MIT Team Says Facebook Profiles Could Still Be Stolen, At Scale

If your personal Facebook profile isn’t among the 50 million allegedly pilfered by the political consulting firm Cambridge Analytica, could another company still scrape it up, along with many others?

A policy research team from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) says yes.

In a blog post published today, three MIT graduate students say new malefactors could get past the barriers Facebook raised after it learned that Cambridge Analytica had obtained its trove of profiles from an academic researcher with ties to Russia, who allegedly shared it without Facebook’s consent. Cambridge Analytica is suspected of misusing the personal profiles in data research that informed its work for U.S. political candidates, including Donald Trump.

The MIT team says personal profiles could still be collected at scale from Facebook by savvy developers using a custom browser extension. And the intrusion might be hard to tell apart from regular user browsing.

“While detection is within Facebook’s technical capabilities, it would take an effort to detect specific anomalies to discover this type of automated browsing,” the team writes in the blog post. “This means that the main hurdles to executing this strategy would center on getting the extension past the browser vendor’s approval process and convincing the vendor (and your users) that your autonomous browsing is harmless. Unfortunately, this may be a low hurdle; browser extensions embedded with malware have been spotted in the wild, at scale.”

What’s more, copies of the 50 million Facebook profiles already taken without consent may still be in unauthorized hands, in spite of Facebook’s demand that Cambridge Analytica and its source destroy them, the MIT students say.

No technical measure can prevent the copying of such data, the MIT team says. “Making copies of data is ‘free,’ and doing so does not damage or otherwise affect the original information. Hence, CA (Cambridge Analytica) could have made a show of deleting one or more copies of the data, and demonstrating and certifying their destruction to Facebook’s satisfaction, without impacting any other copies they may have controlled.”

According to an MIT representative, the blog post was co-written by a team from the Internet Policy Research Initiative at MIT CSAIL, which includes Daniel Weitzner, a former White House official who served as the U.S. Deputy Chief Technology Officer for Internet Policy. The authors named on the post are graduate students Nathaniel Fruchter, Michael Specter, and Ben Yuan.
