Facebook confesses improperly administered limit gave developers unauthorized access to user data

Facebook has revealed that around 5,000 developers continued to have access to personal user information beyond the stipulated time period. 

When using an app through Facebook, users grant certain rights to developers so that non-public information such as their email address and birth date can be shared. In 2018, as a part of the changes introduced after the Cambridge Analytica data harvesting episode, the company said developers wouldn’t be privy to that information if a user has not been active on their app for 90 days.

The social media giant has now revealed that due to a problem with how this policy was implemented, a good many developers continued to receive updates to user information well after their rights had expired.

For instance, if someone had invited their friend to use a fitness app and later stopped using it, Facebook failed to interpret that if the friend was still active on the app.

The 5,000 figure for developers is an estimate and the actual figure could very well be higher. It’s not known how many users were affected and what kind of information was siphoned off, but the firm has given the example of gender and language. The company does assure that developers were only able to see data for which permission was previously granted by users.

The issue has now been fixed. 

Facebook has cleverly put part of the responsibility on developers, saying they have as much of a role as Facebook in safeguarding people’s data. The company has now come up with new Platform Terms and Developer Policies which will limit data developers can forward to third parties without explicit consent from users first. The policy also outlines when data developers have on people must be deleted. 

While this step is certainly a welcome change, the new data breach incident couldn’t have come at a worse time.

Many leading companies have currently paused advertising on Facebook and Instagram because of the platform’s lack of action on removing inflammatory content. 

This comes two years after CEO Mark Zuckerberg had to face the US Congress over the aforementioned Cambridge Analytica scandal. To recap, the political consulting firm Cambridge Analytica used personal data without permission and Facebook failed to make it delete it. 

The Federal Trade Commission slapped it with a $5 billion fine last year for deceptive disclosures and privacy issues. It also settled with the Securities and Exchange Commission after agreeing to pay a $100 million for misleading disclosures about the misuse of data.