Facebook: Look at our latest bug bounty that proves we're serious!
As Cambridge Analytica launches new site 'CambridgeFacts'
Continuing its charm offensive, Facebook has published the details of its data abuse bounty, ahead of Mark Zuckerberg’s appearances in front of US lawmakers.
The programme - which offers a minimum of $500 (and no maximum) for cases that prove to be true - will reward people who can prove an app has slurped up users’ data for nefarious means.
The move comes as the biz is under fire for playing fast and loose with users’ data, as it dawns on people just how much information they have handed over to the Zuckerborg and the apps using its platform.
Meanwhile, Zuckerberg himself is making up for an extended period of silence by issuing so many apologies it’s hard to keep up - with more expected when he gives evidence to US lawmakers later today and tomorrow.
The new programme will work alongside the existing bug bounty programme, but with the aim of protecting against abuse of data, regardless of whether the collection and abuse happened because of a security vulnerability.
To report an issue, people must provide “first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence”.
However, it only applies to Facebook - other platforms, like Instagram, aren’t included.
If data abuse is confirmed, Facebook said it would shut down the app, “take legal action against the company selling or buying the data, if necessary”, and initiate a forensic audit of related systems - as well as telling affected users.
As with Facebook’s bug bounty programme, the payout will be based on the impact of the report - the biz noted that the highest impact bug reports have pulled in $40,000.
In order to qualify, Facebook said the situation must be one the biz wasn’t aware of, involve more than 10,000 users and have evidence of abuse - not just collection - of data.
They also have to comply with its responsible disclosure policy, including that the bounty-hunter gives Facebook time to investigate before making any information about the report public.
As well as non-Facebook data, other situations that are explicitly out of scope are: scraping, malware and scenarios where social engineering is a major component. However, Facebook added that it “hope to expand the scope of this program soon”.
The biz also emphasised that people couldn’t make a quick buck by illegally obtaining Facebook data, whipping the all-caps out to really hammer home the point:
“Any data that you obtained illegally or without proper authorization. DO NOT SHARE SUCH DATA WITH US - you will not be rewarded for doing so.”
Life is so unfair, stamps Cambridge Analytica
Meanwhile, the other company at the heart of the scandal - Cambridge Analytica - has taken a rather more petulant approach to the furore and bad press it's been getting.
“It has become open season for critics to say whatever they like about us based on speculation and hearsay,” said acting CEO Alexander Tayler (who took over from Alexander Nix after the former boss was caught on camera discussing honey traps and more with what turned out to be undercover Channel 4 presenters).
“It would be impossible to address the hundreds of articles and broadcast segments that have misrepresented Cambridge Analytica or replicated false statements made by those focused on creating a political scandal,” he said.
And so it has decided to cherry-pick just a few of the statements to refute - and has created a separate website, CambridgeFacts.com consisting of just one page, on which to do it.
Topping the list are claims the biz had “hacked Facebook” - when actually it gained the information in “good faith”, through a license from a company (GSR) under a contract that had stated the information must be obtained legally.
And anyway, Cambridge Analytica added, that data (which they were willing to pay up to $1.5m for, according to contracts published last month) was “disappointing”, so the company used its own research to train its models.
The biz went on to say that it had deleted the raw data from its file server as soon as Facebook asked it to - and that it certainly wasn't used for the 2016 presidential election.
Rather, it said, that information came from voter files, polling data, data from the campaign and from commercial data brokers. This data was used to identify “persuadable” voters, it said, along with a polling tracker and dashboards for the campaign.
"In truth, we used the same kind of political preference models used by the Obama and Clinton campaigns; however, we started five months out from election day and did it with far fewer resources and less data," the biz said.
Finishing up the list are the statements that Cambridge Analytica is politically neutral and that Chris Wylie (the pink-haired former CA researcher) “is not a whistleblower”. The firm would prefer it if everyone saw him as a one-time contractor whose account is “based on pure conjecture and guesswork, while his own motivations in this saga have remained unexplored”. ®