Facebook admits to yet another shocking example of leaking user data

Facebook has sneakily used a blog post purportedly about "protecting people's data" to reveal that it has failed to do precisely that. In a post in its almost ironically titled Privacy Matters series, Facebook admits that it shared private user data with thousands of app developers when it should not have. Two years ago, Facebook implemented a privacy policy that stopped apps that had not been used for 90 days from sharing data with developers, but it turns out that data was in fact still shared.

The social media giant shamelessly tries to save face by saying that while the way in which this user data was shared ran counter to its own privacy policy, the "issues" didn't result in the sharing of personal information which people had not previously given permission to be shared. This is either deliberately missing the point or treating users with callous off-handedness, and the post shares little in the way of meaningful information about the incident.

Facebook has not given any indication of how many users may have been affected by the data sharing issue. On top of this, and despite using the blog post to insist that it "will continue to prioritize transparency", there is no word about what data may have been shared with developers, nor any suggestion that affected users will be informed that their data was involved.

The company explains the policy it introduced two years ago: "In 2014, we introduced more granular controls for people to decide which non-public information -- such as their email address or their birthdate -- to share when they used Facebook to sign into apps. Later, in 2018, we announced that we would automatically expire an app's ability to receive any updates to this information if our systems didn't recognize a person as having used the app within the last 90 days".

The company goes on to reveal a little information about the data leakage:

But recently, we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn't used the app in the last 90 days. For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn't recognize that some of their friends had been inactive for many months.

From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving information -- for example, language or gender -- beyond 90 days of inactivity as recognized by our systems. We haven't seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.

We fixed the issue the day after we found it. We'll keep investigating and will continue to prioritize transparency around any major updates.

So, what is Facebook doing to improve things? Konstantinos Papamiltiadis, vice president of Platform Partnerships, explains:

As part of our efforts to provide developers with clearer guidance around data usage and sharing, today we’re also introducing new Platform Terms and Developer Policies to ensure businesses and developers clearly understand their responsibility to safeguard data and respect people’s privacy when using our platform.

These new terms limit the information developers can share with third parties without explicit consent from people. They also strengthen data security requirements and clarify when developers must delete data.

Given Facebook's track record in violating its own policies, these changes are unlikely to fill anyone with a great deal of optimism.
