- Facebook says that 100 of its partners have accessed Groups API data that they shouldn’t have.
- Eleven of them did so during the past couple of months, although Facebook warned everyone not to.
- The violators will merely delete the obtained data, and they will not be banned or even named.
Konstantinos Papamiltiadis of Facebook published a blog post today announcing that one of the company's regular reviews of the recent changes to the Groups API access policy yielded alarming results. As he details, roughly 100 partners have accessed information such as group activity, group names, profile pictures, and more since Facebook imposed the API access restrictions. Eleven of them reportedly did so in the last sixty days. He did clarify that Facebook found no evidence of abuse, so it will ask these partners to delete the data without banning them.
The administrators of Facebook Groups can use third-party tools to manage them, and these tools inevitably access associated information. Facebook made the appropriate changes to stop this from occurring, as it constituted a user privacy risk. The fields that should no longer be accessible include member names, profile pictures, and other data that the platform hasn't specified. Although some partners didn't respect these restrictions, no app names were revealed in Facebook's post. However, Papamiltiadis mentioned that these are primarily social media management and video streaming apps designed to help admins share videos in their groups.
The question that arises is how these apps could retain access to Groups API data even though Facebook changed its policy after the Cambridge Analytica scandal. The answer is complicated. First, Facebook added new rules incrementally and asked its partners to comply, creating some confusion for developers. Secondly, some partners could still access Groups API data if they could justify a legitimate need for it and obtain Facebook's approval. Thirdly, Facebook has a large number of partners engaged in a labyrinthine data management structure, so monitoring every single data handling activity is very challenging.
Mr. Papamiltiadis wrote that Facebook strives to maintain the high standard of security it agreed on with the FTC, so it is sharing this incident in the interest of being transparent with its userbase. Facebook will continue to review everything that is going on and promises to report to the public again if its investigation uncovers practices that put user privacy at risk. This obviously doesn't alleviate any damage that users may have sustained from the incident, but we suppose that using Facebook means accepting the risk. At this point, personal data leaks like this one are largely considered the norm rather than the exception.