Brent Allpress @BrentAllpress
, 29 tweets, 15 min read
FB says “malicious actors” used FB search to scrape data using “ph numbers or email they already have” with “scale & sophistication.” Nikulin allegedly hacked LinkedIn, Formspring & DropBox in ‘12, hosted on LeakedSource. These contacts were potentially matched with FB user data.
Nikulin’s alleged hacks were hosted on LeakedSource, “a database of 3 billion personal identity records & passwords.” It’s likely these hacked contacts were matched with FB profiles through automated FB searches to scrape user data. LeakedSource shifted to .ru after being raided.
In 2011 Schrems complained to the DPC over FB apps accessing friend data. DPC made recommendations in 2012 to stop this, finally adopted by FB in 2014 with a further 1 year delay for existing users. Kogan/CA got the data of 87 million FB users in 2013. techcrunch.com/2018/03/24/fac…
Schrems “FB illegally distributed data of users to dodgy apps without consent. In 2011 we sent a legal complaint to DPC. Now after outrage surrounding CA (FB) feels betrayed. FB knew about this for years and previously argues these practices are legal.” noyb.eu/wp-content/upl…
Zuckerberg’s statement on CA is misleading as it doesn’t disclose that the changes to friend data access on apps that FB implemented in 2014/15 were in response to DPC recommendations in 2012 after a complaint in 2011. CA/Kogan got the data of 87 million FB users in 2013.
In 2013 Bennett Haselton also warned FB that the ph number search tool could be abused to harvest names & profiles for virtually all its users. This was in addition to similar warnings from researchers Prakash & Borland 2012, Copley 2013 & Moaiandin 2015. thedailybeast.com/facebook-knew-…
Bennett Haselton, “Facebook Lets You Harvest Account Phone Numbers,” Slashdot, Jan 18 2013. yro.slashdot.org/story/13/01/17…
FB API v1.0 access to friend data was restricted in 2014-15 after Schrems’ DPC complaint in 2011. Kogan/CA accessed 87 million FB users’ data in the interim, including DMs: “v1.0 apps could request users’ private messages (FB DM inbox) via read_mailbox.”
medium.com/tow-center/the…
FB API v1.0 Apps friend data included: DMs, about me, actions, activities, b-day, education, events, games, groups, hometown, interests, likes, location, notes, online status, tags, photos, questions, relationships, religion/politics, status, subscriptions, website, work history.
Paper compares Friend data access of FB API v1.0 (2010-15) Apps like Kogan/CA’s & v2.0 Apps. Both raise privacy concerns. “Collateral damage of Facebook Apps: an enhanced privacy scoring model,” Iraklis Symeonidis, Pagona Tsormpatzoudi, Bart Preneel. 2017. eprint.iacr.org/2015/456.pdf
In 2011 Schrems complained to DPC over API App access to Friend data. DPC made recommendations in 2012. FB finally restricted the API in 2014, deferred till 2015 for existing clients like CA.

“Here's the kind of information apps could access in 2014.”
businessinsider.com/what-data-did-…
FB API Friend data access by Apps like CA’s was described in the “Allow” request to the App user as “basic information.” This included private messages.

“FB/CA: Privacy lessons & a way forward.” Nathaniel Fruchter, Michael Specter, Ben Yuan. MIT, 2018. internetpolicy.mit.edu/blog-2018-fb-c…
Sandy Parakilas’ warnings over FB App Friend data access included a presentation to senior executives in mid-2012 “that included a map of vulnerabilities for user data. Bad actors included foreign state actors & data brokers.” FB ignored the concerns. theguardian.com/news/2018/mar/…
“What I saw from the inside was a company that prioritized data collection from its users over protecting them from abuse.”
“We Can’t Trust Facebook to Regulate Itself.” Sandy Parakilas (FB Operations Manager 2011-12). NYTimes. Nov 19, 2017. nytimes.com/2017/11/19/opi…
A complaint about API App Friend data access in 2011 led to DPC recommendations in 2012. FB restricted this in 2014 but selectively extended existing App access to Friend data till 2015.
Parakilas (FB):
“Kogan’s app was one of the very last to have access to friend permissions.”
FB was warned about API App Friend data access by Schrems 2011, DPC 2012 & Parakilas 2012. FB didn’t act till 2015 after CA scraped 87 mill users.

FB was warned about email/ph search tool by Prakash & Borland 2012, Copley & Haselton 2013 & Moaiandin 2015. All users were scraped.
Thread/blog giving examples of how much of your personal information Facebook and Google currently store about you incl FB messages, files, likes, logins, apps, media...
This was just misleading:

Zuckerberg: “in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers].”

finance.yahoo.com/news/zuckerber…
“someone you’ve corresponded with by email or ph has let FB’s spiders crawl through their correspondence, allowing your contact data to be assimilated without knowledge or consent. FB says it uses the data to power its friend recommendation feature.” 2013. techcrunch.com/2013/06/24/cre…
“The breach exposed info FB harvested on 6 mill users... even if you’re not on FB, your data likely is because (FB) is building a shadow profile of you by data-mining other people... a zombie you sewn together from scattered bits of your personal data.” Techcrunch, 24.6.13.
FB admits CA scraped private DMs: “people who logged into This Is Your Digital Life shared news feed, timeline, posts & messages which may have included posts & messages from you.” The read_mailbox permission used by Kogan/CA App didn't end till Oct 2015.

wired.com/story/cambridg…
In 2010 Palantir formed Themis with HBGary Federal & Berico after being solicited by Lawyers H&W to gather intelligence on progressive opponents of the US Chamber of Commerce. Themis proposed using personal data scraped from FB by an HBGary app & loaded into Palantir’s platform.
“Berico, Palantir, & HBGary conspired to store info scraped from social media sites on Palantir’s servers” to profile critics of the US Chamber of Commerce.

“ChamberLeaks: Pro-Chamber Conspiracy Illicitly Scraped Facebook” ThinkProgress, Feb 14, 2011
thinkprogress.org/chamberleaks-p…
In 2010 Palantir formed Themis with HBGary Federal & Berico for a contract to get intel on critics of US Chamber of Commerce. Personal data scraped from FB by an app was loaded into Palantir’s platform.

“ChamberLeaks Timeline”
ThinkProgress, Feb 16, 2011
thinkprogress.org/chamberleaks-t…
Palantir’s Themis partnership with HBGary Fed in 2010 used an app to scrape FB data on Chamber of Commerce critics. This foreshadows Palantir’s employee working with scientists building CA’s profiling technology who suggested they create their own FB app. nytimes.com/2018/03/27/us/…
Zuckerberg’s unanswered questions: lack of consent for data sharing by friends, in breach of the 2011 Federal Trade Commission settlement on consent; invasive ad targeting; shadow profiles; tracking logged out users; & Palantir’s data scraping & profiling.
LeakedSource hosted 167 mill LinkedIn pws & emails allegedly hacked by Nikulin in 2012. Zuckerberg’s Twitter was hacked twice in 2016 using his LinkedIn pw & then his gmail pw. The email hack raises blackmail risks. The reference to Zuckerberg on the LeakedSource site is telling.
Does Russia have Kompromat on Zuckerberg through Nikulin’s LinkedIn hack hosted on LeakedSource? The site refers to him: “we triple checked, Mark Zuckerberg isn't in this data set. It's not just companies that can be hacked, users need to be careful too.” leakedsource.ru/blog/twitter