The CanaryTrap Method Helps Identify Data Misuse
Fortunately, a group of academics has created a method which can aid the identification of Facebook app developers that share user data with third-parties. The method has been dubbed CanaryTrap. Let’s see how it works.
There are plenty of examples of data misuse by third-party app developers. In general, single sign-on (SSO) apps on Facebook usually require access to a user’s personal details, such as email address, date of birth, gender, and likes.
The problem is that third-party apps with access to personal details of a large number of users have a high potential for misuse, the researchers point out in their white paper. The number of high-profile incidents of data misuse by third-party apps on online social networks is bigger than it should be. Let’s not forget the Cambridge Analytica scandal.
There is a lack of methods to systematically detect data misuse by third-party apps. The main issue is that online social networking platforms lose control over their data once it is retrieved by third-party apps. These third-party apps can store the retrieved data on their servers from where it can be further transferred to other entities. Neither users nor online social networks have any visibility on the use of data stored on the servers of third-party apps. This makes the problem of detecting data misuse extremely challenging since it is hard to track something not under your control.
So, how will the CanaryTrap method help against the issue of data misuse?
CanaryTrap Method Explained
The CanaryTrap method revolves around something called a honeytoken. Honeytokens are described as fictitious words or records, added to legitimate databases. They allow administrators to track data in cases where it could not otherwise be tracked. Honeytokens can be email addresses or credit card details which can be leaked or shared intentionally to detect their unrecognized or potentially unauthorized use, the paper explains. This detection is done with the help of different monitoring channels:
For example, if an email address is shared as a honeytoken then received emails act as the channel for detecting unrecognized use of the shared email address. We design and implement CanaryTrap to investigate misuse of data shared with third-party apps on Facebook. We share the email address associated with a Facebook account as a honeytoken by installing a third-party app and then monitor the received emails to detect any unrecognized use of the shared email address. We conclude that a honeytoken shared with a third-party app has been potentially misused if the sender of a received email cannot be recognized as the third-party app.
The researchers also leverage the fact that advertisers on Facebook have the ability to use email addresses to target custom audiences. The team uses Facebook’s ad transparency tool, called “Why Am I Seeing This?”, to observe advertisers who have used the shared honeytoken to run ad campaigns to custom audiences on the social platform. The conclusion is that a honeytoken shared with a third-party app has been misused if the advertiser can’t be recognized as the third-party app.
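The email monitoring channel described above can be sketched as follows. This is an added example, not code from the paper or its authors; the honeytoken addresses, app names and domains are constructed, and matching on the From header is a simplifying assumption.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mapping (all names hypothetical): one unique honeytoken address
# per installed app, plus the domains that app is recognized to send from.
HONEYTOKENS = {
    "ht-0001@canary.example": {"app": "QuizApp", "domains": {"quizapp.example"}},
    "ht-0002@canary.example": {"app": "PhotoFun", "domains": {"photofun.example"}},
}

def is_recognized(sender_domain, domains):
    """True if the sender domain is a recognized domain or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in domains)

def classify(raw_message):
    """Attribute one received email to the app whose honeytoken it reached."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    # Simplification: the From header is taken at face value. It can be forged,
    # so a deployment would prefer an authenticated (e.g. DKIM-signing) domain.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    findings = []
    for rcpt in sorted(recipients):
        token = HONEYTOKENS.get(rcpt)
        if token is None:
            continue  # not a honeytoken address, nothing to attribute
        ok = is_recognized(sender_domain, token["domains"])
        findings.append({"app": token["app"], "sender": sender,
                         "verdict": "recognized" if ok else "potential misuse"})
    return findings

# Constructed sample emails, not real traffic.
SAMPLES = [
    "From: QuizApp <news@mail.quizapp.example>\nTo: ht-0001@canary.example\nSubject: Weekly quiz\n\nhi",
    "From: Deals <promo@unrelated-shop.example>\nTo: HT-0002@canary.example\nSubject: 50% off\n\nhi",
    "From: promo@notquizapp.example\nTo: ht-0001@canary.example\nSubject: Offer\n\nhi",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        for finding in classify(raw):
            print(finding)
```

Because each app receives its own address, any email arriving at that address can be attributed to exactly one app, and a look-alike domain such as the third sample is not treated as the app itself.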
The researchers said they tested 1,024 Facebook apps, of which they found 16 apps sharing email addresses with third parties. This resulted in users receiving emails from unknown senders. Only 9 of the 16 apps disclosed they were associated with the email sender. The low number of such detected apps is because of the small sample of 1,024 apps which were used in the research. The team believes that if more apps are investigated, the number of apps misusing user information will be much bigger.
Facebook’s Mishandling of User Data Is Not News
In April 2019, UpGuard Cyber Risk researchers discovered half a billion records of millions of Facebook users which were openly exposed to the public internet. The records were found on unprotected Amazon cloud servers. Apparently, two datasets from third-party developed Facebook apps were exposing users’ details to the public internet.
All the data sets had something in common – they all originated from Facebook users and presented sensitive information in detail, such as interests, relationships, and interactions. These details were available to third-party app developers.
In May 2020, Facebook faced another penalty over false data privacy claims. According to Canada’s Competition Bureau, Facebook has mishandled user information by creating the false feeling that users could control who could see and access their personal information via privacy features. The penalty is estimated at CAD 9 million, which equals USD 6.5 million and EUR 5.9 million.