Facebook recently shared a progress report on the app audit measures announced by Mark Zuckerberg, revealing that the company has suspended 200 apps which were suspected of collecting data for malicious purposes. But according to a Facebook app developer, these measures are ineffective at preventing another Cambridge Analytica-like data harvesting scandal, because Facebook's measures for verifying developers' identities and the data collection policies of their apps are inadequate.
Speaking to Business Insider, the developer revealed that aside from the ‘This is your digital life’ app which was at the center of the Cambridge Analytica scandal, there have been thousands of other apps which have accessed the data of users as well as their friends. But now that Facebook is auditing all apps which have access to user data, it is not known whether the company will also investigate the other apps which had the same privilege in the past.
The developer pointed out that Facebook allowed apps to collect data of users’ friends between 2007 and 2014, but it is not known whether the company investigated what kind of data, and how much of it, was collected in that span. The bigger question is whether that data is still stored on some third-party server.
“It’s possible developers set up shadow profiles on Facebook to be the administrators of their apps. More recently, Facebook is stricter about requiring identity documents, but that’s not always been the case. If it’s just a fictional person, who will Facebook pursue?” the developer said.
He also asked whom Facebook will investigate if an app’s ownership has been transferred to another company or person. A prime example is Slide, a company which developed social apps for Facebook. Slide shut down operations a year after it was acquired by Facebook. If Facebook now decides to investigate what user data was collected by Slide’s apps back then, it will be in serious trouble: it can investigate either Slide’s founder, who sold his company to Google, or Google itself, which shut down all the apps created by Slide.
Another weak point is that Facebook does not properly review developer policies. The anonymous developer agreed with the revelations of Aleksandr Kogan, who claimed that ‘you can change the name, you can change the description, you can change the terms of service, and you just save changes. There is no obvious review process’.
It must be noted that Kogan was questioned by the court in 2018, which means that until the end of 2017, Facebook was not even aware of, or chose to ignore, the lax security measures when it comes to analyzing the privacy policies submitted by developers. Even after Facebook started asking developers for the URL of their privacy policy, the company only checked whether the URL was valid, and did not review the actual terms.
In such cases, the developer is not the only party to blame for putting unacceptable or borderline illegal terms in their privacy policies, as Facebook should bear equal responsibility for not reviewing them properly. And even though Facebook has now become more vigilant, its past mistakes still pose a risk of another Cambridge Analytica.