Security news that informs and inspires

Facebook Moves to Restrict Access to User Data

Facebook is making a number of changes to the way that apps can connect to its APIs and what data those apps can access, as well as how apps can access personal information during the login process. The changes are the result of backlash from the revelations that data belonging to tens of millions of Facebook users was improperly shared with Cambridge Analytica.

Among the modifications Facebook is making, two of the bigger ones are the change to the login process and a change to the way that the search and account recovery process works. The largest shift is in the amount and kind of personal data that apps can get to during user login.

“Starting today, Facebook will need to approve all apps that request access to information such as check-ins, likes, photos, posts, videos, events and groups. We started approving these permissions in 2014, but now we’re tightening our review process — requiring these apps to agree to strict requirements before they can access this data,” Facebook CTO Mike Schroepfer said in a post Wednesday.

“We will also no longer allow apps to ask for access to personal information such as religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity, and games activity. In the next week, we will remove a developer’s ability to request data people shared with them if it appears they have not used the app in the last 3 months.”

On the search and account recovery side of things, Facebook has disabled a feature that allowed people to search for users by phone number of email address. Schroepfer said the feature was useful in countries where many people have the same name, but the company found that it also was being used in large-scale data-gathering operations.

"Malicious actors have also abused these features to scrape public profile information."

“However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well,” Schroepfer said.

Facebook has been under even more scrutiny than usual for the last few weeks after a series of stories revealed that an app used by a third-party company collected large amounts of data from what Facebook now says was 87 million users. The revelation drew the ire of not just privacy advocates and civil liberties groups, but also many Facebook users who were unaware of the amount of data-gathering going on. The API and privacy changes announced this week are the second set of changes that the company has made since those revelations became public.

Last week Facebook announced that it would be cutting ties with several data brokers, including Experian, TransUnion, and others. That move was meant to "help improve people's privacy on Facebook”, according to the company.

However, many privacy concerns remain. A Facebook spokesperson told Bloomberg that the company uses automated technology to scan Facebook Messenger messages that are unencrypted. The app has an encryption option, but users have to enable it manually.