Facebook Groups API flaw exposed data to 100 developers, company says – Ars Technica

A wall of user photos forms a Facebook logo at the company's data center in Lulea, Sweden.

JONATHAN NACKSTRAND/AFP/Getty Images

More than a year after the Cambridge Analytica scandal came to light, Facebook is once again admitting that some developers have accessed user data that they should not have.

Facebook said in a developer post yesterday that it would be changing developers’ access to a number of APIs, including Groups, after “roughly 100 partners” were found to have extra access. “We recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended,” the company said.

At least 11 developers accessed group members’ information in the last two months, Facebook added. “Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”

The company did not name any of the apps, but it said they were mostly social media management or video streaming apps “designed to make it easier for group admins to manage their groups more effectively and help members share videos to their groups.”

Here we go again

Facebook made significant changes to its various APIs in 2018 after it burped up data on 87 million people to Cambridge Analytica. Cambridge not only accessed a broad swath of data from users who never even interacted with its app but also retained all of the information for years after promising it would be deleted.

Facebook ultimately paid $5 billion in a settlement with the Federal Trade Commission relating to the scandal and agreed to make significant changes to how “partners” access data on the platform.

The 2018 changes still allowed group admins to enable an app for a group, Facebook said, but limited the data those apps could collect to information such as the group’s name, the number of members it has, and “the content of posts.” Users would theoretically have to opt in to having other information, such as their names and profile pictures, pulled in. Given yesterday’s update, however, it seems that didn’t fully take.

In September, Facebook also suspended “tens of thousands” of apps from about 400 developers after they were found to be obtaining data inappropriately, failing to anonymize data, installing malware, or otherwise breaking the company’s terms of service.