of people do not have the literacy level to understand terms and conditions [1]. This is a worrying trend, but it's something that companies like Facebook should (and are) aware of - people don't read terms and conditions, people don't understand them.

[1] https://literacytrust.org.uk/parents-and-families/adult-lite...

besides that fact, we also do not sue a Car manufacturer if a User of their car does go 350kph on the highway' crashes and dies.....

"open" api doesn't mean "do whatever you want", you're kind of making my point and the point of the article. There is nothing bad about Facebook going to court over that.

This isn't the result of open api, it's the result of badly designed and badly regulated open api.

Facebook will never ask you out of the blue whether you want to share your data with Cambridge Analytica. They have nothing to gain from it.

What happened is that idiots clicked on some kind of personality test (or similar) shared by one of their equally-stupid friends, the consent prompt appears as it should (and is very clear about what data will be shared) and they clicked yes. There are arguments here that these links should've been identified/marked as malicious and thus removed to begin with, but that's a separate issue.

Removing API access because some people are dumb will lead to lots of collateral damage (including towards those same idiots who expect to be able to "Login with Facebook" everywhere and are suddenly locked out of all these accounts), and will not solve the problem - malicious parties will just start asking for raw Facebook credentials or to install malicious apps/browser extensions to work around the lack of API access.

> The fact that Facebook gathered the data to begin with is already a huge problem

Which data are we talking about here? My understanding is that the data obtained by CA is data that the user explicitly put on their profile (such as photos, etc) and "friends" relationships. Ad targeting data (which is the real issue when it comes to Facebook's data collection) was not included.

---

My worry here (and the reason for the relatively harsh language) is that this lawsuit will set a precedent and give arguments for platforms to restrict API access even more and hurt potential competition as well as impose annoying & unnecessary barriers to users who know what they're doing. We already have this issue with banking where some banks insist on using a hardware 2FA device to protect against scams, and it's not really effective because people are stupid enough to use the 2FA device over the phone with a scammer despite the bold warnings about not using it over the phone printed right on the device itself.