Facebook has been the subject of a privacy controversy for weeks now, and they are responding by making several drastic changes to their platform in order to improve data privacy. These changes come after announcing that as many as 87 million users may have had their information improperly shared with Cambridge Analytica. The New York Times initially reported that about 50 million people had been affected.
As part of their precautionary actions, the scheduled deprecation of some of Instagram’s APIs has been moved up, and Facebook is restricting developers’ access to data or requiring approval for a number of Facebook APIs. Moreover, they are abandoning search by email and phone number, as well as changing their Account Recovery, in order to protect users from having their data scraped by “malicious actors”.
Here are some of the most critical changes they have announced today:
According to Instagram, they have accelerated the deprecation of the Instagram API platform, which was previously scheduled to take place on July 31, 2018 or December 11, 2018. The following changes are effective immediately:
- The APIs for follower lists, commenting on public content, and relationships will be deprecated.
- Rate limit reductions will be imposed on public content reading APIs and basic profile info APIs.
As indicated by Facebook, the following are some of the most important changes they will be making to Facebook APIs:
Events API: Effective immediately, apps using the Events API will no longer be able to access guest lists or posts on the event wall. The Events API will also require approval for its use. Only apps that have been approved by Facebook and have agreed to strict requirements will be allowed to use the Events API.
Groups API: As of today, all third-party apps using the Groups API will require approval from Facebook and a Group admin. Additionally, apps will no longer be able to pull member lists from groups, and Facebook will be removing all personal information such as photos and names from posts and comments. This means only reputable developers will have access to group management apps, and non-admin members of a closed group will be restricted from giving developers access.
The changes in the Groups API will especially come as a real “downer” to a lot of affiliates – likely more so than the other changes. For a while now a lot of affiliates were “abusing” Facebook’s API to extract the personal information of selected group members, and then either marketing to them directly via email or phone, or using the data to build lookalike audiences.
Why was this useful?
Facebook doesn’t allow you to target a specific group’s members with their advertising platform. For example, if you wanted to target people interested in Cryptocurrency, unfortunately you weren’t able to use “The Crypto Watch” group’s members as a targeting option.
However, people were abusing the API as a way around this. You could use the Groups API to pull the Facebook Profile IDs of a particular group’s members. You could then feed each of these IDs into a different Facebook API endpoint, and retrieve the name, email, and phone number for a certain percentage of the group’s members (it didn’t work for everybody, depending on their privacy settings). You were then free to upload this data again as a custom audience and build a lookalike from it.
They did this using automated tools, such as https://fbaudienceblaster.com/, which can extract “unlimited real email and phone numbers” from Facebook.
Technically this was already breaking Facebook’s TOS, but as we all know – pushing the boundaries does not often faze affiliates.
Pages API: The Pages API will only be available to developers that are approved by Facebook. They want to ensure that Page information is only accessible to developers who provide services that Facebook deems “useful”. In turn, this will likely impact Page management apps that moderate posts and schedule comments.
Facebook Login: Going forward, Facebook will have a much stricter review process. They will need to approve all apps that request access to information such as check-ins, photos, likes, and posts. Apps will no longer be able to ask for access to personal information, like religious views, relationship status, education and work history. Furthermore, in the next week developers will not be able to request data that users have shared if those users have not used the app within the last three months.
Search and Account Recovery: Search by phone number or email has been disabled because, in Facebook’s words, “malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery.”
Similarly, Facebook will be making changes to Account Recovery in order to prevent data scraping. It will no longer show the identity of a user immediately after an individual enters their phone number or email to recover their account.
According to Facebook, “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”
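The Account Recovery change described above, sketched as an added example (this is not Facebook’s code; the account directory, function names, and the per-client budget are all hypothetical). It contrasts a recovery handler that confirms who owns an identifier with one that returns the same reply in every case and limits how many identifiers one client can test; it covers response content and request rate only, not timing differences.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: identifier -> display name (not real data).
ACCOUNTS = {"alice@example.com": "Alice A.", "+15550100": "Bob B."}

GENERIC = "If an account matches, recovery instructions have been sent."
MAX_LOOKUPS, WINDOW_SECONDS = 5, 3600   # assumed per-client budget
recent = defaultdict(deque)             # client id -> lookup timestamps
OUTBOX = []                             # stands in for the owner's email/SMS channel


def recover_leaky(identifier):
    """Before: the response itself confirms who owns the identifier."""
    name = ACCOUNTS.get(identifier)
    return f"Is this you, {name}?" if name else "No account found."


def allow(client_id, now):
    """Sliding-window limit so one client cannot test a long list."""
    q = recent[client_id]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_LOOKUPS:
        return False
    q.append(now)
    return True


def recover_hardened(identifier, client_id, now=None):
    """After: identical reply for hit, miss and throttled requests.

    Anything identifying is sent only to the account owner's own
    channel, never back to whoever submitted the identifier.
    """
    now = time.time() if now is None else now
    if allow(client_id, now) and identifier in ACCOUNTS:
        OUTBOX.append(identifier)       # delivered to the owner, not the caller
    return GENERIC


if __name__ == "__main__":
    for ident in ("alice@example.com", "nobody@example.com"):
        print(recover_leaky(ident), "|", recover_hardened(ident, "client-1"))
```
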
App Controls: Finally, Facebook announced that they would be showing a link at the top of users’ news feeds as of April 9th. Through this link, users will be able to see which apps they are currently using, and what information they have shared with them.
They also stated that they would notify individuals whether their personal data might have been shared with Cambridge Analytica.