Facebook app left 3 million users’ data exposed for four years

After being burned to a crisp having been found to be manhandling Facebook users’ data, Cambridge Analytica’s ashes blew away on 2 May.

Before it did, former employees had told Gizmodo that they knew the writing was on the wall for the data analytics company, but they didn’t realize how fast the flames would engulf it.

It felt unjust, they seemed to believe. They were just a “typical member of their industry caught in a media firestorm,” as Gizmodo put it. You can see why they’d feel unfairly singled out: in short order, it became clear that Cambridge Analytica wasn’t an aberration. A twin named Cubeyou turned up in April: yet another firm that dressed up its personal-data snarfing as “nonprofit academic research,” in the form of personality quizzes, and handed over the data to marketers.

And now, we have a triplet.

A New Scientist investigation has found that yet another popular Facebook personality app used as a research tool by academics and companies – this one is called myPersonality – fumbled the data of three million Facebook users, including their answers to intimate questionnaires.

Academics at the University of Cambridge distributed data from myPersonality to hundreds of researchers via a website with lousy security… and left it there for anybody to get at, for four years.

New Scientist described the data as being “highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests.” It was meant to be stored and shared anonymously, but “such poor precautions were taken that deanonymising would not be hard,” it reports.

People had to register as a project collaborator to get access to the full data set, and more than 280 people from nearly 150 institutions did so, including university researchers and those from companies including Facebook, Google, Microsoft and Yahoo.

No permanent academic contract? No big-name company paying you to do research? No problem. For four years, there’s been a username and password to get at the data. The credentials have been sitting on the code-sharing website GitHub. A simple web search would lead you to the working credentials.

Besides being an academic project, myPersonality, like its personality quiz siblings, let commercial companies – or, at least, their researchers – get their hands on the data.

For its part, Cambridge Analytica accessed data from an app called This Is Your Digital Life, developed by Cambridge University professor Aleksandr Kogan, who’s at the center of the Cambridge Analytica allegations. (Kogan was previously on the myPersonality project, as well). As long as the researchers agreed to abide by strict data protection procedures and didn’t directly earn money from the data set, such companies were allowed access, according to New Scientist.

More than six million Facebook users completed the tests on myPersonality, and nearly half agreed to share data from their Facebook profiles with the project, according to the news outlet:

All of this data was then scooped up and the names removed before it was put on a website to share with other researchers. The terms allow the myPersonality team to use and distribute the data ‘in an anonymous manner such that the information cannot be traced back to the individual user’.

This, however, was not how the data was handled. Pam Dixon, with the World Privacy Forum, told New Scientist that besides posting a publicly available password to get at the data set, and besides allowing access to hundreds of researchers, the anonymization wasn’t up to snuff. Each Facebook user was given a unique ID that pulled together data including their age, gender, location, status updates, results on the personality quiz and more.

With all that, deanonymizing the data would be a snap, Dixon said. As we’ve written about, the more data you string together, the less time it takes to correlate it all to the point of being able to strip away anonymity.
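As an added illustration that is not part of the original article, the Python below measures how re-identification risk grows as more attributes are tied to one opaque user ID, using a constructed toy dataset with the same kinds of fields Dixon lists; the records and field names are assumptions, not anything from the myPersonality export.

```python
from collections import Counter
from itertools import accumulate

# Constructed sample: a few "anonymised" records of the kind the article
# describes, each keyed only by an opaque user ID. No real data.
RECORDS = [
    {"uid": "u001", "gender": "F", "age": 24, "location": "Leeds",   "status_date": "2014-03-02"},
    {"uid": "u002", "gender": "F", "age": 24, "location": "Leeds",   "status_date": "2014-03-09"},
    {"uid": "u003", "gender": "F", "age": 24, "location": "Bristol", "status_date": "2014-03-02"},
    {"uid": "u004", "gender": "M", "age": 24, "location": "Leeds",   "status_date": "2014-03-02"},
    {"uid": "u005", "gender": "M", "age": 31, "location": "Leeds",   "status_date": "2014-03-02"},
    {"uid": "u006", "gender": "M", "age": 31, "location": "Leeds",   "status_date": "2014-03-02"},
    {"uid": "u007", "gender": "F", "age": 31, "location": "Bristol", "status_date": "2014-03-09"},
    {"uid": "u008", "gender": "F", "age": 31, "location": "Bristol", "status_date": "2014-03-09"},
]

def equivalence_classes(records, quasi_ids):
    """Group records by their tuple of quasi-identifier values.
    Records in the same class are indistinguishable on those attributes."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)

def k_anonymity(records, quasi_ids):
    """The k of k-anonymity: size of the smallest equivalence class.
    k == 1 means at least one person is uniquely identifiable."""
    return min(equivalence_classes(records, quasi_ids).values())

def unique_fraction(records, quasi_ids):
    """Share of records alone in their class, i.e. re-identifiable by
    anyone who already knows just those attributes about a person."""
    classes = equivalence_classes(records, quasi_ids)
    singles = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return singles / len(records)

def risk_profile(records, fields):
    """Repeat the measurement as each extra attribute is linked to the ID,
    which is what the article says the shared data set did."""
    return [(tuple(qs), k_anonymity(records, qs), unique_fraction(records, qs))
            for qs in accumulate(([f] for f in fields), lambda a, b: a + b)]

if __name__ == "__main__":
    # A release check a data controller can run before sharing: stop adding
    # fields once k drops to 1 or the unique share becomes unacceptable.
    for qs, k, frac in risk_profile(RECORDS, ["gender", "age", "location", "status_date"]):
        print(f"{'+'.join(qs):38s} k={k}  unique={frac:.0%}")
```

On the toy data the unique share climbs from 0% with gender alone to 50% once gender, age, location and a status date are all linked to the same ID, which is the effect the paragraph above describes.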

Dixon, with regards to the data collected by the myPersonality app:

You could re-identify someone online from a status update, gender and date.

Facebook suspended myPersonality on 7 April. The app is currently under investigation for potentially having violated the platform’s policies due to the language used in the app and on its website to describe its data-sharing practices.

MyPersonality is only one of many: Facebook on Monday announced that it had suspended 200 apps so far in the app investigation and audit that CEO Mark Zuckerberg promised following the Cambridge Analytica scandal.

The Information Commissioner’s Office (ICO) is investigating myPersonality. In fact, the University of Cambridge told New Scientist that it was alerted to the issues surrounding myPersonality by the ICO. The university says the app was created before the data set’s controllers – David Stillwell and Michal Kosinski, at the University’s Psychometrics Centre – joined the university.

New Scientist quoted the university’s statement:

[The app] did not go through our ethical approval processes… The University of Cambridge does not own or control the app or data.

Readers, are any of you still using this type of Facebook personality quiz? I’m expecting a “Hell, NO” strong enough to shake the halls over at Facebook headquarters, but please, do tell in the comments section below. If you’re staying the course, you might want to take a peek at our tips on How to protect your Facebook data.