Facebook discovers it shared user data with at least 5,000 app developers after a cutoff date

SAN JOSE, CA - MAY 01: Facebook CEO Mark Zuckerberg speaks during the F8 Facebook Developers conference on May 1, 2018 in San Jose, California. Facebook CEO Mark Zuckerberg delivered the opening keynote to the FB Developer conference that runs through May 2. (Photo by Justin Sullivan/Getty Images)
Sarah Perez

Facebook says it accidentally allowed around 5,000 developers to access data from their apps' inactive users, even though that access should have been cut off. The company explained on Wednesday that it recently discovered an issue that allowed app developers to continue receiving this information beyond the 90 days of inactivity after which data access is meant to be cut off until the user returns to the app and re-authenticates.

In 2018, Facebook announced a change to the way app developers would be able to access Facebook user data in the wake of the Cambridge Analytica scandal, which saw the personal data of 87 million Facebook users compromised. Among many new restrictions to Facebook's API platform, it introduced a stricter review process for the use of Facebook Login for apps and said it would block apps' access to users' personal data after three months of non-use.

This latter change is the one that was not adhered to in this latest data-sharing incident.

Facebook Login, by way of background, gives app developers a way to make it easier for users to sign into apps using their Facebook credentials. But it also allows developers to request access to a subset of that person's Facebook data, including email, likes, gender, location, birthday, age range and more. It's unclear how many of the 5,000 apps accessed which specific user details. Facebook says apps accessed "for example, language or gender," but Facebook Login isn't limited to those two attributes when requesting user data.

According to Facebook's announcement, the issue didn't impact all apps using Facebook Login but only occurred in certain circumstances. For example, it said, if someone used a fitness app to invite friends to a workout, Facebook didn't recognize that some of those invited friends had been inactive for many months, well beyond the 90-day cutoff.

The estimate of 5,000 apps comes from a review of the past few months' worth of data. Facebook didn't say how many users were impacted. To be clear, these users had originally granted permissions to these apps, but those permissions were meant to have expired.

This new issue is not the same as the one at the heart of the Cambridge Analytica scandal, when an app's user provided access to all of their friend network's data due to the app's shady use of access permissions. But it is another example of how Facebook's friend network leads to data being compromised through someone's personal associations. In this case, user data was inadvertently shared with developers because of a user's connection to a friend who used an app and invited them to try it, too.
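As an added illustration (not Facebook's code; the user names, attributes and timestamps are constructed), the following Python models the 90-day inactivity rule the article describes and contrasts an invite fan-out path that skips the per-friend inactivity check with one that routes every read of user data through the same gate:

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# The rule the article describes: data stops flowing to the developer after
# 90 days of user inactivity, until the user returns and re-authenticates.
INACTIVITY_CUTOFF = timedelta(days=90)

# Constructed sample data: attributes each user granted the app via Facebook Login.
PROFILES = {
    "alice": {"gender": "f", "language": "en"},
    "bob": {"gender": "m", "language": "de"},
}

@dataclass(frozen=True)
class Grant:
    user_id: str
    fields: frozenset       # attributes the user consented to share
    last_active: datetime   # last time this user used the app

def access_allowed(grant: Grant, now: datetime) -> bool:
    """The single inactivity gate every read of a user's data must pass."""
    return now - grant.last_active <= INACTIVITY_CUTOFF

def reauthenticate(grant: Grant, now: datetime) -> Grant:
    """Returning to the app and signing in again restores access."""
    return replace(grant, last_active=now)

def read_fields(grant: Grant) -> dict:
    return {f: PROFILES[grant.user_id][f] for f in sorted(grant.fields)}

def invite_fanout_unchecked(friend_grants, now: datetime) -> dict:
    """Pre-fix behaviour as described: invited friends' data is returned
    without checking each friend's own inactivity, so stale friends leak."""
    return {g.user_id: read_fields(g) for g in friend_grants}

def invite_fanout_checked(friend_grants, now: datetime) -> dict:
    """Hardened form: the invite path uses the same gate as a direct read."""
    return {g.user_id: read_fields(g)
            for g in friend_grants if access_allowed(g, now)}

def demo() -> dict:
    """Constructed scenario: alice used the app 10 days ago, bob 120 days ago."""
    now = datetime(2020, 7, 1, tzinfo=timezone.utc)
    alice = Grant("alice", frozenset({"gender"}), now - timedelta(days=10))
    bob = Grant("bob", frozenset({"language"}), now - timedelta(days=120))
    return {
        "unchecked": sorted(invite_fanout_unchecked([alice, bob], now)),
        "checked": sorted(invite_fanout_checked([alice, bob], now)),
        "bob_after_reauth": access_allowed(reauthenticate(bob, now), now),
    }
```

The point is that the cutoff only holds if every code path that hands user data to a developer, not just the direct profile read, consults the same inactivity check.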

Facebook said the issue has since been fixed and it's continuing to investigate.

Related to this, the company also introduced new Platform Terms and Developer Policies that push more of the legal responsibility for how user data is handled into developers' hands. The terms now limit the information developers can share with third parties without explicit consent from users, strengthen data security requirements, and clarify when developers must delete data.

For instance, the terms now require developers to delete data that's no longer required for a legitimate business purpose, if the app is shut down, if Facebook tells them to, or if data was received in error, the announcement states.

Those last two stipulations are interesting, as Facebook could reach out to developers in the future if it noticed other data access problems like this latest one and inform them that they've received user data in error. The Terms also allow Facebook to audit third-party apps by requesting remote or physical access to developers' systems to ensure compliance with its policies. Facebook could then ask the developer to delete the non-compliant data, as the new Terms require.

How much the wider world would learn about any later issues would be up to Facebook to disclose, as it does today through blog posts.

Developer policies were only one area that received an update. Facebook also updated its Business Terms, including its Business Tools Terms, to cover data involved in certain uses of the Facebook SDK, Facebook Login and social plug-ins. It says it's also making changes to its Commercial Terms to make them clearer.

It will take time to fully analyze which loopholes Facebook is closing with a comprehensive update to its terms like this, and how the changes will affect user data and transparency about subsequent data access issues.

Facebook says the new policies and terms will go into effect August 31, 2020. Developers don't have to take any action to agree to the updates.
