• 'Cow Clicker'. (Ian Bogost / The Atlantic)
The Cambridge Analytica scandal is drawing attention to malicious data thieves and brokers. But every Facebook app — even the dumb, innocent ones — collected users’ personal data without even trying.
By
Ian Bogost

16 Apr 2018 - 1:50 PM  UPDATED 18 Apr 2018 - 4:35 PM

Why I'm Not on Facebook airs Tuesday 17 April at 8:30pm on SBS VICELAND.

For a spell during 2010 and 2011, I was a virtual rancher of clickable cattle on Facebook.

It feels like a long time ago. Obama was serving his first term as president. Google+ hadn’t arrived, let alone vanished again. Steve Jobs was still alive, as was Kim Jong Il. Facebook’s IPO hadn’t yet taken place, and its service was still fun to use — although it was littered with requests and demands from social games, like FarmVille and Pet Society.

I’d had enough of it — the click-farming games, for one, but also Facebook itself. Already in 2010, it felt like a malicious attention market where people treated friends as latent resources to be optimised. Compulsion rather than choice devoured people’s time. Apps like FarmVille sold relief for the artificial inconveniences they themselves had imposed.

In response, I made a satirical social game called Cow Clicker. Players clicked a cute cow, which mooed and scored a “click”. Six hours later, they could do so again. They could also invite friends’ cows to their pasture, buy virtual cows with real money, compete for status, click to send a real cow to the developing world from Oxfam, outsource clicks to their toddlers with a mobile app and much more. It became strangely popular, until eventually, I shut the whole thing down in a bovine rapture — the “cowpocalypse”. It’s kind of a complicated story.

But one worth revisiting today, in the context of the scandal over Facebook’s sanctioning of user-data exfiltration via its application platform. It’s not just that abusing the Facebook platform for deliberately nefarious ends was easy to do (it was). But worse, in those days, it was hard to avoid extracting private data, for years even, without even trying. I did it with a silly cow game.

Cow Clicker is not an impressive work of software. After all, it was a game whose sole activity was clicking on cows. I wrote the principal code in three days, much of it hunched on a friend’s couch in Greenpoint, Brooklyn. I had no idea anyone would play it, although over 180,000 people did, eventually. I made a little money from the whole affair, but I never optimised it for revenue generation. I certainly never pondered using the app as a lure for a data-extraction con. I was just a strange man making a strange game on a lark.

And yet, if you played Cow Clicker, even just once, I got enough of your personal data that, for years, I could have assembled a reasonably sophisticated profile of your interests and behaviour. I might still be able to — all the data is still there, stored on my private server, where Cow Clicker is still running, allowing players to keep clicking where a cow once stood, before my caprice raptured them into the digital void.

To understand why withdrawing data was the default behaviour in Facebook apps, you have to know something about how apps get made and published on Facebook. In 2007, the company turned its social network service into an application platform. The idea was that Facebook could grow its number of users and the time they spent engaged by allowing people and organisations to build services overtop of it. And those people and organisations would benefit by plugging into a large network of users, whose network of friends could easily be made a part of the service, both for social interaction and viral spread.

When you access an app on Facebook’s website, be it a personality quiz, a game, a horoscope or a sports community, the service presents you with an authorisation dialogue, where the specific data an app says it needs is displayed for the user’s consideration. That could be anything from your name, friend list and email address, to your photos, likes, direct messages and more.

The information shared with an app by default has changed over time, and even a savvy user might never have known what comprised it. When I launched Cow Clicker in 2010, it was easier to acquire both “basic” information (name, gender, networks and profile picture) and “extended” user information (location, relationship status, likes, posts and more). In 2014, Facebook began an app review process for information beyond that which a user shared publicly, but for years before that, the decision was left to the user alone. This is consistent with Facebook’s longstanding, official policy on privacy, which revolves around user control rather than procedural verification.

App authorisations are not exceptionally clear. For one thing, the user must accept the app’s request to share data with it as soon as they open it for the first time, even before knowing what the app does or why. For another, the authorisation is presented by Facebook, not by the third party, making it seem official, safe and even endorsed.

The part of the Facebook website where apps appear, under the blue top navigation (as seen above), introduces further confusion. To the average web user, especially a decade ago, it looked like the game or app was just a part of Facebook itself. The page is seamless, with no boundary between the site’s navigational chrome and the third-party app. If you look at the browser address bar while using a Facebook app on the website, the URL begins with “apps.facebook.com”, further cementing the impression that the user was safely ensconced in the comforting, blue cradle of Facebook’s care.

That’s not what really takes place. When a user loads an app, Facebook’s servers pass those requests to a remote computer, where the individual or company that made the app hosts their services. The app sends its responses to Facebook, which formats and presents them to the user, as if they were inside of Facebook itself.

The authorisation process happens once, the first time the app is accessed for a specific user. After that, every time the user loads the app, Facebook sends it a payload of basic user data to facilitate the app’s operation (additional data can be requested separately when needed). For years, these transmissions were even conducted unencrypted, until Facebook required apps to communicate with its service over a secure connection.

Beyond its own terms of service for applications, which many developers probably didn’t read or feel compelled to heed, Facebook “secured” user data shared with third-parties by requiring every app to publish a privacy policy. Because data sharing was seen as a form of user-control, not corporate policy, Facebook doesn’t appear to review platform-developer privacy policies. As far as I can tell, all the platform did was to insure that accessing the URL for an app’s privacy policy didn’t result in a page not found error. Facebook was checking that privacy policies existed as reachable web pages, not that they existed as privacy policies, let alone policies that provided any specific protections. And besides, users probably never read the policies, which were linked unassumingly from the application-permissions interface. They might easily, and reasonably, have assumed that Facebook was simply reiterating its own privacy policy when presenting new access to an app. They would have been wrong.

In essence, Facebook was presenting apps as quasi-endorsed extensions of its core service to users who couldn’t have been expected to know better. That might explain why so many people feel violated by Facebook recently — they might never have realised they were even using foreign, non-Facebook applications in the first place, let alone ones that were siphoning off and selling their data. The website always just looked like Facebook.

In the case of Cow Clicker, which only ever aimed to let people click on pictures of cows, I was able to access two potentially sensitive pieces of data without even trying.

The first is a player’s Facebook ID. This is a numeric, unique identifier attached to every Facebook account. Once I have your Facebook ID, I can look up your profile programmatically, or I can just load it in the public website by appending it to “facebook.com” — Mark Zuckerberg’s is 4.

These days, Facebook generates a unique, app-specific ID for each user, in order to prevent an app from connecting someone directly to Facebook profiles. But back in Cow Clicker’s heyday of 2010, Facebook didn’t do this, and every app got your actual ID. Those data could be correlated against other information — data collected from Facebook, fashioned by the app or acquired elsewhere. Because I collected and stored my users’ true Facebook IDs to be able to count their clicks and build their pastures and the like, I still have them and, in theory, I could use them nefariously. A 2014 terms of service update prohibits some of that activity, but not everyone cares about violating the Facebook terms of service.

The second type of information is a piece of profile data Cow Clicker received without asking for it. Back in 2010, Facebook still allowed users to join “networks” — affiliations like schools, workplaces and organisations. In some cases, those affiliations required authorisation, for example having an email address at a domain that corresponds with a university. Over time, verification became less important to Facebook, and now users can affiliate with schools or workplaces arbitrarily. The less friction, the more data.

In 2010, on my friend’s couch in Brooklyn, I noticed that Facebook was shipping user affiliation data over the wire to me, so I decided to store it. Facebook allowed apps to store data for which user permission was granted, but urged developers not to request or store more than it needed to operate. Putting affiliation data in the Cow Clicker database allowed me to provide leaderboard rankings by network, allowing my players to compete for clicks with their work colleagues or classmates.

That’s neither a terribly interesting feature nor a particularly wicked one. But because I stored the numerical identifiers for user affiliations, I still have them. Until 2016, I could use a database-query tool called FQL, Facebook Query Language, to retrieve the details of those networks and correlate them back to my users. Had I wanted to, I could have recombined that information with other data and used it for retargeting.

Cow Clicker’s example is so modest, it might not even seem like a problem. What does it matter if a simple diversion has your Facebook ID, education and work affiliations? Especially since its solo creator (that’s me) was too dumb or too lazy to exploit that data toward pernicious ends. But even if I hadn’t thought about it at the time, I could have done so years later, long after the cows vanished, and once Cow Clicker players forgot they’d ever installed my app.

This is also why Zuckerberg’s response to the present controversy feels so toothless. Facebook has vowed to audit companies that have collected, shared or sold large volumes of data in violation of its policy, but the company cannot close the Pandora’s box it opened a decade ago, when it first allowed external apps to collect Facebook user data. That information is now in the hands of thousands, maybe millions of people.

To be honest, I’m not even sure I know what the Facebook platform’s terms of service dictated that I do with user data acquired from Facebook. Technically, users could revoke certain app permissions later, and apps were supposed to remove any impacted data that they had stored. I doubt most apps did that, and I suspect users never knew — and still don’t know — that revoking access to an app they used eight years ago doesn’t do anything to reverse transmissions that took place years ago.

As Jason Koebler put it at Motherboard, it’s too late. “If your data has already been taken, Facebook has no mechanism and no power to make people delete it. If your data was taken, it has very likely been sold, laundered and put back into Facebook.” Indeed, all the publicity around Facebook’s Cambridge Analytica crisis might be sending lots of old app developers, like me, back to old code and dusty databases, wondering what they’ve even got stored and what it might yet be worth.

Facebook’s laissez-faire openness surely contributed to the data extraction free-for-all that’s playing itself out now via the example of Cambridge Analytica. But so did its move-fast-and-break-things attitude toward software development. The Facebook platform was truly a nightmare to use and to maintain. It was built like no other software system then extant, and it changed constantly — regular updates rolled out weekly. Old code broke, seemingly for no good reason. Some Facebook app developers were dishonest from the start, and others couldn’t help themselves once they saw the enormous volume of data they could slurp from millions or tens of millions of Facebook users. But many more were just struggling to eke out a part of their living in an ecosystem where people might discover them.

Millions of apps had been created by 2012, when I hung up my cowboy hat. Not only apps apparently designed with duplicity in mind, like Aleksandr Kogan’s personality quiz, which extracted data that was then sold to Cambridge Analytica. But hundreds of thousands of creators of dumb toys, quizzes, games and communities that might never have intended to dupe or violate users surely did so anyway, because Facebook rammed their data down our throats. On the whole, none of us asked for your data. But we have it anyway, and forever.

 

Why I'm Not on Facebook is streaming now at SBS On Demand:

More on SBS:
BATMANLAND 39 - Batman's Anniversary + A Riddling Controversy

Oh mon chéri, Gomez Addams himself John Astin has taken over as The Riddler for this special 2-part episode in which the people of Gotham celebrate Batman's anniversary. The BATMANLAND team give the occasion the due respect it deserves.

'What we're doing is crazy': How Sherpas helped me survive the trek to Everest
Trekking to Mount Everest is a daunting and dangerous challenge, but it’s just another Tuesday for most Sherpas.
The Good Fight SBS fan podcast - Episode 6
(SBS) On the SBS Good Fight podcast this week, Dan and Sarah discuss the character of Adrian on the show as he battles his inner angry demons. The two also explore the issue of pregnant women in the workplace, the quiet loneliness of the TV live cross, and ask whether it really is true that big heads play well on TV.
Sam Bee tries to get people to care about Puerto Rico
It's been seven months since the island was ravaged by a hurricane and 103,000 people still don't have electricity.
'Atlanta' provides a perfect satire of the music industry in 2018
While aging rock stars attack the standard corporate villains, Donald Glover’s FX show sketches an ecosystem of exploitation.
The Mysterious Cities of Gold are why you are obsessed with Aztecs, Incas, and Mayans
Now that it's at SBS On Demand, you may now understand what happened: Mesoamerica invaded your childhood, and you didn’t even realise.

This article was originally published on theatlantic.com: Click here to view the original. © 2018 All Rights reserved. Distributed by Tribune Content Agency.