To a survey user, the process was quick: “You click the app, you go on, and then it gives you the payment code.” But two very important things happened in those few seconds. First, the app harvested as much data as it could about the user who just logged on....
It also provided personally identifiable information such as real name, location and contact details – something that wasn’t discoverable through the survey sites themselves. “That meant you could take the inventory and relate it to a natural person [who is] matchable to the electoral register.”
Second, the app did the same thing for all the friends of the user who installed it. Suddenly the hundreds of thousands of people who you’ve paid a couple of dollars to fill out a survey, whose personalities are a mystery, become millions of people whose Facebook profiles are an open book.
There's something to be said about people who gloss over OAuth Permission Decks like this one, but at least OAuth enabled services HAVE them. That being said, it's entirely still too "all or nothing".
Facebook app associations didn't (and still don't, I think); not only are there no controls over what data is shared, there's no visibility. This is another case of "not invented here" intentionally. It's a consistent policy of aggressive data pervasiveness at Facebook.
With more recent Android & iOS releases we've been seeing permission cross-sections like OAuth, but off by default, and enabled as needed. Something I've found really interesting is how poorly (probably intentionally) a lot of apps use these.
Let's take the Camera Permission for example. An app like Instagram / Facebook requests permissions to use your camera sensor for the obvious reason of taking photos. The problem is, once I've let Facebook have that permission I can't track when it's using it. It may turn on the camera and take pictures silently from that point onward.
So I don't give it this permission; instead I take the picture using my camera app of choice and then share it through Facebook, except.... now Facebook needs storage access. Once this has been handed over Facebook effectively can scan / read / analyze everything on my phone, and probably faster than I can complete my post and revoke the permission 9 levels deep in the system menus.
What bothers me more about this is that Android solved this problem years ago. The Intent framework allows apps to request things from other apps.
The Intent.ACTION_GET_CONTENT allows you to select a single file, like say from your photos/gallery app which already has access to the storage, but pass just what you approve along to Facebook.
The Intent.ACTION_IMAGE_CAPTURE allows you to call out to camera apps to capture an image, which will then let you manipulate it afterwards once the camera data has been passed.
The Intent.ACTION_PICK allows you to ask the user to pick from a list of personal data like Contacts / Appointments / Etc so they can share only what they want.
I'm annoyed more apps don't fall back to this mode when people don't give apps unfettered permissions to wide-sweeping categories of permissions like Contacts. I feel like this design is intentional by the app developers to encourage unrestricted access by annoying users that aren't educated enough to understand what they're giving up.
Unfortunately I think the only way to combat this is to educate people; hopefully these very large, public fuck-ups like Cambridge Analytica will help as examples of how this shit matters enough for people to learn / understand.
ಠ_ಠ
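The three intents named in the post, as an added example that is not part of the original post: an Android activity that gets one file, one photo preview and one contact from the user without holding storage, camera or contacts permissions. The class name `ScopedShareActivity`, the request codes and the log tag are hypothetical; note that the capture constant is defined on `MediaStore` rather than `Intent`.

```java
import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.graphics.Bitmap;
import android.provider.ContactsContract;
import android.provider.MediaStore;
import android.util.Log;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical activity: the manifest declares no storage, camera or contacts permission.
public class ScopedShareActivity extends Activity {
    private static final int REQ_FILE = 1, REQ_PHOTO = 2, REQ_CONTACT = 3;

    void pickImage() {   // system picker returns a URI for the one chosen file
        Intent i = new Intent(Intent.ACTION_GET_CONTENT).setType("image/*");
        startActivityForResult(i.addCategory(Intent.CATEGORY_OPENABLE), REQ_FILE);
    }

    void takePhoto() {   // the camera app, not this app, drives the sensor
        // Throws SecurityException if CAMERA is declared in the manifest but not granted.
        startActivityForResult(new Intent(MediaStore.ACTION_IMAGE_CAPTURE), REQ_PHOTO);
    }

    void pickContact() { // result URI carries a temporary read grant for one contact
        startActivityForResult(
            new Intent(Intent.ACTION_PICK, ContactsContract.Contacts.CONTENT_URI), REQ_CONTACT);
    }

    @Override
    protected void onActivityResult(int req, int result, Intent data) {
        super.onActivityResult(req, result, data);
        if (result != RESULT_OK || data == null) return; // cancelled: nothing was shared
        if (req == REQ_FILE && data.getData() != null) {
            try (InputStream in = getContentResolver().openInputStream(data.getData())) {
                Log.i("share", "bytes readable from picked file: " + (in == null ? 0 : in.available()));
            } catch (IOException e) {
                Log.w("share", "picked file unreadable", e);
            }
        } else if (req == REQ_PHOTO && data.getExtras() != null) {
            Bitmap thumb = (Bitmap) data.getExtras().get("data"); // small preview only
            if (thumb != null) Log.i("share", "thumbnail " + thumb.getWidth() + "x" + thumb.getHeight());
        } else if (req == REQ_CONTACT && data.getData() != null) {
            String[] cols = {ContactsContract.Contacts.DISPLAY_NAME};
            try (Cursor c = getContentResolver().query(data.getData(), cols, null, null, null)) {
                if (c != null && c.moveToFirst()) Log.i("share", "picked contact: " + c.getString(0));
            }
        }
    }
}
```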