Ever find yourself wondering how many times Facebook will drop the ball when it comes to data privacy? The answer is at least one more time, apparently. In a blog post, Facebook admitted it uncovered a flaw that allowed thousands of third-party app developers to access data that they should not have been able to access.
You may recall that Facebook co-founder Mark Zuckerberg sat before Congress and answered a bevy of questions about data collection practices, privacy practices, and so forth, after the whole Cambridge Analytica scandal. Zuckerberg has gone on record multiple times saying government regulation of these things is not necessarily a bad idea.
One of the criticisms he faced when answering questions was Facebook’s history of screwing up, apologizing, and then screwing up again…rinse and repeat. This latest incident is not going to do anything to quell the criticisms.
So, what happened? As part of an ongoing and expanded effort to do a better job at respecting privacy, Facebook in 2018 tweaked things so that apps would stop receiving updates about a user’s non-public information after 90 days of app inactivity. This includes things like email addresses and birthdates. Something went wrong. Again.
“But recently, we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days. For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months,” Facebook said.
Based on an audit of data from the last several months, Facebook estimates the issue allowed around 5,000 developers to continue receiving information past the 90-day mark. Facebook says it has not seen any evidence that this resulted in sharing information inconsistent with the permissions people gave when logged into Facebook, but that does not come as much consolation.
Facebook said it fixed the issue the day after this was discovered, and promised to keep investigating. Beyond that, it is anyone’s guess how or why this stuff happens.
Going forward, Facebook added new terms and developer policies that “limit the information developers can share with third parties without explicit consent from people.” The social network also says its updated terms “strengthen data security requirements and clarify when developers must delete data.” Sounds great, until the next time something goes wrong.