Facebook told the BBC that the social network has recently uncovered a privacy flaw that lets app developers access group data, which they should not have.
Following the Cambridge Analytica scandal that exposed the data of over 80 million users, Facebook restricted how much information that developers could obtain from individual profile and groups. However, it said that about 100 developers have had access to group data and have been able to obtain their names and photos. The social network did not say how many people have been affected.
“We can be in little doubt that there are groups out there that seek to abuse these kinds of flaws to artificially shape debate, manipulate voters and influence election results,” Mike Beck from the cyber-security company Darktrace said.
Initially, before the Cambridge Analytica scandal, Facebook provided an application programming interface that allowed app developers connect their own creations to the social network. The links appear on peoples’ timelines and they can easily click on whatever they like. In 2018, however, it was discovered that Cambridge Analytica abused the access by harvesting the personal data of millions of users by creating a personality quiz on Facebook. The harvested information was used for political advertising.
The UK’s data protection watchdog imposed a £500,000 fine for its role in the scandal, after which Facebook restricted access to many of its APIs, including the one that allows app developers connect to Groups.
App developers can connect with groups and access the name, number of members and the contents with permission from Facebook. However, members’ names and their photos can only be accessed if the members voluntary opted in.
Nevertheless, Facebook revealed in a blog post that about 100 partners retained their access following the restrictions.
“As part of our ongoing review, we recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access.”
Facebook said further that it will conduct an investigation to see that there was no form of misuse of data. “Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted”, the social network said in a statement.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
