Facebook Groups API Fix Fails, Causing Another Data Breach

Facebook says privacy-enhancing measures made to the Facebook Groups API in April 2018 didn’t work effectively, with group member data wrongly disclosed to third-party apps as a result, in yet another data breach by the social media company.

That should have ended early last year, after the company tweaked the Facebook Groups API. Prior to the April 2018 changes, group admins could authorise a third-party app to plug in to a group, giving the app developer access to information in the group.

After last year’s changes, even with a Facebook group admin’s approval, the third-party application would only get the group’s name, number of users, and the content of posts; group members had to opt-in for the application to get their details too.

But a number of apps have still been accessing personal data in recent weeks, the company admitted, saying it saw “no evidence of abuse”.

“We recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access,” Facebook’s Konstantinos Papamiltiadis – director of platform partnerships – wrote on the company’s developers page on Tuesday.

Facebook Groups API Breach: “At Least 11 Partners Accessed Group Members’ Information in the Last 60 Days”

The data breach comes four months after Facebook paid out $5 billion to settle Federal Trade Commission (FTC) charges that the company deceived users about how it was using their private information. The deal was panned by some critics, despite the record fine. FTC commissioner, Rohit Chopra was particularly scathing.

He said the agreement “doesn’t fix the incentives causing these repeat privacy abuses. It doesn’t stop Facebook from engaging in surveillance or integrating platforms. There are no restrictions on data harvesting tactics — just paperwork.”

Papamiltiadis played down the breach this week.

He wrote: “We are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API… We know at least 11 partners accessed group members’ information in the last 60 days.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained.”

He added: “The new framework under our agreement with the FTC means more accountability and transparency into how we build and maintain products. As we continue to work through this process we expect to find more examples of where we can improve, either through our products or changing how data is accessed. We are committed to this work and supporting the people on our platform.”

The apps with access were mostly social media management and video streaming apps, designed to make it easier for group admins to manage their groups more effectively and help members share videos to their groups, he noted.