Facebook accidentally shared user data with at least 5,000 apps, even after the 90-day cutoff date
Facepalm: It seems like every year, there’s some privacy and security issue with Facebook. This time, at least 5,000 apps retained user data access even after they were supposed to lose it automatically.
Facebook has revealed that at least 5,000 app developers had access to user data even after users were inactive for 90 days. Apparently, the security mechanism that automatically cuts off access to user data after 90 days of inactivity failed. The company says that the issue was fixed a day after it was found.
The revelation is part of Facebook’s attempt at transparency in how it manages user data connected to third-party applications. The 90-day cutoff time was part of the security measures implemented following the Cambridge Analytica scandal in 2018. While the company identified how many app developers retained access, it has not yet specified how many users were affected.
To be clear, Facebook says that the information shared was not inconsistent with the permissions given when the user first logged in using Facebook. Furthermore, the issue only happened in certain circumstances, such as inviting friends to work out from a fitness app. Facebook’s algorithms didn’t recognize that those invited friends had been inactive, so their data continued to be shared.
The social media giant is introducing new “Platform Terms and Developer Policies” to ensure that app developers and businesses understand their responsibilities when it comes to user privacy on Facebook. The new terms limit how much data developers can share with third parties without the user’s consent. The new terms also allow Facebook to audit third-party apps that connect to Facebook to ensure compliance. If an app is found to breach these conditions, the developer would be asked to delete the data.
While this security issue isn’t as egregious as Cambridge Analytica, it does continue to showcase how vulnerable user data can be due to how connected everyone is. The new security policies go into effect at the end of August and will hopefully close any loopholes that allow access to user data.