How Zuckerberg will prevent future Cambridge Analytica scandals at Facebook: Rein in third-party apps

Facebook and CEO Mark Zuckerberg discussed the data privacy scandals involving Cambridge Analytica, outlining nine ways the company will restrict third-party developers' access to your information. Only one will have any immediate impact.

Mark Hachman Apr 05th 2018

In light of revelations that data from 87 million Facebook users was improperly harvested for use in targeting American voters, Facebook could have simply pledged to turn off the spigot to third-party developers. Instead, the company is fixing the plumbing. The company outlined nine initiatives to change how Facebook manages data given to third-party apps.

There's one potential change users will actually see: Beginning April 9, Facebook will show a link at the top of the News Feed where users will be able to see what apps are using what data—and turn them off if they want. 

"As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica," Facebook added. 

What actions you should take: If you've resigned yourself to using Facebook, at least it'll be easier for you to reach granular controls over which apps are using your data. Check out our guides to how to download your Facebook data. And if you're really fed up, here's how to delete, disable, or limit your Facebook account. Remember, it isn't enough just to stop using the app if your data is already being used.

Zuckerberg performs spin control

Two major storm clouds currently hover over Facebook: first, the rise of fake news; and second, information that was collected by Facebook and provided to third parties. 

Facebook chief executive Mark Zuckerberg took questions from reporters Wednesday afternoon on both topics. Zuckerberg, who rejected several suggestions that he might step down, has also said that he'll testify on the issue of user privacy in front of Congress. 

"At the end of the day, this is my responsibility," Zuckerberg said. "There have been a number of questions about that. I started this place. I run it. I'm responsible for what happens here."

Zuckerberg identified three sources of "fake news" that have helped influence elections and will continue to do so in the future unless Facebook makes changes: "economic actors," who make up fake news for clicks and advertising money; large state accounts like the Russian-funded Internet Research Agency, which Facebook attacked by removing accounts; and "legitimate" media, who simply cherry-pick arguments to support a position. Zuckerberg said that Facebook is working against ad networks that fund fake news, and also trying to promote sources of trusted journalism instead.

"I think at this point I clearly made a mistake of dismissing fake news as crazy," Zuckerberg said.

But American users were supplied fake news precisely because those third parties, as well as Facebook, understood so much about their users. Many of the changes outlined Wednesday were an attempt to limit the collection and use of such information, even though Zuckerberg reiterated several times that Facebook never "sold" personal information to third parties. However, Facebook didn't put in place sufficient safeguards to prevent such information from being collected. Zuckerberg said that Facebook had concentrated on protecting itself from traditional attacks, such as phishing.

One attack, Zuckerberg said, involved using recovery tools to track down other users. Although Facebook put rate limits on such a procedure, limiting the number of times this technique could be used, attackers hopped from IP address to IP address to automate the procedure. 

"I would assume that if you had that setting turned on [making your public information searchable] that someone at some point has accessed your public information in this way," Zuckerberg said. He also said that users understandably can't help feeling like there's been a "massive breach of trust".
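The rate-limit bypass described above can be shown with a short replay. This is an added example, not part of the original article and not Facebook's code. It compares a limit keyed only on the source address with one that also counts lookups per enclosing network. The window, both thresholds, the /24 and /48 grouping and the sample traffic are all assumptions, since the article does not say how Facebook's limit was keyed or how the attackers' addresses were distributed.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 60          # seconds (assumed)
PER_IP_LIMIT = 5     # lookups per source address per window (assumed)
PER_NET_LIMIT = 20   # lookups per /24 (IPv4) or /48 (IPv6) per window (assumed)

def network_key(ip):
    """Collapse an address to its enclosing /24 (IPv4) or /48 (IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class SlidingLimiter:
    """Allow at most `limit` events per key in any `window`-second span."""
    def __init__(self, limit, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()              # drop hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def replay(events, aggregate):
    """Count lookups that pass. events: (timestamp, source_ip) pairs."""
    per_ip = SlidingLimiter(PER_IP_LIMIT)
    per_net = SlidingLimiter(PER_NET_LIMIT)
    allowed = 0
    for ts, ip in events:
        if not per_ip.allow(ip, ts):
            continue
        if aggregate and not per_net.allow(network_key(ip), ts):
            continue
        allowed += 1
    return allowed

# Constructed traffic: 40 addresses in one documentation-range /24, 5 lookups
# each inside a minute, so no single address exceeds PER_IP_LIMIT.
ROTATING = [(i * 0.25, f"203.0.113.{i % 40 + 1}") for i in range(200)]
# Constructed ordinary user: 3 lookups from one address.
NORMAL = [(t, "198.51.100.7") for t in (0, 10, 20)]
```

Per-network counting only helps when the rotated addresses cluster in a few networks; addresses spread widely would need other aggregate signals, which the article does not describe.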

Zuckerberg noted that for all of the outrage regarding privacy, there has been "no meaningful impact that we've observed." But then he rather hastily added, "But look, it's not good."

Facebook's list of proposed changes

The changes, outlined in a Facebook blog post, address the use of APIs by third-party developers. Here's a short list:

1. Facebook will restrict apps using its Events API from accessing the guest list of others attending events. Only apps that Facebook approves, with "strict requirements," will be able to use the Events API.

2. All third-party apps using the Groups API will now need approval from Facebook and an admin to ensure they benefit the group. Apps will no longer be able to access the member list of a group. Facebook will also remove personal information, such as names and profile photos, attached to posts or comments that approved apps can access.

3. Apps that could read comments on posts using the Pages API will need to be approved by Facebook.

4. Facebook will need to approve all apps that request access to information such as check-ins, likes, photos, posts, videos, events and groups, and there will be "strict requirements" to access this data. Apps will no longer be able to ask for personal information such as religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity, and games activity.

5. The Instagram API will be deprecated, effective today. (Facebook owns Instagram.)

6. People have been able to enter another person's phone number or email address to help find them. But because this can be maliciously used, Facebook has removed this capability, it said.

7. Facebook will delete call and text histories for people using Messenger or Facebook Lite on Android. It won't store the time of calls.

8. Facebook will shut down Partner Categories, which enabled third-party data providers to offer their targeting directly on Facebook.

9. Finally, Facebook will show the apps that have connected to Facebook, and what data they've shared. 

Facebook elaborated on how it will give users more control over apps. "Starting on Monday, April 9, we’ll show people a link at the top of their News Feed so they can see what apps they use—and the information they have shared with those apps," Facebook wrote. "People will also be able to remove apps that they no longer want. As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica."

"Overall, we believe these changes will better protect people’s information while still enabling developers to create useful experiences," Mike Schroepfer, Facebook's chief technology officer, concluded. 

This story was updated at 2:41 PM with comments from Mark Zuckerberg.