Industry Observations

Facebook, APIs, and Application Data Mining

I’m a great big ol’ hater of most memes and of the mining of PII from them. I’ve ranted about them before: they get you to share details that can be used to pin down specific information about you, your bank accounts, and other areas you’d rather a hacker didn’t know too well.

The application vulnerabilities we find at WhiteHat in the Authentication class have everything to do with people harvesting such information – then going to work. I even put out some advice on how to design better security questions to protect your users from themselves and their compulsive need to overshare details on their favorite sports team, their favorite teacher, their first data points – oops – first date information on social media.

I even pointed out that allowing social media applications to share authentication processes with smaller, less security-minded companies can be a mistake.

If you don’t want to go back and read me preaching at you, here’s the summary: stop oversharing personal data on Facebook, and don’t let your mobile banking apps authenticate through any social media platform. Now there’s a whole new level to it: application companies sharing your demographic and likes/dislikes information with one another via API in order to gather information.

Here is the story of your demographic information: not illegal to collect, but shared inappropriately via Facebook’s connection to the information and marketing company Cambridge Analytica. It is the missing link in the ominous stalking I hinted at before, where personal information can be misused. You may think you are a rock, a bastion of opinionated virtue that would never be influenced by anyone or anything. Pardon my directness, but you are wrong.

Your heartstrings are tugged by images of abused animals. Your outrage is fanned by political rants for or against your own. You are uplifted and soothed by pleasant images of people sitting in bubble baths drinking wine, and smile at pictures of kittens or corgis doing adorable things. You, my friends, are a commodity for people who want to influence what you think, how you feel today, and your general emotional reaction to multiple current affairs in politics and business.

If you’re ready to stop other applications from pulling Facebook information via the API from your feed, or more to the point, from your users and the Facebook social pages you’re in charge of, the instruction sheet is here. I highly recommend doing this for any group page you manage, as well as your own.

Me, I’m staying on Facebook because that’s how I find substitute goalies for ice hockey games coming up. It’s how my friends and I coordinate camping and other activities, and I can stay in touch with family when we all hate the phone. But I stay aware of what kinds of ideas I’m being fed. I don’t ever click “Like” on anything – because that feeds the marketing machine and tells them how to advertise at me and more. When I last checked, the Facebook algorithm thinks I’m a 14-25 year-old boy gamer, and I’m good with that because of the ads it shows me.

Beware where you get your news, and Google everything to find primary sources. And guard your APIs, people!