Facebook says it accidentally allowed around 5,000 developers to access data from their app’s inactive users, even though that access should have been cut off. The company explained on Wednesday it recently discovered an issue that had allowed app developers to continue receiving this information beyond the 90 days of inactivity that is meant to cut off data access until the user returns to the app and again re-authenticates.
In 2018, Facebook announced a change to the way app developers would be able to access Facebook user data in the wake of the Cambridge Analytica scandal, which saw the personal data of 87 million Facebook users compromised. Among many new restrictions to Facebook’s API platform, it introduced a stricter review process for the use of Facebook Login for apps and said it would block apps’ access to users’ personal data after three months of non-use.
This latter change is the one that was not adhered to, in the case of this latest data sharing incident.
Facebook Login, by way of background, gives app developers a way to make it easier for users to sign into apps using their Facebook sign-in credentials. But it also allows developers to request access to a subset of that person’s data on Facebook, including things like email, user likes, gender, location, birthday, age range and more. It’s unclear among the 5,000 apps how many access which specific user details. Facebook says apps accessed “for example, language or gender” but Facebook Login isn’t limited to just those two attributes when requesting user data.
According to Facebook’s announcement, the issue didn’t impact all apps using Facebook Login but only occurred in certain circumstances. For example, it said, if someone used a fitness app to invite friends to a workout, Facebook didn’t recognize that some of those invited friends had been inactive for many months — meaning, beyond the cutoff date of 90 days.
The estimate of 5,000 apps comes from a review of the past few months’ worth of data. Facebook didn’t say how many users were impacted. These users had granted permissions to these apps to begin with, to be clear, but those permissions were meant to have expired.
This new issue is not the same as the one that occurred during the Cambridge Analytica scandal, when an app’s user provided access to all their friend network’s user data, due to the app’s shady use of access permissions. But it is another example of how Facebook’s friend network leads to data being compromised through someone’s personal associations. In this case, the user data was inadvertently shared with developers because of a user’s connection to a friend who used an app and invited them to try it, too.
Facebook said the issue has since fixed and it’s continuing to investigate.
Related to this, the company also introduced new Platform Terms and Developer Policies to push more of the data-mining aspects, legally speaking, into developers’ hands. The terms now limit the information developers can share with third parties without explicit consent from users, strengthen data security requirements, and clarify when developers must delete data.
For instance, the terms now require developers to delete data that’s no longer required for a legitimate business purpose, if the app is shut down, if Facebook tells them to, or if data was received in error, the announcement states.
Those last two stipulations are interesting, as Facebook could reach out to developers in the future if it noticed other data access problems, like this latest, and inform the developer that they’ve received user data in error. Facebook’s Terms also allow Facebook to audit third-party apps by requesting either remote or physical access to the developers’ systems, according to these terms, to ensure compliance with its policies. Facebook could then ask the developer to delete the data that is non-compliant, as required by these new Terms.
To what extent the wider world would know about any later issues would be up to Facebook to disclose, as it does today by blog posts.
Developer policies were only one area that received an update. Facebook also updated its Business Terms, including its Business Tools Terms, to also cover data involved with certain usages of the Facebook SDK, Facebook Login, and social plug-ins. It’s making changes to its Commercial Terms to make the terms clearer, as well, it says.
It will take time to fully analyze what loopholes Facebook is closing with a comprehensive update to terms like this and how these will impact user data and transparency about subsequent data access issues.
Facebook says the new policies and terms will go into effect August 31, 2020. Developers don’t have to take any action to agree to the updates.