
from the it's-not-a-bug-it's-a-feature dept.
Submitted via IRC for SoyCow1984
Facebook has disclosed yet another privacy flub. This time around, it says a bug in the Photo API led to third-party apps being able to access not only timeline photos (which users had permitted them to do), but Stories, Marketplace images and photos people uploaded to Facebook but never actually shared.
"For example, if someone uploads a photo to Facebook but doesn't finish posting it -- maybe because they've lost reception or walked into a meeting -- we store a copy of that photo so the person has it when they come back to the app to complete their post," Engineering Director Tomer Bar explained in a post.
The bug affected as many as 6.8 million people across up to 1,500 apps, Facebook says, and it was active for 12 days before it was detected and fixed on September 25th. Companies are supposed to disclose data breaches within 72 hours under EU General Data Protection Regulation rules, though Facebook told TechCrunch it needed some time to investigate the bug's impact and prepare a notice for affected users in various languages. Still, the delay could land Facebook in hot water with EU regulators.
Source: https://www.engadget.com/2018/12/14/facebook-privacy-bug-photos-timeline-stories-marketplace/
Related: Facebook Keeps Unposted Videos
Related Stories
Ever change your mind while composing a video to post on Facebook? If you used Facebook's tools, they kept it anyway.
Earlier this week, like many people around the world, my sister Bailey downloaded her Facebook data archives. Along with the contact lists and relationship statuses was something unexpected: several different videos of her attempting to play a scale on a wooden flute in her childhood bedroom. Each video, she discovered, was a different "take" — recorded on Facebook, but then, she assumed, discarded before she posted the final version to a friend's wall.
[...] Facebook's current data policy says that the company can "collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others." "Create" is the operative word in there. By that logic, Facebook technically could save any video a user filmed but did not publish because you created it on the platform.
(Score: 0) by Anonymous Coward on Thursday December 20 2018, @12:34AM
That was always my thinking.
(Score: 3, Insightful) by Virindi on Thursday December 20 2018, @12:47AM (2 children)
Does 'data breach' include simply finding a bug, without evidence that someone has used it to steal data? That would seem unlikely since it might even discourage developers from looking for bugs which might be hard to exploit.
So it isn't necessarily a given that there was some violation of EU regulations here.
(Score: 3, Interesting) by rigrig on Thursday December 20 2018, @01:53AM (1 child)
"Your data was exposed, and we don't know who took advantage of it"
I'd say that classifies as a breach, and if it was my data I'd want to know about it.
Which is the whole point of the 72-hour deadline: Facebook had three days to figure out how bad this was, after which they were required to at least inform people that their photos might have been visible. Two months seems a bit long to make a list of apps and translate a message.
That only works until the first time someone does manage to exploit a bug you decided not to investigate.
No one remembers the singer.
(Score: 2) by Virindi on Thursday December 20 2018, @08:08PM
But then, wouldn't you have to make such a notification basically anytime you ran security updates on a server which contained a fix for an exploit? That happens constantly.
(Score: -1, Troll) by Anonymous Coward on Thursday December 20 2018, @03:35AM
Most programmers are female. That is a fact.
(Score: 4, Interesting) by captain normal on Thursday December 20 2018, @03:49AM (6 children)
"Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.
The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier."
https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html?module=inline [nytimes.com]
https://www.nytimes.com/2018/12/19/technology/facebook-data-privacy-criticism.html?partner=rss&emc=rss [nytimes.com]
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 2) by takyon on Thursday December 20 2018, @04:39AM (3 children)
Oh, is that the scandal I was hearing about on CBSN earlier?
It's becoming hard to track these Facebook scandals. Especially when we are at a 1 scandal per 3 days pace.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by edIII on Thursday December 20 2018, @05:46AM (1 child)
The one you allude to is HUGE. Basically Facebook has argued to US regulators that no privacy was breached, because users had given consent. That consent being to "integrated partners, affiliates, sisters-cousins-friends-roommate, etc.". They argued that these partners were "effectively extensions of Facebook itself, and therefore legal". The depth and breadth of what was being accessed was fucking staggering. Banks having the ability to both see and AUTHOR private messages on the person's behalf.
In other words, a FB user never had any privacy at all.
I'm. Just. Shocked. It's shocking that a major tech company, that is essentially a glorified marketer and the de facto leader of Big Ad, would be performing activities in furtherance of corporate profits with complete disregard for consumer privacy.
Who could've seen that coming?
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by takyon on Thursday December 20 2018, @06:00AM
https://www.investopedia.com/news/facebook-google-digital-ad-market-share-drops-amazon-climbs/ [investopedia.com]
At best it's a co-leader. At worst, you can call it half of GOOG.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Thursday December 20 2018, @07:29AM
It's kinda fun to watch Facebook being MySpaced by the media. Zuckerberg looks like he aged a lot recently.
(Score: 0) by Anonymous Coward on Thursday December 20 2018, @11:23AM
Nice to know someone's allowing Bing to do something. I won't even allow it to do a search.
(Score: 2) by Freeman on Thursday December 20 2018, @04:40PM
Personally, I assumed you signed away any right to privacy, etc. for anything you shared with Facebook. What lawyer would have not told them to cover their backsides?
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 1, Funny) by Anonymous Coward on Thursday December 20 2018, @11:14AM (1 child)
What kind of shitty jobs do these Millennials have where they're not allowed to walk into meetings and continue posting to Facebook?
(Score: 2) by Freeman on Thursday December 20 2018, @04:43PM
You say that like it's sarcasm / funny, but I've seen "Definitely Not Millennials, because they're way too old for that." people playing games on their phone while in a pretty small meeting with the boss. Some people just don't live in reality.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"