Facebook Privacy Glitch Gave 5K Developers Access to ‘Expired’ Data

facebook privacy developers

Facebook has fixed a privacy issue that gave developers access to user data long after the 90-day “expiration” date.

Facebook is facing yet another privacy faux pas in how its users’ data is collected and used by third-party apps. The social media giant said that it recently discovered that 5,000 developers received data from Facebook users — long after their access to that data should have expired.

In 2018, on the heels of the Cambridge Analytica privacy incident, Facebook debuted stricter controls over data collection by third-party app developers. As part of that, Facebook announced it would automatically expire an app’s ability to receive a user’s data if they hadn’t used the app in 90 days.

However, recently, “we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days,” said Konstantinos Papamiltiadis, vice president of Platform Partnerships with Facebook, in a Wednesday post.

For example, “this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months,” he said.

Facebook estimates that 5,000 developers were able to continually receive information (such as language or gender) on “inactive” app users, in this manner. It has since fixed the issue.

The company said it hasn’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook, however.

Facebook’s privacy troubles began in 2018 after its Cambridge Analytica privacy snafu. After that, the company said it suspended tens of thousands of apps as part of its ongoing investigation into how third-party apps on its platform collect, handle and utilize users’ personal data. And then in 2019, Facebook found that 100 third-party app developers improperly accessed the names and profile pictures of members in various Facebook groups.

“Facebook is a data-aggregation company first and foremost. Given this, it’s of no surprise that slip ups occasionally occur around the handling of the vast amount of raw and post-processed data they house,” Jonn Callahan, principal AppSec consultant at nVisium, told Threatpost. “This is especially true given their track record. It’s clear that proper handling of the collected data comes second to the monetization of the data.”

To bolster its privacy policies, earlier in June, Facebook said it had started to report its privacy practices to a newly formed, independent Privacy Committee. The creation of the independent committee was part of the company’s settlement a year ago with the Federal Trade Commission (FTC) over data-privacy violations, which came in addition to a $5 billion fine (which was derided as “chump change” by lawmakers and privacy analysts).

Facebook said on Wednesday it would attempt to further tighten its policies around third-party data collection by providing developers with clearer guidance around data usage and sharing.

“Today we’re also introducing new Platform Terms and Developer Policies to ensure businesses and developers clearly understand their responsibility to safeguard data and respect people’s privacy when using our platform,” Papamiltiadis said. “These new terms limit the information developers can share with third parties without explicit consent from people. They also strengthen data security requirements and clarify when developers must delete data.”

Brendan O’Connor, CEO and co-founder of AppOmni, said Facebook does deserve some kudos for its recent steps in attempting to control data collection by developers. “Raising awareness of unused applications and helping users make better data privacy decisions is a big step in the right direction, and Facebook deserves some credit for their approach,”  he told Threatpost.

Threatpost has reached out to Facebook for further comment on the privacy flaw, as well as its new privacy policies for developers.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles