Personality app leaked sensitive details of 3m Facebook users
16 May 2018
Earlier this year, Facebook found itself in the midst of a massive data security scandal after it came to light that a personality app named thisisyourdigitallife harvested Facebook data of over 87 million users and the same was shared by data analytics firm Cambridge Analytica with political parties during the Brexit referendum and the US presidential election.
After Facebook drew widespread criticism for allowing an external firm to harvest data of millions of users across the globe, Facebook CEO Mark Zuckerberg announced in a blog post that not only did Facebook ban both Kogan and Cambridge Analytica from using its services, it also took steps in 2014 to dramatically limit the data apps could access, and this move stopped apps from collecting data belonging to a person’s friends unless their friends had also authorized the app.
Turns out that thisisyourdigitallife wasn’t the only personality quiz app that harvested sensitive and personal details of millions of Facebook users. An investigation carried out by New Scientist has revealed that another personality app named myPersonality obtained personal information of over 6 million Facebook users since 2011.
“The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. It was meant to be stored and shared anonymously, however such poor precautions were taken that deanonymising would not be hard,” the firm noted.
Data obtained via the personality app were stored and controlled by David Stillwell and Michal Kosinski, two academics at the University of Cambridge, and contained personal details of 6 million Facebook users, half of whom had agreed to share data from their Facebook profiles with the project. The academics then created a database, removed the names of users who took personality tests on the app, and shared the data with hundreds of researchers for academic purposes.
The purpose of removing names of Facebook users from the database was to ensure that the information could not be traced back to the individual user. However, the way such data was shared and how access to it was controlled signified that any one could gain access to it by conducting a simple search on the web.
According to New Scientist, more than 280 people from nearly 150 institutions, including researchers at universities and at companies like Facebook, Google, Microsoft and Yahoo registered as collaborators in the project to access the database. Even Alexander Kogan, the developer behind the much-maligned thisisyourdigitallife app, was registered as a collaborator until the summer of 2014.
Sensitive data accessible to everyone
However, as the firm points out, the database could also be assessed by anyone with access to the Internet. This was because a working username and password for the database was shared on code-sharing website GitHub and could be discovered by anyone after conducting a web search for the credentials. The credentials were initially shared by a university lecturer with some students for a course project and could have been shared by a student on the site.
“The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness, and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people
“Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymising the data can be done very easily,” New Scientist noted.
Facebook has suspended myPersonality app from its platform as it violated existing policies on how data is shared with third parties. “We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it,” said Ime Archibong, Facebook’s vice president of Product Partnerships to New Scientist.