> The crucial point here is that the users authorized the app to collect the data
A quarter of a million people authorized the app to collect their data. It then gained access to fifty million people's data. Those extra data were accessed without proper authorization. All of the data were then used in an unauthorized manner.
> What technical measures did he need to circumvent in order to get access to the data that you say constitutes a “breach?”
"Breach" isn't constrained to technical vulnerabilities. If an FSB agent walks out of Langley with a bunch of sensitive CIA documents, that constitutes a breach.
I get the point you’re trying to make, but I’m skeptical that a breach can be non-technical if there exists a technical framework whitelisting what apps can and cannot do. By implementing an explicit system for granting app access to user accounts, Facebook is effectively setting the boundaries of apps within that system. How can Facebook then arbitrarily pick an app utilizing the system that Facebook set up to protect user data, and say the app is breaching user data? If it’s a breach, the problem is the system by Facebook. If that’s true, then there must be a “bug” (technical or not) that Kogan exploited in the system. In that case I would expect Facebook to fix the “bug.” Yet the bug is the system itself. There is nothing to fix.
> If it’s a breach, the problem is the system by Facebook. If that’s true, then there must be a “bug” (technical or not) that Kogan exploited in the system
Kogan exploited Facebook's lack of verification around restricting third parties' data access to that which users had authorized to be accessed by third parties. He should have only been able to collect a quarter of a million users' data. He was given access to more than he was properly authorized to access.
Kogan also exploited Facebook's lack of verification around his use and retention of the former's users' data.
Regulation to say what? That people can't freely give away their own data? To tell Facebook not to share people's data with other apps, even if the users themselves authorize it?
GDPR would not have permitted the disclosure of users' "facebook friends" data to a third party automatically without explicitly asking those users first. That is an example of a relevant regulation which would've prevented this.
I don't really care if you want to give a lot of your personal data in exchange for filling out a quiz that is unrelated to what your personal data will be used for, but the network effect (combined with how many things your "facebook friends" can see) of Facebook means that other people in your social graph should care.
(FWIW, I agree that "breach" is the wrong word. It's far too soft on Facebook. "Exploitation of the soon-to-be-criminal disrespect for users' privacy" is much more accurate IMO.)