Tag archive: Cambridge Analytica

The real risk of Facebook’s Libra coin is crooked developers

Everyone’s worried about Mark Zuckerberg controlling the next currency, but I’m more concerned about a crypto Cambridge Analytica.
Today Facebook announced Libra, its forthcoming stablecoin designed to let you shop and send money overseas with almost zero transaction fees. Immediately, critics started harping about the dangers of centralizing control of tomorrow’s money in the hands of a company with a poor track record of privacy and security.
Facebook anticipated this, though, and created a subsidiary called Calibra to run its crypto dealings and keep all transaction data separate from your social data. Facebook shares control of Libra with 27 other Libra Association founding members, and as many as 100 total when the token launches in the first half of 2020. Each member gets just one vote on the Libra council, so Facebook can’t hijack the token’s governance even though it invented it.

With privacy fears and centralized control issues at least somewhat addressed, there’s always the issue of security. Facebook naturally has a huge target on its back for hackers. Not just because Libra could hold so much value to steal, but because plenty of trolls would get off on screwing up Facebook’s currency. That’s why Facebook open-sourced the Libra Blockchain and is offering a prototype in a pre-launch testnet. This developer beta plus a bug bounty program run in partnership with HackerOne is meant to surface all the flaws and vulnerabilities before Libra goes live with real money connected.
Yet that leaves one giant vector for abuse of Libra: the developer platform.

“Essential to the spirit of Libra . . . the Libra Blockchain will be open to everyone: any consumer, developer, or business can use the Libra network, build products on top of it, and add value through their services. Open access ensures low barriers to entry and innovation and encourages healthy competition that benefits consumers,” Facebook explained in its white paper and Libra launch documents. It’s even building a whole coding language called Move for making Libra apps.
Apparently Facebook has already forgotten how allowing anyone to build on the Facebook app platform and its low barriers to “innovation” are exactly what opened the door for Cambridge Analytica to hijack 87 million people’s personal data and use it for political ad targeting.
But in this case, it won’t be users’ interests and birthdays that get grabbed. It could be hundreds or thousands of dollars’ worth of Libra currency that’s stolen. A shady developer could build a wallet that just cleans out a user’s account or funnels their coins to the wrong recipient, mines their purchase history for marketing data or uses them to launder money. Digital risks become a lot less abstract when real-world assets are at stake.

In the wake of the Cambridge Analytica scandal, Facebook raced to lock down its app platform, restrict APIs, more heavily vet new developers and audit ones that look shady. So you’d imagine the Libra Association would be planning to thoroughly scrutinize any developer trying to build a Libra wallet, exchange or other related app, right? “There are no plans for the Libra Association to take a role in actively vetting [developers],” Calibra’s head of product Kevin Weil surprisingly told me. “The minute that you start limiting it is the minute you start walking back to the system you have today with a closed ecosystem and a smaller number of competitors, and you start to see fees rise.”
That translates to “the minute we start responsibly verifying Libra app developers, things start to get expensive, complicated or agitating to cryptocurrency purists. That might hurt growth and adoption.” You know what will hurt growth of Libra a lot worse? A sob story about some migrant family or a small business getting all their Libra stolen. And that blame is going to land squarely on Facebook, not some amorphous Libra Association.
Inevitably, some unsavvy users won’t understand the difference between Facebook’s own wallet app Calibra and any other app built for the currency. “Libra is Facebook’s cryptocurrency. They wouldn’t let me get robbed,” some will surely say. And on Calibra they’d be right. It’s a custodial wallet that will refund you if your Libra are stolen and it offers 24/7 customer support via chat to help you regain access to your account.
Yet the Libra Blockchain itself is irreversible. Outside of custodial wallets like Calibra, there’s no getting your stolen or mis-sent money back. There’s likely no customer support. And there are plenty of crooked crypto developers happy to prey on the inexperienced. Indeed, $1.7 billion in cryptocurrency was stolen last year alone, according to CipherTrace via CNBC. “As with anything, there’s fraud and there are scams in the existing financial ecosystem today . . . that’s going to be true of Libra too. There’s nothing special or magical that prevents that,” says Weil, who concluded “I think those pros massively outweigh the cons.”
Until now, the blockchain world was mostly inhabited by technologists, except for when skyrocketing values convinced average citizens to invest in Bitcoin just before prices crashed. Now Facebook wants to bring its family of apps’ 2.7 billion users into the world of cryptocurrency. That’s deeply worrisome.
Facebook founder and CEO Mark Zuckerberg arrives to testify during a Senate Commerce, Science and Transportation Committee and Senate Judiciary Committee joint hearing about Facebook on Capitol Hill in Washington, DC, April 10, 2018. (Photo: SAUL LOEB/AFP/Getty Images)
Regulators are already bristling, but perhaps for the wrong reasons. Democrat Senator Sherrod Brown tweeted that “We cannot allow Facebook to run a risky new cryptocurrency out of a Swiss bank account without oversight.” And French Finance Minister Bruno Le Maire told Europe 1 radio that Libra can’t be allowed to “become a sovereign currency.”
Most harshly, Rep. Maxine Waters issued a statement saying, “Given the company’s troubled past, I am requesting that Facebook agree to a moratorium on any movement forward on developing a cryptocurrency until Congress and regulators have the opportunity to examine these issues and take action.”
Yet Facebook has just one vote in controlling the currency, and the Libra Association preempted these criticisms, writing, “We welcome public inquiry and accountability. We are committed to a dialogue with regulators and policymakers. We share policymakers’ interest in the ongoing stability of national currencies.”
That’s why as lawmakers confer about how to regulate Libra, I hope they remember what triggered the last round of Facebook execs having to appear before Congress and Parliament. A totally open, unvetted Libra developer platform in the name of “innovation” over safety is a ticking time bomb. Governments should insist the Libra Association thoroughly audit developers and maintain the power to ban bad actors. In this strange new crypto world, the public can’t be expected to perfectly protect itself from Cambridge Analytica 2.$.
Get up to speed on Facebook’s Libra with this handy guide:

Facebook announces Libra cryptocurrency: All you need to know

Facebook mistakenly deleted some people’s Live videos

This time instead of exposing users’ data, a Facebook bug erased it. A previously undisclosed Facebook glitch caused it to delete some users’ Live videos if they tried to post them to their Story and the News Feed after finishing their broadcast. Facebook wouldn’t say how many users or livestreams were impacted, but told TechCrunch the bug was intermittent and affected a minority of all Live videos. It’s since patched the bug and restored some of the videos, but is notifying some users with an apology that their Live videos have been deleted permanently.
The bug raises the question of whether Facebook is a reliable place to share and store our memories and important moments. In March, Facebook COO Sheryl Sandberg told Congress regarding the Cambridge Analytica scandal that “We have a responsibility to protect your data – and if we can’t, then we don’t deserve to serve you.” Between that misappropriation of user biographical data, the recent breach that let hackers steal the access tokens that would let them take over 50 million Facebook accounts, wrongful changes to users’ default sharing privacy settings, and now this, some users may conclude Facebook in fact no longer deserves to serve them.
Facebook user Tommy Gabriel Sparandera provided TechCrunch with this screenshot showing the apology note from Facebook on his profile. It reads “Information About Your Live Videos: Due to a technical issue, one or more of your live videos may have been deleted from your timeline and couldn’t be restored. We understand how important your live videos can be and apologize that this happened.”
When TechCrunch asked Facebook about the issue, it confirmed the problem and provided this statement: “We recently discovered a technical issue that removed live videos from some people’s Facebook Timelines. We have resolved this issue and restored many of these videos to people’s Timelines. People whose videos we were unable to restore will get a notification on Facebook. We know saving memories on Facebook is important to people, and we apologize for this error.”

Facebook made a huge push to own the concept of “going Live” in 2016 with TV commercials, billboards and more designed to overshadow competitors like Twitter’s Periscope. It eventually succeeded, with Periscope’s popularity fading while one in five Facebook videos became Live broadcasts. But in its blitz to win this market, it didn’t build adequate safety and moderation tools. That led to suicides and violence being livestreamed to audiences before Facebook’s content police could take down the videos.
Nowadays, most users don’t go live frequently unless they’re some kind of influencer, public figure, or journalist. When they do see something important transpiring, Facebook has positioned itself as the way to broadcast it. But if users can’t be sure Facebook will properly save those videos, it could persuade them it’s not worth becoming a camera man instead of a participant in life’s most interesting moments.

Facebook quietly relaunches apps for Groups platform after lockdown

Facebook is becoming a marketplace for enterprise apps that help Group admins manage their communities.
To protect itself and its users in the wake of the Cambridge Analytica scandal, Facebook locked down the Groups API for building apps for Groups. These apps had to go through a human-reviewed approval process, and lost access to Group member lists, plus the names and profile pics of people who posted. Now, approved Groups apps are reemerging on Facebook, accessible to admins through a new in-Facebook Groups apps browser that gives the platform control over discoverability.
Facebook confirmed the new Groups apps browser after our inquiry, telling TechCrunch, “What you’re seeing today is related to changes we announced in April that require developers to go through an updated app review process in order to use the Groups API. As part of this, some developers who have gone through the review process are now able to access the Groups API.”

Facebook wouldn’t comment further, but this Help Center article details how Groups can now add apps. Matt Navarra first spotted the new Groups apps option and tipped us off. Previously, admins would have to find Group management tools outside of Facebook and then use their logged-in Facebook account to give the app permissions to access their Group’s data.
Groups are often a labor of love for admins, but generate tons of engagement for the social network. That’s why the company recently began testing Facebook subscription Groups that allow admins to charge a monthly fee. With the right set of approved partners, the platform offers Group admins some of the capabilities usually reserved for big brands and businesses that pay for enterprise tools to manage their online presences.
Becoming a gateway to enterprise tool sets could make Facebook Groups more engaging, generating more time on site and ad views from users. This also positions Facebook as a natural home for ad campaigns promoting different enterprise tools. And one day, Facebook could potentially try to act more formally as a Groups App Store and try to take a cut of software-as-a-service subscription fees the tool makers charge.

Facebook can’t build every tool that admins might need, so in 2010 it launched the Groups API to enlist some outside help. Moderating comments, gathering analytics and posting pre-composed content were some of the popular capabilities of Facebook Groups apps. But in April, it halted use of the API, announcing that “there is information about people and conversations in groups that we want to make sure is better protected. Going forward, all third-party apps using the Groups API will need approval from Facebook and an admin to ensure they benefit the group.”
Now apps that have received the necessary approval are appearing in this Groups apps browser. It’s available to admins through their Group Settings page. The apps browser lets them pick from a selection of tools like Buffer and Sendible for scheduling posts to their Group, and others for handling commerce messages.

Facebook is still trying to bar the windows of its platform, ensuring there are no more easy ways to slurp up massive amounts of sensitive user data. Yesterday it shut down more APIs and standalone apps in what appears to be an attempt to streamline the platform so there are fewer points of risk and more staff to concentrate on safeguarding the most popular and powerful parts of its developer offering.
The Cambridge Analytica scandal has subsided to some degree, with Facebook’s share price recovering and user growth maintaining at standard levels. However, a new report from The Washington Post says the FBI, FTC and SEC will be investigating Facebook, Cambridge Analytica and the social network’s executives’ testimony to Congress. Facebook surely wants to get back to concentrating on product, not politics, but must take it slow and steady. There are too many eyes on it to move fast or break anything.

Facebook mistakenly leaked developer analytics reports to testers

Set the “days without a Facebook privacy problem” counter to zero. This week, an alarmed developer contacted TechCrunch, informing us that their Facebook App Analytics weekly summary email had been delivered to someone outside their company. It contains sensitive business information, including weekly average users, page views and new users.
Forty-three hours after we contacted Facebook about the issue, the social network now confirms to TechCrunch that 3 percent of apps using Facebook Analytics had their weekly summary reports sent to their app’s testers, instead of only the app’s developers, admins and analysts.
Testers are often people outside of a developer’s company. If the leaked info got to an app’s competitors, it could provide them an advantage. At least they weren’t allowed to click through to view more extensive historical analytics data on Facebook’s site.
Facebook tells us it has fixed the problem and no personally identifiable information or contact info was improperly disclosed. It plans to notify all impacted developers about the leak today and has already begun.
Update: 1pm Pacific: TechCrunch was provided with this statement from a Facebook spokesperson:

“Due to an error in our email delivery system, weekly business performance summaries we send to developers about their account were also sent to a small group of those developer’s app testers. No personal information about people on Facebook was shared. We’re sorry for the error and have updated our system to prevent it from happening again.”

Below you can find the email the company is sending:
Subject line: We recently resolved an error with your weekly summary email
We wanted to let you know about a recent error where a summary e-mail from Facebook Analytics about your app was sent to testers of your app ‘[APP NAME WILL BE DYNAMICALLY INSERTED HERE]’. As you know, we send weekly summary emails to keep you up to date with some of your top-level metrics — these emails go to people you’ve identified as Admins, Analysts and Developers. You can also add Testers to your account, people designated by you to help test your apps when they’re in development.
We mistakenly sent the last weekly email summary to your Testers, in addition to the usual group of Admins, Analysts and Developers who get updates. Testers were only able to see the high-level summary information in the email, and were not able to access any other account information; if they clicked “View Dashboard” they did not have access to any of your Facebook Analytics information.
We apologize for the error and have made updates to prevent this from happening again.
One affected developer told TechCrunch “Not sure why it would ever be appropriate to send business metrics to an app user. When I created my app (in beta) I added dozens of people as testers as it only meant they could login to the app…not access info!” They’re still waiting for the disclosure from Facebook.
Facebook wouldn’t disclose a ballpark number of apps impacted by the error. Last year it announced 1 million apps, sites and bots were on Facebook Analytics. However, this issue only affected apps, and only 3 percent of them.

The mistake comes just weeks after a bug caused 14 million users’ Facebook status update composers to change their default privacy setting to public. And Facebook has had problems with misdelivering business information before. In 2014, Facebook accidentally sent advertisers receipts for other businesses’ ad campaigns, causing significant confusion. The company has also misreported metrics about Page reach and more on several occasions. Though user data didn’t leak and today’s issue isn’t as severe as others Facebook has dealt with, developers still consider their business metrics to be private, making this a breach of that privacy.
While Facebook has been working diligently to patch app platform privacy holes since the Cambridge Analytica scandal, removing access to many APIs and strengthening human reviews of apps, issues like today’s make it hard to believe Facebook has a proper handle on the data of its 2 billion users.

WhatsApp CEO Jan Koum quits Facebook due to privacy intrusions

“It is time for me to move on . . . I’m taking some time off to do things I enjoy outside of technology, such as collecting rare air-cooled Porsches, working on my cars and playing ultimate frisbee,” WhatsApp co-founder, CEO and Facebook board member Jan Koum wrote today. The announcement followed shortly after The Washington Post reported that Koum would leave due to disagreements with Facebook management about WhatsApp user data privacy and weakened encryption. Koum obscured that motive in his note that says, “I’ll still be cheering WhatsApp on – just from the outside.”
Facebook CEO Mark Zuckerberg quickly commented on Koum’s Facebook post about his departure, writing “Jan: I will miss working so closely with you. I’m grateful for everything you’ve done to help connect the world, and for everything you’ve taught me, including about encryption and its ability to take power from centralized systems and put it back in people’s hands. Those values will always be at the heart of WhatsApp.” That comment further tries to downplay the idea that Facebook pushed Koum away by trying to erode encryption.
The move comes 3.5 years after WhatsApp’s acquisition, meaning Koum may have vested much of his stock and have fewer financial incentives to stay. It’s currently unclear what will happen to Koum’s Facebook board seat that WashPo says he’ll vacate, or who will replace him as WhatsApp’s CEO.
One possible candidate for the CEO role would be WhatsApp business executive Neeraj Arora, a former Google corporate development manager who’s been with WhatsApp since 2011 — well before the Facebook acquisition. A source described him as the #4 at WhatsApp.
Values misaligned
Koum sold WhatsApp to Facebook in 2014 for a jaw-dropping $19 billion. But since then it’s more than tripled its user count to 1.5 billion, making the price to turn messaging into a one-horse race seem like a steal. But at the time, Koum and co-founder Brian Acton were assured that WhatsApp wouldn’t have to run ads or merge its data with Facebook’s. So were regulators in Europe, where WhatsApp is most popular.
A year and a half later, though, Facebook pressured WhatsApp to change its terms of service and give users’ phone numbers to its parent company. That let Facebook target those users with more precise advertising, such as by letting businesses upload lists of phone numbers to hit those people with promotions. Facebook was eventually fined $122 million by the European Union in 2017 — a paltry sum for a company earning more than $4 billion in profit per quarter.
But the perceived invasion of WhatsApp user privacy drove a wedge between Koum and the parent company well before the Cambridge Analytica scandal broke. A source confirms that Koum had been considering leaving for a year. Acton left Facebook in November, and has publicly supported the #DeleteFacebook movement since.

WashPo writes that Koum was also angered by Facebook executives pushing for a weakening of WhatsApp’s end-to-end encryption in order to facilitate its new WhatsApp For Business program. It’s possible that letting multiple team members from a business all interact with its WhatsApp account could be incompatible with strong encryption. Facebook plans to finally make money off WhatsApp by offering bonus services to big companies like airlines, e-commerce sites and banks that want to conduct commerce over the chat app.
Jan Koum (Photo: TOBIAS HASE/AFP/Getty Images)
Koum was heavily critical of advertising in apps, once telling Forbes that “Dealing with ads is depressing . . . You don’t make anyone’s life better by making advertisements work better.” He vowed to keep them out of WhatsApp. But over the past year, Facebook has rolled out display ads in the Messenger inbox. Without Koum around, Facebook might push to expand those obtrusive ads to WhatsApp as well.
The high-profile departure comes at a vulnerable time for Facebook, with its big F8 developer conference starting tomorrow despite Facebook simultaneously shutting down parts of its dev platform as penance for the Cambridge Analytica scandal. Meanwhile, Google is trying to fix its fragmented messaging strategy, ditching apps like Allo to focus on a mobile carrier-backed alternative to SMS it’s building into Android Messages.
While the News Feed made Facebook rich, it also made it the villain. Messaging has become its strongest suit thanks to the dual dominance of Messenger and WhatsApp. Considering many users surely don’t even realize WhatsApp is owned by Facebook, Koum’s departure over policy concerns isn’t likely to change that. But it’s one more point in what’s becoming a thick line connecting Facebook’s business ambitions to its cavalier approach to privacy.
You can read Koum’s full post below.

It’s been almost a decade since Brian and I started WhatsApp, and it’s been an amazing journey with some of the best…
Posted by Jan Koum on Monday, April 30, 2018
