Facebook says app developers accessed more user data than permitted
Facebook’s Director of Platform Partnerships Konstantinos Papamiltiadis recently announced that around a hundred app developers retained access to detailed profile information of Facebook users even though the access was restricted by the company in April last year.
Papamiltiadis said that prior to April last year, developers who built apps for Facebook could access information about groups if group admins authorised such access. However, as part of a review of app developers in the aftermath of the Cambridge Analytica scandal, Facebook decided to curb the amount of data that third-party apps could request from users.
Facebook CEO Mark Zuckerberg said that even though his company took steps in 2014 to dramatically limit the data apps could access, Facebook will restrict developers’ data access even further to prevent other kinds of abuse.
These steps would include removing developers’ access to a user’s data if the user hasn’t used an app in three months, restricting the data that a user has to provide to an app during the sign-up process to only name, email address, and a profile photo, and requiring developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data.
As part of its detailed review of third-party apps, Facebook said in September that it had suspended tens of thousands of apps that did not conform to its standards on data collection and access to user data.
Some app developers retained access to detailed user data even after April 2018
Papamiltiadis wrote in a blog post that in April 2018, Facebook decided to limit the information third-party apps could access to information such as “the group’s name, the number of users, and the content of posts”.
However, while carrying out its review, Facebook recently learned that around a hundred app developers retained access to profile information of users in Groups even though the access had been restricted in April last year. Such additional information included names and profile pictures of an unknown number of users.
“We recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access.
“Today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it’s likely that the number that actually did is smaller and decreased over time. We know at least 11 partners accessed group members’ information in the last 60 days,” said Papamiltiadis.
He added that the third-party apps in question were primarily social media management and video streaming apps that allowed group admins to manage their groups more effectively and help members share videos to their groups. While none of the unauthorised access was malicious, Facebook has asked the concerned app developers to delete any user data they may have retained and will conduct audits to ensure compliance.
“Given the pace of feature development on social media platforms, and the complexity of social networks, users must rely on social media platforms to place their privacy expectations above all else. This can and should include a concise page showing what data is both explicitly or implicitly available to which application, data service, Group, or User,” says Tim Mackey, Principal Security Strategist with the Synopsys Cybersecurity Research Center.
“When settings change or new entities gain access to data, users should be alerted to the change. Armed with this information in a concise manner, individual users can then become active participants in managing their personal data and abuses at any level can be readily identified without requiring a government mandate on the social media platform to perform a privacy review,” he adds.