15 April Webinar: Horangi Director of Cloud Security Engineering presents Tackling The Biggest Blind Spots In Cloud Security

This is why Singaporeans data get breached everyday on Facebook

As the mainstream press unfolds the Cambridge Analytica scandal, I wanted to step back a bit, give some perspectives and some viewpoints on API (Application Programming Interface) authentication and how important it is to implement best practices in access rights and authorization, especially in a nation that enforces strict rules of data transfer outside of Singapore as per the 2012 PDPA (Personal Data Protection Act) Section 26.

As the mainstream press unfolds the Cambridge Analytica scandal, I wanted to step back a bit, give some perspectives and some viewpoints on API (Application Programming Interface) authentication and how important it is to implement best practices in access rights and authorization, especially in a nation that enforces strict rules of data transfer outside of Singapore as per the 2012 PDPA (Personal Data Protection Act) Section 26.

So let’s clarify upfront that regarding its Policy, the extent of facebook’s responsibility hasn't been proven yet and is actually unclear.… but it seems that the misuse of the data shared by facebook via its API is commonplace.

Companies that consume this data are mostly unregulated and facebook has no effective method to detect or control proper use of its data.. Now has Facebook itself done anything unlawful… nobody really knows.. yet. Did they enforce access policies with concern for protecting their users…  not really, they can’t!

This is not the first PR crisis highlighting facebook and its moral principles. However, as users, we keep coming back to use Facebook's Apps despite aggressive on-boarding tactics as per the 2014 messenger backlash when it was forcing full access permissions on Android. 

As Facebook kept growing the ecosystem, the social network maintained as a place of innovation with third party Apps adding new features and new capabilities in the social media space. This ultimately established its supremacy in customer segmentation and targeted marketing fields.

We are so obsessed with connectivity, productivity, and smarter features capable of anticipating our every need that we tend to forget about privacy and cyber security until something major happens; in this case, an alleged breach of trust and potentially of users data. This crisis is just the tip of the iceberg, and we have to understand that cyber security and privacy does not go along well with our current social media sharing behavior and our demand for one-click social login functionalities. So let’s review the basics of API authentication and App permissions: 

1. How Facebook API works

  • When you think about Facebook, it’s where you have most of your relationships; a network with all your interactions on every bit of public news and personal events you attend. Facebook has organised Likes, Comments, Events, Pages and all other type of status posts in a very structured manner so that it can profile preference data to be easily marketable. After all, that’s their business model: “if you’re not paying for it, you’re the product being sold”.
  • After reaching a critical mass, Facebook opened up access to this information to App creators so that they could increase the community and of course, most digital companies & startup apps rely on Facebook's API to connect with their users on a daily basis.
  • When looking at the Facebook developer policy most of it is based on trust; trusting that the app players leveraging Facebook data will play fair. And there are many considerations as the developer API onboarding process requires the creator of those applications to justify reasonable access to personal info to the extent that it adds value in terms of features and functionality, but ultimately, there are so many apps out there that it would be impossible for Facebook to actually control due diligence.
  • Ultimately it’s your responsibility to review apps that you have authorised, and just like doing a yearly spring-cleaning, it’s a healthy process to review your app authorisations and you’ve come to the right place for the crash course.

2. How To clean up your authorisation

  • The first step is to review your app permissions, you can find them here and for Google Accounts here
  • For Facebook there are 2 ways to review permissions, one were you can “remove” and another where you can “edit” permission. But let's not get ahead of ourselves in both case you will notice that facebook warns you that these Apps “may still have data you shared with them. For details about removing this data, please contact [App Name] or visit the [App Name] Privacy Policy”. I will let you be the judge of that...
  • When I did this, I found apps that I have authorized years ago and that potentially started tracking my lifestyle and network informations.
  • Here's how to see everything Facebook knows about you and how to download your own archive of that information. It might be useful, especially if you're planning to quit and take some of those memories with you.
  • Getting a picture of what Facebook gathered about yourself in few steps on"Accessing Your Facebook Data" and here’s a preview we gathered at Horangi of the type of data stored by the social network:
  • It's kind of surprising how much data there is (Special mention to , but it includes everything from check-ins to chat conversations, credit card numbers you've saved, phone numbers, photos and more.

3. Security is not User Experience

  • In the end everyone does it, it’s not just Facebook, Google manage much more data dimensions that combined together could help third party create Psychographic profiles just like Cambridge Analytica did, and last year a study by Virginia Tech researchers found out that 100,000 Android apps can collude with each other to obtain information without permission. I am personally astonished by how much is accepted and until it becomes mainstream news and Horangi's researcher built up this knowledge base by exploring Hacker's research blog and specialized forums.
  • Now if you think you are protected in Singapore you’ll be surprised to know that there are many local Apps that are farming Bots, Scrapper and Cookie aggregator and I wonder how much the PDPA is actually enforced? If you are an SME or Start-up in Asia I’m sure you have come up with MQL companies and although there are plenty that apply very rigorous identity management policies, there is still a good number that use social engineering techniques and bots are used to illegally gather data from Linkedin, and at Horangi we recognize these same techniques as they are used by hackers in automating cyber attacks.
  • But I have to admit that I'm impressed with Linkedin, which is one of the tech company that has taken their engagement regarding privacy very seriously and recently updated their Privacy Policy even before the Cambridge Analytica scandal by restricting access to their API with a strict validation process and they will not hesitate in permanently suspend user profiles when they breach Terms and Services by using forbidden Software & extensions.
  • Privacy is a concern that have decreased over the years and with the digital explosion exponentially connecting people and the forthcoming of machine connectivity with IoT, the API landscape and all the network of authorization is about to grow bigger and bigger.
  • In Asia privacy tends to come second in preoccupation, but it’s time for us to review our own acceptation level in private information disclosure, for example the Singapore Government will soon be sharing our contact information and possibly our IRAS revenue data…so how can we ensure it’s protected?

4. What About Singapore?

In the end, Cambridge Analytica and its partners may have been in violation of Facebook’s terms of service but as we will learn more about the modus operandi a question will emerge: will business data capture resume or will we see a massive reshuffle in the Open API Economy.

The vast Open API & Marketing landscape has created so many ways to track data points and correlate people digital fingerprints that we can be sure that breaches will happen again, it's a ticking bomb and Eric Schmidt, CEO of Google strongly believe that in the future every young person will be allowed to change their name.

Where will it come from is the big unknown but we may have a few clues… 

Have you ever experienced Apps that requested unreasonable permissions or access to personal information? Please share your experience... we would be more than happy to review your App privacy & security policies...


Idir Hillali
Idir Hillali

Marketing guy @Horangi Cyber Security. Entrepreneur for Postal.sg API Digital Strategy & Omni-channel vision empowering startups

Subscribe to the Horangi Newsletter.

Hear from our Horangi tech experts as we go deep into up-and-coming cyber threats, new solutions, and talk about the future of cybersecurity.