Once again Facebook admits a privacy problem: the social network shared its users' data with third-party companies by mistake
Facebook shared its users' data with third-party companies due to a bug in the system. In the meantime, however, with this mistake, for the umpteenth time the privacy of users was compromised and thousands of third-party app developers had access to the sensitive data of members.
The company had already ended up in the crosshairs of privacy watchdogs after the Cambridge Analytica scandal in 2018. Since then, it doesn't seem to find peace when it comes to security, between errors and bugs that lead to the sharing of sensitive user data. This time, the bug affected precisely one of the security systems introduced by Facebook to ensure privacy: the data of users inactive for 90 days was shared with 5 thousand third-party app developers, even though it should have remained private after that time period.
Facebook and the 90-day rule after the Cambridge Analytica scandal
In 2018, the company founded by Mark Zuckerberg was the protagonist of the Cambridge Analytica scandal, which raised many questions, still unresolved apparently, about the security and privacy of members of the social network. On that occasion, Cambridge Analytica had collected the personal data of millions of Facebook users without their consent and used them to make political propaganda.
Facebook thus ended up in the eye of the storm, so much so that Zuckerberg had to testify even before the U.S. Congress and explain what happened. Since then, the social network has had to work to offer greater privacy to its users, also committing to limit misinformation with systems to combat fake news and propaganda.
After the scandal, Facebook introduced new measures to safeguard the privacy of its users. In particular, one that provides that developers of third-party apps installed on the user's smartphone, after 90 days of last use, no longer have access to his data. This is a way to prevent third-party companies from accessing the data of a user who is now considered "inactive", who has perhaps lost interest in the app or has forgotten to have it installed.
Inactive users on Facebook: data shared due to a bug
Something in the 90-day rule didn't work as it should have. Due to a bug, third-party apps that had received users' initial permission continued to receive their data even when, after the 3 months had passed, they should have been considered as "inactive". Konstantinos Papamiltiadis, Facebook's director of developer programs and platforms, said, "We found that some apps continued to receive data from people who had previously authorized them, even though they were inactive users for more than 90 days."
Director Papamiltiadis explains, "Let's take an example. You've installed a fitness app and want to share your workout session with your friends, inviting them to connect. Some of those who received the invitation, had been inactive for many months and we didn't notice, so their data was released."
Facebook said it has already fixed the problem and that the bug has been fixed, but did not release details on the number of accounts involved, nor the nature of the data disclosed without explicit consent. The only reassurance to users was that no additional data was released beyond what the user had initially authorized to the app. But doubts about the security of Facebook and the privacy of its users, after yet another bug, remain.