Facebook is entering a tough transition period where it won’t take chances around data privacy in the wake of the Cambridge Analytica fiasco, CTO Mike Schroepfer tells TechCrunch. That’s why it’s moving up the shutdown of part of the Instagram API. It’s significantly limiting data available from or requiring approval for access to Facebook’s Events, Groups, and Pages APIs plus Facebook Login. Facebook is also shutting down search by email or user name and changing its account recovery system after discovering malicious actors were using these to scrape people’s data. “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Schroepfer writes.
Instagram will immediately shut down part of its old platform API that was scheduled for deprecation on July 31st. TechCrunch first reported that developers’ Instagram apps were breaking over the weekend due to a sudden reduction in the API call limit. Instagram refused to comment, leading to developer frustration as their apps that analyze people’s followers and help them grow their audiences stopped working.
Now an Instagram spokesperson tells TechCrunch that “Effective today, Instagram is speeding up the previously announced deprecation of the Instagram API Platform” as part of Facebook’s work to protect people’s data. The APIs for follower lists, relationships, and commenting on public content will cease to function immediately. The December 11th, 2018 deprecation of public content reading APIs and the 2020 deprecation of basic profile info APIs will happen as scheduled, but Instagram has implemented rate limit reductions on them now.
The announcements come alongside Facebook’s admission that up to 87 million users had their data improperly obtained by Cambridge Analytica, up from early estimates of 50 million. These users will see a warning atop their News Feed about what happened and what they should do, along with surfaced options for removing other apps they gave permissions to. Facebook CEO Mark Zuckerberg plans to take questions about today’s announcements during a 1:00pm Pacific conference call.
Regarding the Facebook APIs, here’s the abbreviated version of the changes and what they mean:
- Events API will require approval for use in the future, and developers will no longer be able to pull guest lists or post to the event wall. This could break some event discovery and ticketing apps.
- Groups API will require approval from Facebook and a Group admin, and developers won’t be able to pull member lists or the names and photos associated with posts. This will limit Group management apps to reputable developers only, and keep a single non-admin member of a closed Group from giving developers access.
- Pages API will only be available to developers providing “useful services”, and all future access will require Facebook approval. This could heavily restrict Page management apps for scheduling posts or moderating comments.
- Facebook Login use will require a stricter review process and apps won’t be able to pull users’ personal information or activity, plus they’ll lose access after 3 months of non-use. Most login apps should still work, though, as few actually needed your religious affiliation or video watching activity, though some professional apps might not function without your work history.
- Search by phone number or email will no longer work, as Facebook says it discovered malicious actors were using them to pair one piece of information with someone’s identity, and cycling through IP addresses to avoid being blocked by Facebook. This could make it tougher for people in countries where people have similar names to find each other. Of all the changes, this may be the most damaging to the user experience.
- Account Recovery will no longer immediately show the identity of a user when someone submits their email or phone number, to similarly prevent scraping. The feature will still work, but may be more confusing. Facebook believes all its users could have had their data scraped using the search and account recovery tricks.
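The last two changes come down to the same point: a per-IP block does nothing against lookups spread over many addresses, so the lookup response itself has to stop confirming identities. The sketch below is an added illustration, not Facebook's code; the account data, traffic, handler names and the limit of 2 are all constructed for the example.

```python
from collections import Counter

# Constructed sample directory (not real data): contact identifier -> profile.
ACCOUNTS = {
    "+15550100": {"name": "Alice Example"},
    "bob@example.test": {"name": "Bob Example"},
}
PER_IP_LIMIT = 2  # assumed threshold for the per-IP limiter


class PerIpLimiter:
    """Blocks an address after PER_IP_LIMIT lookups; knows nothing about other addresses."""
    def __init__(self, limit=PER_IP_LIMIT):
        self.limit = limit
        self.seen = Counter()

    def allow(self, ip):
        self.seen[ip] += 1
        return self.seen[ip] <= self.limit


def recover_leaky(identifier):
    """'Before' behaviour: the response names the matching account."""
    acct = ACCOUNTS.get(identifier)
    return {"found": True, "name": acct["name"]} if acct else {"found": False}


def recover_uniform(identifier, outbox):
    """Hardened: hit and miss return the same body; a hit only queues a
    message to the identifier's owner (outbox stands in for email/SMS)."""
    if identifier in ACCOUNTS:
        outbox.append(identifier)
    return {"message": "If that matches an account, we sent instructions."}


def names_disclosed(handler, requests, limiter):
    """Defender's check: how many identities do the responses reveal
    for the (ip, identifier) requests that pass the limiter?"""
    learned = set()
    for ip, identifier in requests:
        if limiter.allow(ip):
            name = handler(identifier).get("name")
            if name:
                learned.add(name)
    return len(learned)


# Constructed traffic: every lookup arrives from a different address.
IDENTIFIERS = ["+15550100", "+15550101", "bob@example.test", "carol@example.test"]
REQUESTS = [(f"198.51.100.{i}", ident) for i, ident in enumerate(IDENTIFIERS)]
```

With this traffic the limiter never fires, so the first handler discloses every match while the second discloses none and still delivers recovery to the real owners.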
Schroepfer says that Facebook’s goal is to lock things down, review everything, and then figure out which developers deserve access and whether any of the functionality should be restored. The announcements raise questions about why it took the Cambridge Analytica scandal for Facebook to take data privacy seriously. You can expect that the House Energy and Commerce Committee may ask Mark Zuckerberg that when he comes to testify on April 10th.
Facebook’s bold action to reform its APIs shows it’s willing to prioritize users above developers — at least once pushed by public backlash and internal strife. The platform whiplash could make developers apprehensive to build on Facebook in the future. But if Facebook didn’t shore up data privacy, it’d have no defense if future privacy abuses by outside developers came to light.
Schroepfer tells me Facebook is taking its responsibility super seriously and that the company is upset that it allowed this situation to happen. At least he seems earnest. Last week I wrote that Facebook needed to make a significant act of contrition and humility if it wanted to stabilize the sinking morale of its employees. These sweeping changes qualify, and could serve as a rallying call for Facebook’s team. Rather than sit with their heads in their hands, they have a roadmap of things to fix.
Still, given the public’s lack of understanding of APIs and platforms, it may be tough for Facebook to ever regain the trust broken by a month of savage headlines about the social network’s privacy negligence. Long-term, this souring of opinion could make users hesitant to share as much on Facebook. But given its role as a ubiquitous utility for login with your identity across the web, our compulsive desire to scroll its feed and check its notifications, and the lack of viable social networking alternatives, Facebook might see the backlash blow over eventually. Hopefully that won’t lead back to business as usual.