Facebook quietly admits they let Cambridge Analytica read your private messages

Originally published at: https://boingboing.net/2018/04/10/holy-zucking-hell.html


I get that there’s a tradeoff between protecting privacy and giving third-party apps access to enough information that they can be useful. But why on Earth would anybody for any reason want to share their PMs with an app? Anyone who agrees to do so is almost certainly confused about what they’re sharing. This should never have been an option.

1 Like

Eventually they’ll get around to telling us that this wasn’t Cambridge Analytica’s only channel into Facebook’s data.


Sorryberg looks like a rabbit trapped in the headlights at the senate hearing. Unfortunately, few of the senators seem to have any idea what they’re asking or even asking anything that is not totally irrelevant.

ETA: Sorryberg is consistently offering up a platter of hot bullshit.


Mark my words, this will be a huge blow to Facebook.

Many people only stick around due to Messenger.

(Funnily enough, not trusting FB with my conversations is what led me to leave FB and encourage my friends to use Signal to message me)

1 Like

There are huge perverse incentives in the “Privacy Abuse and Manipulation” industry. It makes big bucks. It works. It is easy. It is cheap. Ultimately, if we wish to regain personal privacy and limit manipulation, we must examine legislative fixes that alter the economy of the Personal Data marketplace.

This is not simple or easy. Fixes at the economic level are painful and invasive. I apologize for the long post. But, meaningful protections must be robust and non-trivial.

For example, we can increase the expense of collecting, storing and exchanging personal data by:

  • Require accurate tracking information on the collection, storage and exchange of personal data. This should include identifying information for every entity that handled the data. This should be coupled with large mandatory fines for any data that is missing past transaction history. Currently, data brokers have low overhead and bear no responsibility for their behavior. They are selling goods worth billions. Their activity should be tracked as completely as credit card transactions. Requiring accurate documentation of the personal data marketplace will increase the expense of reselling personal data.
  • Impose aggressive taxes on collected, stored and exchanged personal information. It obviously has value. It is a major asset of Google and Facebook. It should be taxed like real estate or an economic transaction. The higher the taxes, the less incentive to collect, store and exchange personal information.
  • Forbid exporting personal information from the country of origin. If an entity wishes to collect, store, or exchange personal information, they must do it in the country of origin.
  • Add more teeth to “data breach” legislation. Remove any “due diligence” protection. Impose mandatory fines for data breach. Fines should be based on the number and severity of personal “facts”. Exporting personal information from the country of origin IS a breach. The higher the fines, the less incentive to collect and store personal information.
  • Impose full breach liability on every upstream entity in the data collection stream. Currently, data collectors and brokers get rich by selling to a wide market and experiencing no liability. Imposing liability for the behavior of down-stream purchasers of personal data will greatly increase the expense of collecting, storing and exchanging personal data.

Then we must work to harden our society against the manipulative effects of collected personal data. This is a continual challenge. Things we might consider include:

  • Require search engines and social media to unmistakably indicate if we are viewing “Relevant, tailored for us illusion” or “Verify-able Consensus Reality”.
  • Consistently penalize search engines and social media when they inaccurately represent “Verify-able Consensus Reality”
  • Require search engines and social media to provide a simple, always on-screen method to easily switch between “Relevant, tailored for us illusion” or “Verify-able Consensus Reality”.
  • Impose meaningful, effective restrictions on our government’s ability to attempt to manipulate “Verify-able Consensus Reality”
  • Require our government to protect its citizens from other governments’ or corporations’ attempts to manipulate our access to search engine/social media “Verify-able Consensus Reality”
  • Impose mandatory penalties on the enabling parties for every occurrence of identity theft. This means penalize the banks, the credit reporting agencies, and even the IRS. If identity theft occurred, then their process must have immediate, corrective feedback.
  • Educate our society that multi-factor authentication is required when authenticating to critical resources.
  • Educate our society that biometrics might be identifiers, but should never be an authenticator.

If we keep our eyes on the money, and assert economic control over the Personal Data marketplace, we might be able to achieve meaningful protection against invasive privacy threats and manipulation.


I got (edited to add, an hour ago) a Facebook questionnaire and decided to fill it out thoughtfully. I mentioned I’d prefer a feed of just actual people I actually know, very very explicit opt ins with multiple checkboxes, and default settings that respect privacy -and- dignity. Also mentioned they had been arrogant about this, and needed to stop that, and I kid you not Facebook just offered me 25 bucks if I would take their phone call.

No thanks, but I believe this is what boot quaking looks like?


It blows my mind that people still think giving away one’s birthday is benign. The birthday plus a name form a unique key that can be used to link up all sorts of records. It used to be that every app that used fb login inexplicably requested (and required) birthday. But it seems they are starting to do that less. Keep telling them with actions that subjecting us to identity theft is not a valid trade-off for the convenience of not having to use a password manager.
