My Thoughts on Facebook and Cambridge Analytica

It has been almost a month since the massive Cambridge Analytica x Facebook improper-user-data-exfiltration mess (don’t call it a data breach) came to light. The news is settling down despite the real numbers coming out of Facebook and a possible 600,000 Canadians affected.

I’ve been mulling over how I feel about it and I’ve finally come to a conclusion.

As much as I’d like to see this as a catalyst for people to start finding (and building) alternatives to Facebook’s walled garden of exploitation, I don’t think they did anything wrong.

The basic narrative of the Cambridge Analytica story seems to be that Facebook tricked average Americans into opting to share all their Facebook data with some benign-looking app (like a quiz), which in turn gave the app maker further access to the victim’s friends’ data, without the victim’s friends’ permission. In other words, if your friends fell for this ploy, Facebook’s API gave the app maker access to your data without your permission.

I don’t believe there is any truth to this assumption. Facebook’s API never granted access to this level of data about friends (let alone friends-of-friends). They are not that stupid.

I was involved in building Facebook app integration during the time that Cambridge Analytica gathered their data; I read Facebook’s Open Graph API documentation numerous times. Unfortunately that version of the API no longer seems to be available online, but I was able to find some old how-to videos referencing it.

As far as I can piece together, the only data about your friends that Facebook ever provided via the API was their full name and user id. Any data about your likes, political affiliation, family connections, marital status, or anything else that could be used for “psychographic” modelling was never available via your friends.


These personal details were available to anyone and everyone via your public profile! Assuming that you hadn’t opted out of sharing this info (and I really doubt most users were giving their privacy details much thought before they learned the name Cambridge Analytica).

In order for Cambridge Analytica and others to mine this data they would have had to write bots to scrape data directly from your public facing profile. In the past, it was very easy to gain access to these profiles in a programmatic way. Anybody could simply load with your ID to see your public profile. Even a non-programmer can see how easy it would be to generate a list of targets for a bot to crawl.

At some point, Facebook started closing this “profile.php” access point as they rolled out usernames (I’m ohryanca). Once that was locked down, it became more complicated to scrape content and the bad actors became more clever.

I’m pretty sure I’m right

In a blog post yesterday Facebook announced an enormous array of restrictions to their APIs (which are undoubtedly pissing off a lot of sketchy developers). Regarding account recovery, they mentioned the following:

…malicious actors have also abused [account recovery] features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.
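Both scraping routes described above (walking profile IDs, and feeding a list of phone numbers or email addresses into search and account recovery) leave the same trace in access logs: one client looking up many different targets in a short time. The following is an added example, not part of the original post and not Facebook code, that flags that pattern; the log layout, the `id` and `lookup` parameter names, the `/recover` path and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<ISO time> <client> <METHOD> <path?query>".
# "/profile.php?id=" and "/recover?lookup=" are hypothetical request shapes.
LINE = re.compile(r"^(\S+) (\S+) \S+ /(profile\.php\?id|recover\?lookup)=(\S+)$")

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=5):
    """Return {client: endpoint} for clients that looked up more than
    max_distinct different targets on one endpoint within one window."""
    recent = defaultdict(deque)  # (client, endpoint) -> (time, target) pairs
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a profile or recovery lookup
        ts, client, endpoint, target = m.groups()
        when = datetime.fromisoformat(ts)
        q = recent[(client, endpoint)]
        q.append((when, target))
        while when - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        # Reloading the same profile is normal; many *different* targets is not.
        if len({t for _, t in q}) > max_distinct:
            flagged.setdefault(client, endpoint.split("?")[0])
    return flagged

def sample_log():
    """Constructed traffic for the example, not real data."""
    t0 = datetime(2018, 4, 5, 12, 0, 0)
    def row(offset, client, method, path):
        return f"{(t0 + offset).isoformat()} {client} {method} {path}"
    rows = []
    for i in range(8):  # client walking consecutive profile IDs
        rows.append(row(timedelta(seconds=i), "203.0.113.7", "GET", f"/profile.php?id={1000 + i}"))
    for i in range(7):  # client feeding a list of addresses into recovery
        rows.append(row(timedelta(seconds=2 * i), "203.0.113.9", "POST", f"/recover?lookup=user{i}@example.com"))
    for i in range(8):  # ordinary user revisiting the same three profiles
        rows.append(row(timedelta(seconds=5 * i), "198.51.100.20", "GET", f"/profile.php?id={42 + i % 3}"))
    for i in range(8):  # slow browsing: many profiles, one per hour
        rows.append(row(timedelta(hours=i), "198.51.100.30", "GET", f"/profile.php?id={500 + i}"))
    return sorted(rows)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```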


As much as I hate to say it, I don’t think Facebook did anything wrong. Their APIs never fed this data to any and every app developer who wanted it. Cambridge Analytica and friends had to jump through additional hoops. They took actions that were outside of the normal/approved methods Facebook expected and allowed app makers to access our data.

Facebook simply built a reasonable public profile feature meant to allow you to use Facebook as a home on the web. A URL to share outside the platform.

They built a reasonable account recovery feature, that allowed users to recover their logins in standard non-controversial ways.

There is no evidence that Facebook’s APIs allowed access to the type of data Cambridge Analytica took advantage of. They were just outplayed by an opponent who thought of clever ways to get what it needed.


In case the mainstream media has lulled you into a false sense of whatever: the Democrats have this data too (and then some).

Here is footage of Carol Davidsen (VP of political technology at Rentrak) at a conference in 2015 gleefully explaining how the Obama campaign mapped THE ENTIRE SOCIAL GRAPH OF THE UNITED STATES who were on Facebook at the time of the 2012 election. The techniques she describes are strikingly similar to what Cambridge Analytica is accused of.

Nobody blogs anymore and this is a bad thing

To confirm my suspicion about lack of blogging, I took some time to compile some stats on the roughly 450 normal non-celebrity human beings who I follow on Twitter. I counted all the people I follow who list a blog in their bio or within 1-click of the link in their bio (to account for “about me” landing pages).

I found that only 93% had a functioning blog attached to their account. Of those 93, only 42 had published one or more blog posts in 2018. 55% of the real humans I follow have abandoned blogging. A small handful of the blogs I looked at had not even been updated in the past 5 years (why you would even bother linking this to your bio is beyond me).

Here’s the really interesting thing though…
I had never read a post by nearly any of those 42 active bloggers I identified. I simply wasn’t aware they existed.

Blogging has always suffered from discoverability issues. Discoverability is hard without a centralized platform like Twitter, Tumblr, etc. But I think it’s a solvable problem.

We need blogging…

I’m sure many smarter people have shared their thoughts on the importance of blogging.

Very simply put, decentralized, self-published content, free of corporate or advertiser control, is kinda sorta the dream of the internet.

In 2018, it’s easier than ever.

Is shadow work ruining the job market?

A recent episode of the Every Little Thing podcast discusses the rise of self-checkout machines. It’s a fascinating tale, one that I would have never guessed started over 100 years ago with the opening of the Piggly Wiggly chain.

Self-checkout is a commonly used example of the impending threat of automation. I know I personally worry that robots in the form of advanced self-checkout machines are robbing my kids of the future first jobs they’ll be searching for in the next 5 or so years.

Well the episode ends with an interview with author Craig Lambert who has a totally unique take on the self-checkout process. He believes that the self-service economy is a system wherein we are performing unpaid work.

When we use a self-checkout, robots haven’t replaced a worker, we are replacing the workers ourselves. He’s completely correct! A self-checkout at the grocery store is effectively a complicated cash register, it doesn’t do much more than a regular cash register would do. As the self-checkers, we do all the work ourselves. We scan. We bag. We move the money.

It’s incredible, my mind has been blown!

I’ve embedded the episode here:

The full show is here.


Reconsidering Net Neutrality

When Net Neutrality concerns started to rise up 5 – 10 years ago, it seemed like an open and shut case. Obviously we want the net to remain neutral, but at what cost?

The Internet is humanity’s most powerful instrument of free speech and commerce; legislation that has power over the content of internet traffic has the potential to impact our speech and pretty much everything we do.

It is extremely important that we are extremely sure we want governments to have legislative power over content. Maybe we should get down from our soap boxes to really make sure we’re getting behind the right cause here and we’re not pushing for something we’re going to regret.

In the beginning…

The original hysteria surrounding net neutrality in the mid-to-late-00s was a reaction to throttling and network management practices ISPs were implementing at the time. Bittorrent and video streaming were gaining momentum, eating up larger and larger heaps of bandwidth, and ISPs weren’t having it. They enacted network policies to throttle certain types of packets, limiting our ability to access content.

Us nerds weren’t having it! We believed we should be able to access anything on the internet we damn well pleased. We cried chicken little.

If Comcast was throttling bittorrent, what was going to stop them from slowing down competing video content when they bought NBC? What would stop them from charging a new startup for the fastest access to their customers?

We demanded the government step in to regulate this impending problem! We demanded a neutral network! “All bits are equal!” we proclaimed.

For the sake of innovation and progress, the internet should be a level playing field for all. Reddit and the New York Times should get the same treatment over the network. Bittorrent and Bitcoin should both flow easily.

All of this is perfectly reasonable and I’m not about to argue against it. But I question whether net neutrality actually accomplishes the level playing field we desire.

Level Playing Field

The history of the internet has shown that reliable (fast, unencumbered) access to a popular service is not a key factor in its success. Every successful app or service has gone through a growth period when servers constantly grind to a halt and access becomes difficult. We put up with fail whales for years! Years before Twitter, I distinctly recall when Livejournal was facing such growth pressure that they charged a small fee for access to premium servers guaranteed to be faster and more reliable. Even tonight HQ Trivia Live continues to have major server lag while hundreds of thousands of people compete for prizes. Hell, the horrendously throttled bittorrent that we all complained about in 2010 is as popular as ever.

If history continues to repeat itself, then reliable, fast connections will continue to play only a minor role in the popularity of an internet service.

An unregulated network could lead to artificial and long term connectivity issues for young and/or competing services. But, corporations have a much simpler, old school tool at their disposal. A tool that is completely legal, completely out of scope of the net neutrality discussion. Marketing and cooperative agreements.

Here are just a few real world examples of business practices that are currently happening:

These are just a few examples from Canada, where we have some semblance of Net Neutrality. Promotions like this have a huge impact on which players win and lose in the marketplace.

Stop The Presses

Imagine it’s the 19th century and you run a number of printing presses. Imagine you have discovered a magical supply of parchment, ink, and a mechanism that magically runs the presses automatically, pumping copies of any newspaper, handbill or pamphlet you feed in. It’s neutral.

You have the capacity to produce more paper every month than could be read by the world’s population. Your presses are in high demand and you have contracts with your clients to provide them unlimited printing services.

Once your business has been running for a while, you start to inspect some of the documents your clients have been printing. You discover that some of them are advertising a service that competes with your brother-in-law, get rich schemes, pages full of one word “spam” (whatever that is) and other complete and utter garbage. You can’t print this stuff!

But you know that if you completely refuse to print your clients’ publications, they will be quite upset; they might even leave for that other supplier. Instead, you decide to print their copies slightly slower and hope they don’t notice the bundle is a little smaller the next time they pick up a shipment.

When your clients eventually catch on, they are furious! Freedom of the Press has been a thing for quite some time now and they believe their rights are being violated.

Imagine your country is governed by a reasonable king, who rightly agrees your clients’ freedom of the press is being violated. A new law is passed demanding that all presses print whatever papers they are handed, regardless of content, under penalty of death.

This is a good thing! Trolls and merchants alike rejoice in the streets!

A couple of years pass and the law has come up for review. In this time the King’s advisors have caught wind that these printing presses have been used to print all manner of nonsense that the King would find displeasing: someone has smuggled out his prized book collection and is making copies for anyone to read! A clever foreigner has devised a scheme whereby the presses themselves act as a sort of currency; nobody is able to explain exactly how it works, but it’s become quite valuable.

The King is very unhappy. At the stroke of midnight, as the law is about to expire, a small little clause is added to the law: “*Under the discretion of His Royal Highness.”

Is this still a good thing?

Slippery Slopes

The premise of Net Neutrality is based on a slippery slope that imagines a worst case scenario where ISPs:

  • provide preferential “fast-lanes” for favorable service and/or throttle
  • charge differing access fees for different sites
  • outright block competing services
  • all of the above
  • something even worse that I’ve totally missed.

I’m not so sure this slippery slope is plausible.

As I understand it – from the years 2005 – 2015 US ISPs operated within a framework where they had a lot of leeway to discriminate over packets. There are numerous examples of ISPs (ahem Comcast) attempting bandwidth throttling schemes during this period. Every time, they eventually caved to consumer pressure… despite very poor competition.

So, history leads me to believe that with a vigilant group of watchers and a small amount of competition, we can successfully keep this worst case scenario at bay.

In the future, I wonder if net neutrality becomes less and less of an issue as bandwidth capacity continues to increase year-over-year. An ISP has little incentive to throttle bandwidth when even the slowest of slow speeds are fast enough to serve content with minimal network impact. I think it might be happening already. For example, my ISP (kudos Shaw), which previously had soft bandwidth caps and various levels of throttling, now just has totally unlimited access. For no reason: they have no real competition, there was no market pressure.

Re-evaluating the equation

By definition, net neutrality legislation gives the government oversight over the content of bits traveling across the internet. A best case scenario, blanket law that said “All packets are to be treated equal, no blocking, no throttling. Period. No questions asked.” is a judgement call. It is a call in our favour, but it is also a framework whereby the government will discuss and attach future internet freedom related issues. It is a slippery slope into the danger zone of internet censorship.

The real debate should not be surrounding whether or not we want a neutral internet.  Of course we do.

The real debate should be about which slippery slope we consider more dangerous:

  • Corporate interests shutting down the free and open internet in favour of a closed toll-way of terror.
  • Current and future governments using internet legislation as a stepping stone to hamper our freedoms.

In this blogger’s opinion, history has shown us that voting with your wallet is much more effective than… actual voting.

Mr. Shodan

Mr. Robot season 3 is off to a great start. As per usual, the episode features tonnes of Easter eggs for hacker nerds.

But I have to admit I was a little surprised to see a cameo. Shodan is a search engine for things connected to the web that aren’t web servers. Web cams, network equipment, industrial controls and other hardware that relies heavily on security through obscurity.

Here’s a fun video from Defcon 20 demonstrating what fun can be had.

Bonus: The search Mr. Robot performs, org:"Evil Corp" product:"Apache Tomcat", returns real results with show-relevant data.

Bonus Part 2:

The domain in question has an open SNMP (file sharing port).

No guest account unfortunately. If only I could remember some of the logins from the show.

The rabbit hole goes deep this season! Hack the planet.