After the massive Cambridge Analytica data privacy scandal, which impacted the personal data of 87 million users, Silicon Valley giant Facebook has been attempting to clean up its data privacy practices. Through a series of internal audits, Facebook is attempting to find every possible occurrences of data being improperly leaked to third-party partners or developers, and then disclosing those occurrences to the public. Thus, it might not come as any surprise that the company has found yet another Facebook privacy breach, this one involving 100 developers with improper access to Facebook Groups data.
Details of the Facebook privacy breach
In the aftermath of the Cambridge Analytica scandal, Facebook sought to turn off the data spigots to its third-party developers, many of whom were abusing their data access. One of the ways that Facebook sought to do this was by restricting access to the Facebook Groups API. This API, which can be used by developers to integrate their apps much more tightly with the overall Facebook experience, unfortunately came with a few loopholes related to personal information and the potential for improper access to personal data.
Prior to 2018, the Groups API enabled access to information such as the names and profile pictures of users connected to Groups. After 2018, Facebook attempted to restrict access to this information. The goal was to give developers access only to the name of the Group, the number of users of that Group, and post content related to that Group. If Group users chose to, they could “opt-in” to having their profile pictures and other profile information made available.
According to a blog post about the Facebook privacy breach from Konstantinos Papamiltiadis, Facebook’s Director of Platform Partnerships, however, Facebook failed to seal down access to the Groups API in over 100 different cases. Primarily, these apps were related to social media management and video streaming. As Facebook notes, there were at least 11 different occurrences over the past two months when third-party app developers had access to the valuable Groups information. But, as Facebook is also quick to point out, there is “no evidence” of abuse. In other words, just because a third-party app developer had access to the data doesn’t mean that the developer actually did anything with the data.
The new, more transparent Facebook
On one hand, of course, Facebook deserves to be applauded for its new transparency. In the past, the company might have not disclosed this Facebook privacy breach publicly. And it certainly would not have been conducting an ongoing internal audit into all of its data-sharing practices to uncover a potential security breach.
On the other hand, it’s clear that the new, more transparent Facebook is only the result of massive regulatory and government pressure. In July 2019, for example, the U.S. Federal Trade Commission (FTC) fined Facebook $5 billion and entered into a settlement with the company over Facebook privacy breaches, in which the tech giant would agree to conduct a “privacy review” of any new product, service or practice. In addition, the company would be expected to conduct regular internal audits of all of its data practices and data-sharing agreements.
That would help to explain why, every few months, news of another Facebook privacy breach makes headlines. Back in September 2019, for example, Facebook suspended tens of thousands of apps for their improper use of Facebook data. While Facebook was again quick to point out that there was “no evidence of abuse,” it’s certainly troubling that tens of thousands of inappropriate apps were circulating on the Facebook platform for so long.
Things are always worse than they originally appear
Another disturbing fact is that, in almost every single Facebook privacy breach, things turn out to be worse than they were originally thought to be. Take, for example, the original Cambridge Analytica data scandal – at first, Facebook said the impact was minimal because the source of the scandal (a personality quiz) was so limited in scope. Then, the company admitted that the Facebook privacy breach extended not just to the users of the quiz app, but also to all the friends of the quiz app user. So Facebook tried to cap its exposure at 50 million people. But after the media dug into the story, the final result was 87 million users impacted by the data breach.
That same story is replicated, to a large degree, in Facebook’s efforts to clean up apps on its platform. At first, Facebook suggested that only a few bad actors were present on the platform. In 2018, Facebook kicked some developers of its platforms, and the thought was that Facebook would be starting over with a fresh new slate in 2019. But then in September, Facebook announced the massive purge of tens of thousands of apps. And now, in November 2019, Facebook announces that the earlier purge still didn’t get rid of all the problems.
Will Facebook ever recover?
Nearly 18 months after news of the Cambridge Analytica scandal first broke, it’s now possible to ask: Will Facebook ever recover from this scandal? Yes, of course, the company has managed to minimize the damage to its stock market valuation, and has also managed to stave off efforts by regulators to deliver a life-threatening blow to its current operations. A $5 billion fine? No problem. A call to appear in front of Congress? No problem. Facebook always seems to dodge a bullet.
But now, a lot of very threatening storm clouds are on the horizon headed into 2020. For one, there is the increasing call to break up Facebook into smaller pieces on antitrust grounds. And, secondly, there is the mounting legal and regulatory liability that Facebook could be facing under the European General Data Protection Regulation (GDPR) and the upcoming California Consumer Privacy Act (CCPA), set to go on the books starting on January 1, 2020. In that context, even a relatively minor Facebook privacy breach involving 100 developers might lead to severe penalties. With that in mind, Facebook needs to be doing everything in its power to prevent rogue developers and partners from gaining access to restricted or privileged data. If not, then Facebook could be headed for a brutal 2020.