Following the Cambridge Analytica controversy and Mark Zuckerberg’s subsequent testimony before Congress, Facebook is putting – or at least trying to put – measures in place to reduce data abuse through its platform.
On March 21, Facebook announced the following developments as part of its crackdown on platform abuse:
- Investigate all apps that had access to large amounts of information before 2014 and ban developers that misused personally identifiable information
- Inform affected users and in the future inform any users of apps that are banned
- Turn off access for apps that haven’t been used in the last three months
- Apps requesting a Facebook login will only receive the user’s name, profile photo and email address. Any more data will require Facebook’s approval.
- Make it easier for people to manage their apps
- Expand the existing ‘bug bounty’ program that encourages users to report a “security vulnerability” on Facebook or any of its other platforms
Now, Facebook has announced the expansion of the ‘bug bounty’ program with a new program called the ‘Data Abuse Bounty Program’. Facebook explains that it differs from the bug bounty program “in that it ‘follows the data’ even if the root cause isn’t a security flaw in Facebook’s code. Bad actors can maliciously collect and abuse Facebook user data even when no security vulnerabilities exist. This program is intended to protect against that abuse.”
In order to submit a report, users must describe the potential data abuse through a form on the website. The submission will then be vetted and, if Facebook finds it credible, it will ask the submitter for more details to launch a “deeper investigation”. And finally, “We will choose the appropriate enforcement, which may include shutting down the offending platform app, taking legal action or an onsite forensic audit of the company selling or buying the data.”
Reports are eligible only if at least 10,000 users have been affected, and the bounty for an eligible report starts at a minimum of $500. “We determine bounty amounts based on a variety of factors, including (but not limited to) impact, data exposure, number of affected users and other factors. The higher the impact and/or number of affected users, the higher the bounty.”
“This program will reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence. Just like the bug bounty program, we will reward based on the impact of each report. While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention,” says Collin Greene, head of product security, Facebook, in a blog post.
He also added that the program is the first of its kind and will be updated and expanded based on feedback.