This is The Download, a weekday recap of the top technology headlines. It’s April 11, 2018, here’s what you need to know:
The Facebook, Cambridge Analytica scandal
Today was a big day for news in the Facebook-Cambridge Analytica scandal, as Facebook CEO Mark Zuckerburg begun his testimony before Congress in a five-hour session before a joint session of the Senate Judiciary and Commerce committees. We’ll begin with what we learned from the hearing before moving to miscellaneous news from the scandal.
Conspiracy that Facebook taps microphones shot down
Despite official denials dating as far back as 2016, Zuckerburg still faced suspicions that Facebook secretly records audio through phone microphones in order to better target ads.
In response to the question, posed by Sen. Gary Peters (D-MI), Zuckerburg responded with an adamant no before adding that Facebook does have access to audio when people record videos on their devices for Facebook, but not otherwise.
Palmer Luckey not fired because of anti-conservative bias
Senator Ted Cruz (R-TX) asked Zuckerburg about 2016 reports that the company removed conservative leaning political news from its trending stories box, and followed up with questions on moderators’ political views. When Zuckerburg said that he didn’t ask employees for their political views, Cruz followed up by asking why Palmer Lucky, an Oculus employee that the Daily Beast reported in 2016 was secretly funding a pro-Trump political activism group called Nimble America. The group was dedicated to the idea that “shitposting is powerful and meme magic is real.”
“That is a specific personnel matter that seems like it would be inappropriate to speak to here.”
Mark Zuckerburg; Facebook CEO, in response to Cruz’s question
Cruz then asked if it was accurate that Facebook didn’t make decisions based on political views as Zuckerburg claimed earlier. Zuckerburg then committed that “it was not because of a political view.”
Proposed Senate bill would require Facebook to get opt-in consent for data collection
A new bill proposed by Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) would place significant restraints on data collection from Facebook and other services.
The Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT Act) requires explicit opt-in consent from users to use, share, or sell any personal information, along with clear notification any time data is collected, shared, or used. The bill would also add new security and breach reporting requirements.
Crucially, the CONSENT app relies on the Federal Trade Commission to enforce any violations of those new rules.
During today’s testimony, Blumenthal asked Zuckerburg if This is Your Digital Life (the app used to mine the data eventually given to Cambridge Analytica)’s terms of service conflict with the FTC order Facebook was under at the time.
“It certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.”
Blumenthal followed up by specifically asking if Zuckerburg believed that the breach was a violation of the consent decree. Zuckerburg responded saying that his understanding was that it wasn’t “a violation of the consent decree.”
Sen. Markey later pressed Zuckerburg on whether it would support the bill and the principles of opt-in consent generally. Zuckerburg called the principle “exactly right.”
Paid version of Facebook not ruled out
During questioning by Sen. Orrin Hatch (R-UT), who recalled a 2010 meeting as part of the Senate Republican High Tech Task Force where Zuckerburg said that Facebook would always be free, Zuckerburg hinted that a paid version of Facebook isn’t out of the cards entirely.
“There will always be a version of Facebook that is free. It is our mission to try and help connect everyone around the world and bring the world closer together. In order to do that, we believe we need to deliver a service that everyone can afford.”
Facebook-backed lawmakers pushing to gut privacy law
Outside the Capitol, Facebook is fighting against a new amendment to the Biometric Information Privacy Act (BIPA) in Illinois that could give Facebook free rein to run facial recognition scans without users’ consent.
The amendment would carve out significant exceptions to the bill, which currently requires explicit consent before companies can collect biometric data like fingerprints or facial recognition profiles. Companies would be allowed to collect biometric data without notice or consent as long as it’s handled with the same protections as other sensitive data. Companies could also be exempted if they don’t sell or profit from the data, or if it’s used only for employment purposes.
Roughly 1,500 users’ private Messenger messages involved in Cambridge Analytica breach
In the company’s notification to users affected by the Cambridge Analytica breach, Facebook dropped the news that users might have had their private Messenger messages leaked.
According to researcher Jonathan Albright, the vulnerability dates back to the first version of Facebook’s Graph API that allowed apps to request massive amounts of users’ friends info with a single prompt. Once permission was granted, apps could continue to pull data for years until either the app was deleted or when Facebook killed the 1.0 version of the API for a more limited 2.0 version in 2015.
Included in the data that those early Graph API apps could pull was the ability to read users’ private Facebook messages through a “read_mailbox” API request.
Facebook confirmed to Wired that 1,500 people gave the “This is Your Digital Life” app permission to access the data, but anyone who messaged or received messages from those 1,500 people could also be affected.
In a tweet posted Tuesday afternoon, Cambridge Analytica denied that it had access to private message data.
Data Abuse Bounty rewards those that report app developers’ misuse of data
Facebook has launched a Data Abuse Bounty that would reward people who find cases of data abuse on its platforms. Payouts start at $500, and people can receive over $40,000 for big discoveries.
“It will help us find the cases of data abuse not tied to security vulnerability. … This will cover both hemispheres, and help surface more cases like Cambridge Analytica so we can know about it first and take action.”
Alex Stamos; Facebook chief security officer, to CNBC
Cases that are brought to Facebook’s attention and submitted with evidence will be vetted by its bug and data abuse bounty team. The company will investigate the report and decide the right course of action, whether it’s shutting down the app, suing the data leaker, or conducting an onsite audit of the company selling or buying unauthorized data.
The company currently has 10 people on the bug bounty team, but plans to hire more people and involve other teams to investigate unsubstantiated claims.
To be eligible, the case must involve at least 10,000 Facebook users, show how data was abused, and Facebook must not have been made aware of the specific issue before. Companies that scrape data, anyone who users malware to get people to install apps, social engineering projects, and apps on other Facebook-owned platforms aren’t eligible. Facebook is open to expanding the program in the future.
“A door is always open if a whistleblower wants to say there’s something sketchy here.”
Collin Greene; Facebook head of product security, to CNBC
Help Center page, News Feed notification details if you were affected by Cambridge Analytica breach
Facebook has begun sending out News Feed notifications to notify users that might have been affected by the breach. However, you can also visit this Help Center page to verify immediately if you haven’t gotten a notification yet.
Instagram rolls out Focus portrait mode feature for videos, photos
Instagram is rolling out Focus, a new feature that blurs the background of photos and videos while keeping someone’s face sharp for a stylized, professional photography look.
“Focus mode leverages background segmentation and face detection technology.”
An Instagram spokesperson
Focus can be found in the Stories camera alongside Boomerang and Superzoom in both the front and rear-facing cameras on the iPhone 6s and newer along with select Android devices.
Meanwhile, the app is rolling out Mentions sticker that let you tag friends in a story with a stylized graphic similar to Snapchat’s Snapcodes. Just like adding emoji to photos and videos, the Mention sticker can be added with the typeahead being used to find a friend’s username and tag them in a resizable sticker that sends people to their profile and generates a notification to the tagged user.
It’s an expansion of the text mentions launched soon after Stories in November 2016.
Vimeo launches Mac app for Final Cut Pro users
Vimeo has launched a new Mac app that will give Final Cut Pro users more control over their file formats and video codecs. The app expands upon the existing integration within Final Cut Pro that already offered the ability to upload to Vimeo. With the new app, creators can upload multiple files at once, track progress in a status bar, and get instant access to video links, video review pages, and embed codes, among other things.
According to Vimeo, users can also add captions in Final Cut Pro, play videos natively in the app, and adjust the metadata for their videos.
Apple ordered to pay $502M to VirnetX in patent battle
Apple was ordered to pay $502.6 million to VirnetX after a Texas grand jury found that the company infringed patents related to secure communications.
VirnetX filed three lawsuits in 2010 alleging that Apple’s FaceTime, VPN on Demand, and iMessage features infringed four VirnetX patents.
VirnetX spokesperson Greg Wood called the verdict “fair and appropriate,” but the judgment may ultimately have little impact as the Patent Trial and Appeal Board ruled the patents invalid in 2016.
Chrome, Firefox will support new standard for password-free logins
The W3C and FIDO Alliance standards bodies have announced WebAuthn, a new open standard that is currently supported in the latest version of Firefox and will be supported in upcoming versions of Chrome and Edge slated to launch in the next few months.
Apple hasn’t commented on whether Safari will be updated for the standard, but the company is part of the group that developed the standard.
The announcement is another step towards moving away from passwords in favor of more secure login methods like biometrics and USB tokens. The system is already in place on services like Google, and Facebook, where you can log in with a Yubikey token built to the FIDO standard.
WebAuthn will make that feature easier for smaller services to implement, whether using those devices as a second factor or replacing the password entirely.
“Previously, the work to support tokens was happening amongst big companies like Google, Microsoft, and Facebook, which would implement their own drivers. With WebAuthn, you’ll be able to use commonly available libraries.
“What this really enables is switching from using passwords to using a device, and getting to a world where it’s impossible to phish users. Now we’re not there yet. It’s our glorious future. But that’s the path we all want to be on.”
Selena Deckelmann, Mozilla Firefox Runtime director
Because the FIDO standard is built on a zero-knowledge proof, no single string of characters can guarantee access to an account that makes it harder to pull a conventional phishing attack. Those logins are still rare, even on services that do support FIDO.
Piper Jaffray: 82% of American teens currently own an iPhone, 84% say next phone will be an iPhone
According to a report from Piper Jaffray, 82 percent of American teenagers use an iPhone – a figure that’s up from 60 percent in 2014. “Thousands” of teenagers in 40 states took part in the survey.
Vevo YouTube hack hits popular music video
Vevo’s YouTube account fell victim to hackers, leading to a number of high-profile music videos being defaced. The videos affected include Luis Fonsi and Daddy Yankee’s Despacito, which disappeared for YouTube briefly after being defaced by hackers. The video’s image was altered and replaced with the masked gang from Netflix’s La Casa de Papel holding guns, with the description was changed by hackers that called themselves Prosox and Kuroi’sh.
Music videos from artists including Chris Brown, Shakira, DJ Snake, Selena Gomez, Drake, Katy Perry, and Taylor Swift were also defaced. All of the affected videos were on the artists’ Vevo YouTube channels. At least one of the hackers claimed on Twitter that they used a “script” to alter the video titles.
Vevo confirmed the breach in a statement to The Verge, and said that it was contained.
“We are working to reinstate all videos affected and our catalogue to be restored to full working order. We are continuing to investigate the source of the breach.”
A Vevo spokesperson
In other news…
- In a Reddit thread announcing the platform’s 2017 transparency report findings, Reddit CEO Steve Huffman announced that the company identified and listed close to 1,000 accounts that are suspected to be linked to Russia propaganda and responded to a user’s question asking if obvious open racism was against the platform’s rules with a no.
- Bellus3D is bringing its 3D selfie camera to the iPhone X with a new app that’s currently in beta with a full App Store release planned for later this year.
- According to a memo from Apple’s Eddy Cue, Apple Music has officially hit 40 million paid subscribers this week. The news comes as the company named former vice president of Apple Music & International Content Oliver Schusser head of Apple Music Worldwide.
- The US’ Food and Drug Administration has approved an AI-powered device that can be used by non-specialists to detect diabetic retinopathy in adults with diabetes.
- Netflix will not be screening anything at the Cannes Film Festival this year, after a new rule banned any movie from competition that didn’t have a theatrical run.