Even after Facebook locked down its Groups API in April 2018 to keep developers from accessing user data – including the names and profile pictures of people in specific, sometimes secret, groups – roughly 100 developers might still have gotten at that user information, the platform said on Tuesday.
Konstantinos Papamiltiadis, Facebook’s director of platform partnerships, said in a News for Developers post that the access has inappropriately been left open and that data may have been accessed by some developers for over a year. “At least” 11 partners accessed group members’ information in the last 60 days, he said.
When it made the change in April 2018, Facebook explained that at the time, apps needed the permission of a group admin or member to access group content for closed groups, and the permission of an admin for secret groups.
The apps help admins do things like easily post and respond to content in their groups. Facebook said that it wanted to better protect information about group members and conversations, so it changed things around: with the newly locked-down Groups application programming interface (API), any third-party app would need approval from Facebook and an admin to ensure that the apps were actually benefitting the group.
It shut down the apps’ ability to access the member list of a group and removed personal information, such as names and profile photos, attached to posts or comments that the approved apps could access. After April 2018, if an admin authorized an app’s access, it would only get information such as the group’s name, the number of users, and the content of posts.
An app could still access information such as name and profile picture, but only if group members opted in to that data sharing.
Well, anyway, that’s the way it should have been.
During an ongoing review, Facebook found that some apps were still getting information such as group members’ names and profile pictures.
Most of the apps are for social media management and video streaming: they’re designed to help group admins manage their groups and to do things like help members to share videos to their groups. Facebook gave the example of a business that manages a large community that has members that span multiple groups: such a business could use a social media management app to provide customer service, including customized responses, at scale.
Papamiltiadis said that the number of developers that actually accessed the, supposedly off-limits, data is likely to be less than 100, and that the number has likely decreased over time.
Facebook hasn’t seen any evidence that the developers have abused their data access. Still, it’s asking them to delete any member data they may have retained and plans to conduct audits to confirm that it’s been scrubbed.