Follow us:
  1. Home
  2. News
  3. Cybersecurity News

Facebook admits to sharing user data in another personal data gaffe

The problem is fixed, but users have heard that before

Photo
Photo (c) Pornpak Khunatorn - Getty Images
Facebook has more egg on its face. Besides the bevy of advertisers pulling their ad dollars over the company’s stance on hateful content, the master spirit of social media has confessed that it erred in sharing the personal data of inactive accounts -- and for longer than it had the authority to do so.

In a blog post, Facebook’s Konstantinos Papamiltiadis, VP of Platform Partnerships, came clean about the mistake, saying that “in some instances” third-party apps collected data from inactive users past the 90-day window that Facebook’s Mark Zuckerberg committed to in the face of the Cambridge Analytics scandal.

What exactly happened

The example that Papamiltiadis used was if someone used a fitness app to invite their friends from their hometown to a workout. He said in an instance like that, Facebook didn’t recognize that some of the user’s friends may have been inactive for several months.

Papamiltiadis estimated that around 5,000 app developers continued to receive some sort of information -- like gender or the language spoken -- but that the company has yet to see any hard evidence that the issue went further than the permissions those inactive accounts originally gave when they signed up for the app.

“We fixed the issue the day after we found it. We’ll keep investigating and will continue to prioritize transparency around any major updates,” Papamiltiadis promised.

Going forward

Whether this is an incident error or an egregious one, Facebook quickly instituted new safeguards to keep this from happening again. 

Those new measures fall under a revision of Facebook’s Platform Terms and Developer Policies, which detail app developers' responsibility to safeguard data and respect people’s privacy when using its platform. Specifically, the company is putting limitations on the information developers can share with third parties without the explicit consent from a user. 

Papamiltiadis said that the updated policy should also strengthen data security requirements and spell out exactly when developers have to delete a user’s data.

Take an Identity Theft Quiz

Get matched with an Accredited Partner

    Share your comments