As many as 100 developers may have had improper access to Facebook user data due to an oversight in the way permissions were revoked, according to a post on the company’s developer blog on Tuesday.
The names and profile pictures of people in certain Groups on the platform, linked with their activity in those Groups, were still accessible to some software developers — despite the company changing access parameters back in April 2018, Facebook’s director of platform partnerships Konstantinos Papamiltiadis wrote.
Of the “roughly 100 partners” who had retained user data access through the Groups API over the past 18 months, “at least 11 partners accessed group members’ information in the last 60 days,” the post said.
The changes were supposed to work as follows:
“Before April 2018, group admins could authorize an app for a group, which gave the app developer access to information in the group. But as part of the changes to the Groups API after April 2018, if an admin authorized this access, that app would only get information, such as the group’s name, the number of users, and the content of posts. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt-in.”
April 2018, you say? Yes, this was one of the changes made in the wake of the Cambridge Analytica revelations in March last year, as part of the company’s promise to clean up its policies and practices around user data and who has access to it.
Most recently, in September this year, Facebook suspended “tens of thousands” of apps from the platform for unspecified reasons.
While Facebook says it’s asked the developers concerned to delete any information they’ve retained and will perform “audits” to ensure follow-through, the post didn’t specify which groups were affected, how many users’ data was accessed, how many times, or which developers were involved. And unlike the app suspension news, this disclosure was made on the For Developers blog, not the more public-facing Newsroom.
Facebook assures users — or at least developers — that they’re aware of “no evidence of abuse” of this data. But given this news, it’s hard not to wonder what else they’ve missed.