Facebook has rolled out an extension to its security bug bounty, offering rewards to anyone with proof or first-hand knowledge of a policy violation of the type that led to the Cambridge Analytica scandal.
Facebook announced the new Data Abuse Bounty today as CEO Mark Zuckerberg was Washington preparing to testify before Congress about how the company handles user data, election meddling and what it's doing to act against threats before they occur.
Facebook COO Sheryl Sandberg said the program was aimed at exactly the type of behavior that led to Cambridge Analytica acquiring personal data on as many as 78 million Facebook users.
“We’re looking for cases where people or groups have collected data using an app connected to Facebook and then sold or transferred that data to another company where it can potentially be abused. This type of behavior is unacceptable and violates our policies,” wrote Sandberg.
Facebook is interested in data collected legitimately from a Facebook platform app that was then sold, stolen or transferred to another company without Facebook’s authorization.
Anyone who submits a report will need to have direct first-hand knowledge that data has been transferred to a third-party and proof that it has occurred in the form of personal user data from Facebook, emails, contracts and company names. Facebook won't accept illegally acquired evidence.
To be eligible for a reward, reporters will need to find a case Facebook didn’t already know about and where more than 10,000 Facebook users are affected. The case can’t just involve data collection, but “definitive abuse of data”. Facebook says it may take up to 6 months or even longer to investigate an accusation.
The data abuse bounty is part of a slew of platform changes Facebook has announced over the past month in response to criticism over how it’s handled what it calls a “breach of trust”. These include its new Privacy Shortcuts, new restrictions on APIs, shutting down Facebook targeting using third-party brokers’ data, and informing users that were affected by Cambridge Analytica.
Today it also announced changes to user access tokens for apps that use Facebook Login for signing in. Over the next two weeks any apps with tokens for users who haven’t logged in in the last 90 days and consented to the app’s permissions will expire. And from now on users will need to login through the Facebook Login process every 90 days and provide consent for the app’s permissions.