WASHINGTON (AP) — A senior Federal Trade Commission official is criticizing Facebook’s move to shut down the personal accounts of two academic researchers and terminate their probe into misinformation spread through political ads on the social network.
Facebook wrongly used a 2019 data-privacy settlement with the FTC to justify shutting down the New York University researchers’ accounts this week, Samuel Levine, acting director of the FTC’s consumer protection bureau, said in a letter Thursday to Facebook CEO Mark Zuckerberg.
Levine also said Facebook failed to honor a prior commitment to notify the FTC in advance of taking such an action.
Facebook maintained that the researchers violated its terms of service and were involved in unauthorized data collection from its massive network. The academics, however, say the company is attempting to exert control on research that paints it in a negative light.
The NYU researchers with the Ad Observatory Project had for several years been looking into Facebook’s Ad Library, where searches can be done on advertisements running across Facebook’s products.
The access was used to “uncover systemic flaws in the Facebook Ad Library, to identify misinformation in political ads, including many sowing distrust in our election system, and to study Facebook’s apparent amplification of partisan misinformation,” Laura Edelson, the lead researcher behind NYU Cybersecurity for Democracy, said Wednesday.
Facebook agreed in a 2019 consent decree settlement with the FTC to pay a record $5 billion for alleged violations of the privacy of users’ personal data.
But Levine said in his letter that the consent decree allows Facebook to create exceptions to data collection restrictions “for good-faith research in the public interest.”
“While it is not our role to resolve individual disputes between Facebook and third parties, we hope that the company is not invoking privacy — much less the FTC consent order — as a pretext to advance other aims,” the letter says.
Facebook’s action against the NYU project also cut off other researchers and journalists who got access to Facebook data through the project, according to Edelson, the NYU lead researcher.
The researchers offered Facebook users a web browser plug-in tool that let them volunteer their data showing how the social network targets political ads.
But Facebook said the browser extension was programmed to evade its detection systems and vacuum up user data, creating privacy concerns.
In a blog post late Tuesday, Facebook said it takes “unauthorized data scraping seriously, and when we find instances of scraping we investigate and take action to protect our platform.”
Facebook representatives didn’t immediately respond to a request for comment Thursday on Levine’s letter.
Levine wrote that after Facebook wrongly asserted that its actions against the researchers were required under the consent decree, it later acknowledged that this was inaccurate. “While I appreciate that Facebook has now corrected the record, I am disappointed by how your company has conducted itself in this matter,” he told Zuckerberg.
Facebook says it makes information on political ads available through its Ad Library and provides “privacy-protected data sets” to researchers through other means.
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.
We have updated Section 7 of the Developer Policies effective immediately. No change is required from the developers’ end, only awareness about these changes.
As part of our continuous focus on improving developers’ experience, we have made some updates to Section 7 of the Developer Policies, which covers all Facebook Gaming Products, such as Web Games on Facebook.com, Instant Games and Cloud Games. As part of this update we have removed outdated policies and streamlined the language and structure of Section 7 to better reflect the existing state of our Facebook Gaming Products. We have also reorganized some policies under the Quality Guidelines. These updates do not introduce any product change, nor do they include any new requirements for developers.
Please review the updated Section 7 to familiarize yourself with the updated content structure.
With the goal of making Meta’s app creation process easier for developers to create and customize their apps, we are announcing the rollout of an updated process using App Use Cases instead of the former product-focused process. App Use Cases will enable developers to quickly create apps by selecting the use case that best represents their reason for creating an app.
Currently, the product-focused app creation process requires developers to select an app type and individually request permission to API endpoints. After listening to feedback from developers saying this process was, at times, confusing and difficult to navigate, we’re moving to an approach based on App Use Cases. With App Use Cases, user permissions and features are bundled with each use case, so developers can confidently select the right data access for their needs. This change sets developers up for success in creating their app and navigating app review, ensuring they get only the exact data access they need to accomplish their goals.
Starting today Facebook Login will be the first use case to become available to developers. This will be the first of many use cases that will be built into the app creation process that will roll out continually in 2023. For more information please reference our Facebook Login documentation.
We’ll start with generating and using a temporary access token and then replace it with a permanent access token. This tutorial assumes you’re building a server-side application and won’t need additional steps to keep your WhatsApp application secrets securely stored.
Managing Access and Authorization Tokens
First, let’s review how to manage authorization tokens and safely access the API.
Start by making sure you have a developer account on Meta for Developers. You’ll also need WhatsApp installed on a mobile device to send test messages to.
Creating an App
Before you can authenticate, you’ll need an application to authenticate you.
Once you’re signed in, you see the Meta for Developers App Dashboard. Click Create App to get started.
Next, you’ll need to choose an app type. Choose Business.
After that, enter a display name for your application. If you have a business account to link to your app, select it. If not, don’t worry. The Meta for Developers platform creates a test business account you can use to experiment with the API. When done, click Create App.
Then, you’ll need to add products to your app. Scroll down until you see WhatsApp and click the Set up button:
Finally, choose an existing Meta Business Account or ask the platform to create a new one and click Continue:
And with that, your app is created and ready to use. You’re automatically directed to the app’s dashboard.
Note that you have a temporary access token. For security reasons, the token expires in less than 24 hours. However, you can use it for now to test accessing the API. Later, we’ll cover how to generate a permanent access token that your server applications can use. Also, note your app’s phone number ID because you’ll need it soon.
Note that the Meta for Developers platform inserts your app’s phone number ID and access token instead of the and placeholders shown above. If you have curl installed, paste the command into your terminal and run it. You should receive a “hello world” message in WhatsApp on your test device.
If you’d prefer, you can convert the curl request into an HTTP request in your programming language by simply creating a POST request that sets the Authorization and Content-Type headers as shown above, including the JSON payload in the request body.
Since this post is about authentication, let’s focus on that. Notice that you’ve included your app’s access token in the Authorization header. For any request to the API, you must set the Authorization header to Bearer .
Remember that you must use your token instead of the placeholder. Using bearer tokens will be familiar if you’ve worked with JWT or OAuth2 tokens before. If you’ve never seen one before, a bearer token is essentially a random secret string that you, as the bearer of the token, can present to an API to prove you’re allowed to access it.
Failure to include this header causes the API to return a 401 Unauthorized response code.
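To make the request and the 401 behaviour described above concrete, here is a small server-side client, added as an example and not code from this page or from Meta: it reads the token from an environment variable, builds the POST with the Authorization and Content-Type headers, and maps a 401 response to an explicit error. The endpoint path, API version and JSON payload shape are assumptions about the Cloud API's messages endpoint, and the phone number ID and recipient used in tests are constructed placeholders.

```python
import json
import os
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed Cloud API shape (not shown on this page): POST /<version>/<phone_number_id>/messages
GRAPH_BASE = "https://graph.facebook.com/v17.0"


class AuthError(Exception):
    """The API rejected the bearer token (401 Unauthorized)."""


def load_token(env_var="WHATSAPP_ACCESS_TOKEN"):
    # Read the token from the environment, never from a hard-coded string in source.
    token = os.environ.get(env_var)
    if not token:
        raise RuntimeError(f"set {env_var} before running")
    return token


def build_message_request(phone_number_id, to, body, token):
    # Same request the page's curl command makes: bearer token plus a JSON text message.
    payload = {"messaging_product": "whatsapp", "to": to,
               "type": "text", "text": {"body": body}}
    req = Request(f"{GRAPH_BASE}/{phone_number_id}/messages",
                  data=json.dumps(payload).encode(), method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def _http_transport(req):
    # urlopen raises on 4xx/5xx; normalise that into (status, body) like a successful call.
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def send(req, transport=_http_transport):
    # transport(req) -> (status, body_bytes); injectable so the logic can be tested offline.
    status, raw = transport(req)
    if status == 401:
        raise AuthError("missing or invalid access token in Authorization header")
    if status >= 400:
        raise RuntimeError(f"API error {status}: {raw.decode(errors='replace')}")
    return json.loads(raw)
```

Run it with `WHATSAPP_ACCESS_TOKEN` exported and `send(build_message_request(phone_number_id, recipient, "hello world", load_token()))`; the token never appears in the source file.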
Creating a Permanent Access Token
Knowing that you need to use a bearer token in the Authorization header of an HTTP request is helpful, but it’s not enough. The only access token you’ve seen so far is temporary. Chances are that you want your app to access the API for more than 24 hours, so you need to generate a longer-lasting access token.
Fortunately, the Meta for Developers platform makes this easy. All you need to do is add a System User to your business account to obtain an access token you can use to continue accessing the API. To create a system user, do the following:
Your test device should receive a second hello message sent via the API.
Best Practices for Managing Access Tokens
It’s important to remember that you should never embed an App Access Token in a mobile or desktop application. These tokens are only for use in server-side applications that communicate with the API. Safeguard them the same way you would any other application secrets, like your database credentials, as anyone with your token has access to the API as your business.
If your application runs on a cloud services provider like AWS, Azure, GCP, or others, those platforms have tools to securely store app secrets. Alternatively, there are freely available secret stores like Vault or Conjur. While any of these options may work for you, it’s important to evaluate your options and choose what works best for your setup. At the very least, consider storing access tokens in environment variables and not in a database or a file where they’re easy to find during a data breach.
In this post, you learned how to create a Meta for Developers app that leverages the WhatsApp Business Platform. You now know how the Cloud API’s bearer access tokens work, how to send an access token using an HTTP authorization header, and what happens if you send an invalid access token. You also understand the importance of keeping your access tokens safe since an access token allows an application to access a business’ WhatsApp messaging capabilities.
Why not try the Cloud API, hosted by Meta, if you’re considering building an app for your business to manage WhatsApp messaging? Now that you know how to obtain and use access tokens, you can use them to access any endpoint in the API.