Facebook alerts 14M to privacy bug that changed status composer to public

Facebook has another privacy screw-up on its hands. A bug in May accidentally changed the suggested privacy setting for status updates to public from whatever users had set it to last, potentially causing them to post sensitive friends-only content to the whole world. Facebook is now notifying 14 million people around the world who were potentially impacted by the bug to review their status updates and lock them down tighter if need be.

Facebook’s Chief Privacy Officer Erin Egan wrote to TechCrunch in a statement:

We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have. We’d like to apologize for this mistake.

[Clarification: No existing status updates had their privacy setting changed. The composer’s setting was changed, so any posts published by affected users during the bug might have been shared publicly when users assumed their composer was still set to something more private.]

The bug was active from May 18th to May 22nd, but it took Facebook until May 27th to switch people’s status composer privacy setting back to what it was before the issue. It happened because Facebook was building a “featured items” option on your profile that highlights photos and other content. These featured items are publicly visible, but Facebook inadvertently extended that setting to all new posts from those users.

The issue has now been fixed, and everyone’s status composer has been changed back to default to the privacy setting they had before the bug. The notifications about the bug leads to a page of info about the issue, with a link to review affected posts.

Facebook tells TechCrunch that it hears loud and clear that it must be more transparent about its product and privacy settings, especially when it messes up. And it plans to show more of these types of alerts to be forthcoming about any other privacy issues it discovers in the future.

Facebook depends on trust in its privacy features to keep people sharing. If users are worried their personal photos, sensitive status updates, or other content could leak out to the public and embarrass them or damage their reputation, they’ll stay silent.

With all the other issues swirling after the Cambridge Analytica scandal, this bug shows that Facebook’s privacy issues span both poorly thought-out policies and technical oversights. It moved too fast, and it broke something.