On December 15, Meta (formerly Facebook) announced the expansion of its "bounty program" since 2011 in response to data scraping issues.
It encourages researchers to report two scenarios, one is to look for vulnerabilities, increasing the cost and difficulty of malicious crawling behavior, and the other is to find "wooden boats" of crawling datasets, meta will work with related companies to delete the datasets or seek legal action.
Digital scraping here refers to the use of automated tools to collect large amounts of personal information from user profiles, such as email addresses, phone numbers, and profile photos. Although much of this information is not confidential, crawlers can make it more widely available, centrally posted in a searchable database, quickly reaching millions of users.
Image courtesy of Meta
Meta's terms do not allow anyone to automatically access and collect data. Dan Gurfinkle, Security Engineering Manager at Meta, noted, "We are looking for vulnerabilities that allow attackers to bypass crawl restrictions and access data at a larger scale than we initially expected."
In April, the personal information of more than 500 million Facebook users was posted on a hacking forum, and even more frighteningly, the actual data scraping occurred a few years ago, although Meta had closed the relevant vulnerabilities in August 2019, but when the data began to spread online, it could do nothing but warn users to be careful of spam and scam information.
Image courtesy of Engadget
In October, more than 2.6 million Instagram and TikTok user data were compromised. Security personnel retrospectively found that the data was leaked by IGBlade, a data analytics company, whose servers and data were unprotected, resulting in a data breach that was crawled. While this Instagram data breach wasn't directly caused by Meta, it also illustrates the need to control crawling behavior.
In addition, the leakage of personal information threatens not only one account of Facebook, but also the Facebook ID and many accounts, involving the whole body, and these accounts are not difficult to find.
Image courtesy of Unsplash
Each vulnerability or dataset can be rewarded with a minimum of $500. If a dataset is found, Meta will donate the prize to a charity of the researcher's choice to prevent the researcher from "shouting to catch the thief" and grab the data before receiving the bounty; if a vulnerability is found, Meta will issue a monetary reward.
For databases, researchers will be rewarded for finding "unprotected or public public databases containing at least 100,000 unique Facebook user records," which are personally identifiable information or sensitive data such as emails, phone numbers, physical addresses, religious or political connections.
So far this year, Meta has provided more than $2.3 million in grants to researchers from more than 46 countries, receiving a total of approximately 25,000 reports and rewarding more than 800 reports.
Zuckerberg testified before Congress.
Meta claims to be the first bounty program specifically for data scraping, but it has a bad track record in terms of privacy and security, in addition to the Cambridge Analytica scandal that reached a settlement with a $5 billion fine, as well as large and small data breaches.
In October 2018, Facebook was hacked, exposing the private information of 29 million users, of which 14 million were very detailed, including relationship status, religion, education, work, people they followed, recent search and login devices, and more.
Facebook, which is "self-thief", also loves to make a fuss about data, collecting and using a large amount of user data to sell targeted digital advertising. ProPublica, a nonprofit news organization, calls it "surveillance capitalism."
In fact, when it comes to personalized advertising, the user is the real product on social platforms.
In March 2019, Zuckerberg unveiled a new "privacy-centric vision, using the example of its messaging app WhatsApp's "end-to-end encryption" model, which means that only the sender and receiver can read the message, and no one else or even WhatsApp officially can view it.
Currently, of all Of Meta's products, WhatsApp claims to have end-to-end encryption. Even WhatsApp still requires humans or AI to review messages reported by users for violations, and they also review unencrypted material, including data about the sender and their accounts.
Image credit: ProPublica
WhatsApp reported 400,000 images of possible child exploitation to authorities in 2020. WhatsApp principal Will Cathcart said in an interview with an Australian think tank: "I think we can definitely provide security for people with end-to-end encryption and work with law enforcement to solve crime problems."
All in all, few platforms are as private as we expect, whether for commercial use or security needs, and perhaps minimizing the exposure of personal information is fundamental.
Click "Watching"
It is the greatest motivation for us