In 2016, Facebook announced they would shut down the BaaS company Parse, which they acquired less than 3 years earlier for $85 million. At the time that just did not make sense. In light of Mark Zuckerberg’s testimony to Congress, that decision seems obvious. It was the death blow to our app right at the time of finalizing development. Mark stated that they do not share user data with app developers. This was absolutely not the case in the days of Parse, when they had an API to do just that. To be clear, not aggregate data, but rather specific user data. Interestingly, Zuckerberg made a comment suggesting that he still feels that there are situations where users would want Facebook to share data between apps or sites while adamantly insisting they did not do that. And though he may have exonerated himself from that issue, Facebook does get user data beyond what users are volunteering to the site. I wanted to write this to quickly explain what a BaaS does, why they flew too close to the sun, and hit on a few security issues that I think everyone should think about. I think people generally understand there is an issue, but are not entirely clear what the issue is and I want to elaborate on the issue as I see it.
All Your BaaS Belong To Us
BaaS is a database hosting service or Backend As A Service. I have asked a number of developers to explain why a BaaS is better than just rolling your own. Parse was using a NoSQL database called Mongo, which is open source. So like MySQL, you can install and run Mongo for free without paying any kind of software license. So why Parse? It manages permissions and is made to work very easily with JavaScript frameworks like React. It does other things, but as I understand it, the user permissions were the primary reason we wanted to use it. Facebook also had an API so you could let (and to some degree this still is happening) users log into an app with their Facebook account and thereby skip filling out the form that comes with creating an account. It is super easy for users, but app developers were also getting access to user data. You had to give some notice of what data you were getting access to, but if people don’t read terms of service agreements, they likely wouldn’t notice this either.
It would have been beautiful
But wait! There’s more! Google is developing a JavaScript framework called Angular. And Facebook is developing a very similar JavaScript framework called React. Like Facebook’s Parse, Google has a BaaS called Firebase. And these tools make it really easy to write code for any device in 1 single language. Before that, you had to write one set of code for the iPhone and one for Android and one for desktop…these frameworks made it simple to develop in one language…JavaScript. Otherwise, you would need developers for each device you wanted your app to work on. And Google and Facebook were in an arms race to get developers on their frameworks and/or BaaS. The developers on my team sold the concept to me like this, “they could be developing a platform where the framework, BaaS, and the user data API all work together and that cuts our development time substantially.” You see, ultimately we wanted to build artificial intelligence tools that make recommendations. User data is key to that. Such a platform would be a shortcut to all the data we could possibly want. It was the data holy grail.
“I think the mistake we made is viewing our responsibility as just building tools…”
Shutting down Parse now makes total sense. It was the Silicon Valley version of shredding documents. All these app companies had evidence of Facebook user data on databases hosted by Facebook. If sharing user data is seen as an invasion of privacy, shutting down the database that had evidence of that was and is a no-brainer. Mark said multiple times that “…we do not share user data with anyone.” That statement is only true in the present tense.
I also want to explain why other statements were incredibly misleading, especially to a non-technical Senator. Mark said he thinks about user data in two buckets: user data on your profile like name, age, favorite bands, and images that users gave Facebook. The other is anything you post to be seen by others in the feed. But there is another bucket! The dark bucket! Mark alluded to a conspiracy theory (which Reply All has a fantastic episode on titled Is Facebook Spying On You?) that posits they are using mobile phones to record personal conversations to better target ads. He unequivocally denied that. As the Reply All episode pointed out, it would probably be too much data anyway. But then, how does Facebook know that you want Charcoal Toothpaste after only just hearing about it at a random marketing conference? I didn’t search that! Or browse to a page selling it! Answer: the data trinity: location data, browsing/search history, and knowing how you are connected with people around you. I was at a marketing conference and Facebook saw several people also at that conference searching for Charcoal Toothpaste and maybe one even bought some (which is actually pretty awesome after all) so they put all that together and now you see those f*&^ing ads all over the internet until you get you some. See, Facebook has data that extends beyond what you give that site and they get it from cookies on your browser when you search on Google or shop on Amazon. It’s like a venereal disease. That little detail was left out. Facebook has given us the internet equivalent of herpes simplex 10.