Facebook told the BBC that the social network has recently uncovered a privacy flaw that let app developers access group data they should not have had.
Following the Cambridge Analytica scandal that exposed the data of over 80 million users, Facebook restricted how much information developers could obtain from individual profiles and groups. However, it said that about 100 developers have had access to group data and have been able to obtain members' names and photos. The social network did not say how many people have been affected.
“We can be in little doubt that there are groups out there that seek to abuse these kinds of flaws to artificially shape debate, manipulate voters and influence election results,” Mike Beck from the cyber-security company Darktrace said.
Initially, before the Cambridge Analytica scandal, Facebook provided an application programming interface that allowed app developers to connect their own creations to the social network. The links appear on people's timelines and they can easily click on whatever they like. In 2018, however, it was discovered that Cambridge Analytica had abused this access, harvesting the personal data of millions of users through a personality quiz it created on Facebook. The harvested information was used for political advertising.
The UK's data protection watchdog imposed a £500,000 fine on Facebook for its role in the scandal, after which Facebook restricted access to many of its APIs, including the one that allows app developers to connect to Groups.
App developers can connect with groups and access a group's name, number of members and contents with permission from Facebook. However, members' names and their photos can only be accessed if the members voluntarily opted in.
Nevertheless, Facebook revealed in a blog post that about 100 partners retained their access following the restrictions.
“As part of our ongoing review, we recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access.”
Facebook further said that it will conduct an investigation to confirm that no data was misused. “Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted,” the social network said in a statement.