Facebook: Look at our latest bug bounty that proves we're serious!

As Cambridge Analytica launches new site 'CambridgeFacts'

Continuing its charm offensive, Facebook has published the details of its data abuse bounty, ahead of Mark Zuckerberg’s appearances in front of US lawmakers.

The programme - which offers a minimum of $500 (and no maximum) for cases that prove to be true - will reward people who can prove an app has slurped up users’ data for nefarious means.

The move comes as the biz is under fire for playing fast and loose with users’ data, as it dawns on people just how much information they have handed over to the Zuckerborg and the apps using its platform.

Meanwhile, Zuckerberg himself is making up for an extended period of silence by issuing so many apologies it’s hard to keep up - with more expected when he gives evidence to US lawmakers later today and tomorrow.

The data abuse bounty, which was trailed at the end of last month, is the latest addition to Facebook’s PR toolkit as it tries to prove Zuck’s words aren’t just empty promises.

It will work alongside the existing bug bounty programme, but with the aim of protecting against abuse of data, regardless of whether the collection and abuse has happened because of a security vulnerability.

To report an issue, people must provide “first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence”.

However, it only applies to Facebook - other platforms, like Instagram, aren’t included.

If data abuse is confirmed, Facebook said it would shut down the app, “take legal action against the company selling or buying the data, if necessary”, and initiate a forensic audit of related systems - as well as telling affected users.

As with Facebook’s bug bounty programme, the payout will be based on the impact of the report - the biz noted that the highest impact bug reports have pulled in $40,000.

In order to qualify, Facebook said the situation must be one the biz wasn’t aware of, involve more than 10,000 users and have evidence of abuse - not just collection - of data.

They also have to comply with its responsible disclosure policy, including that the bounty-hunter gives Facebook time to investigate before making any information about the report public.

As well as non-Facebook data, other situations that are explicitly out of scope are: scraping, malware and scenarios where social engineering is a major component. However, Facebook added that it hopes “to expand the scope of this program soon”.

The biz also emphasised that people couldn’t make a quick buck by illegally obtaining Facebook data, whipping the all-caps out to really hammer home the point:

“Any data that you obtained illegally or without proper authorization. DO NOT SHARE SUCH DATA WITH US - you will not be rewarded for doing so.”

Life is so unfair, stamps Cambridge Analytica

Meanwhile, the other company at the heart of the scandal - Cambridge Analytica - has taken a rather more petulant approach to the furore and bad press it's been getting.

“It has become open season for critics to say whatever they like about us based on speculation and hearsay,” said acting CEO Alexander Tayler (who took over from Alexander Nix after the former boss was caught on camera discussing honey traps and more with what turned out to be undercover Channel 4 presenters).

“It would be impossible to address the hundreds of articles and broadcast segments that have misrepresented Cambridge Analytica or replicated false statements made by those focused on creating a political scandal,” he said.

Facebook can’t count, says Cambridge Analytica

And so it has decided to cherry-pick just a few of the statements to refute - and has created a separate website, CambridgeFacts.com consisting of just one page, on which to do it.

Topping the list are claims the biz had “hacked Facebook” - when actually it gained the information in “good faith”, through a licence from a company (GSR) under a contract that stated the information must be obtained legally.

And anyway, Cambridge Analytica added, that data (which they were willing to pay up to $1.5m for, according to contracts published last month) was “disappointing”, so the company used its own research to train its models.

The biz went on to say that it had deleted the raw data from its file server as soon as Facebook asked it to - and that it certainly wasn't used for the 2016 presidential election.

Rather, it said, that information came from voter files, polling data, data from the campaign and from commercial data brokers. This data was used to identify “persuadable” voters, it said, along with a polling tracker and dashboards for the campaign.

"In truth, we used the same kind of political preference models used by the Obama and Clinton campaigns; however, we started five months out from election day and did it with far fewer resources and less data," the biz said.

Finishing up the list are the statements that Cambridge Analytica is politically neutral and that Chris Wylie (the pink-haired former CA researcher) “is not a whistleblower”. The firm would prefer it if everyone saw him as a one-time contractor whose account is “based on pure conjecture and guesswork, while his own motivations in this saga have remained unexplored”. ®

Biting the hand that feeds IT © 1998–2022