clock menu more-arrow no yes mobile

Filed under:

Facebook warns “most users” have had their data harvested by third-party apps

The company is closing off vulnerable loopholes to third-party apps — including some that seem long overdue.

Javier Zarracina/Vox; AFP/Getty Images
Aja Romano writes about pop culture, media, and ethics. Before joining Vox in 2016, they were a staff reporter at the Daily Dot. A 2019 fellow of the National Critics Institute, they’re considered an authority on fandom, the internet, and the culture wars.

Facebook’s woes continue to mount in the midst of the Cambridge Analytica scandal. On Wednesday, in a lengthy post to its online newsroom, the company addressed numerous vulnerabilities in its API that could allow user data to be harvested by unscrupulous third-party app developers.

Among them was the revelation that “most people” on Facebook had their public profile data scraped by third-party apps. This vulnerability came through a key search functionality — the ability to find people by email and phone number — which had, until yesterday, allowed third-party apps to gather a large amount of public user profile information.

“Given the scale and sophistication of the activity we’ve seen,” Facebook’s chief technology officer Mike Schroepfer wrote, “we believe most people on Facebook could have had their public profile scraped in this way.“

In addition to this revelation, the company admitted on Wednesday that the total number of users affected by the Cambridge Analytica data scrape was much higher than previously reported. The total wasn’t 30 million, as originally reported in 2017, or 50 million, as reported last month, but might be potentially as high as 87 million. The vast majority of affected users were in the US.


Facebook’s tiny footnote reads, “We do not know precisely what data the app shared with Cambridge Analytica or exactly how many people were impacted. Using as expansive a methodology as possible, this is our best estimate of the maximum number of unique accounts that directly installed the thisisyourdigitallife app as well as those whose data may have been shared with the app by their friends.”

“Thisisyourdigitallife” refers to the name of the app that Cambridge Analytica used to harvest Facebook data between 2013 and 2015, when Facebook revoked the app’s access to its API.

Wednesday’s post detailed Facebook’s attempt to close many loopholes across its platform, in response to both the Cambridge Analytica fiasco and the new privacy regulations Europe has mandated for Facebook, which take effect next month.

Facebook will now make the changes required by European law — which include giving users more control over their privacy settings and clearer access to those settings — available to all users. It will also tell users if they were affected by the Cambridge Analytica data scrape specifically. Facebook demonstrated with a sample mock-up alert what this notification would look like:


Other potential vulnerabilities the company is addressing include a range of public data, from public profiles to direct ad targeting to event pages, that the company has newly made unavailable to apps and third parties. It’s also ramping up its authorization process for apps and will no longer allow old and unused apps to continue to collect users’ data.

To this end, one of its biggest changes involves the way it handles third-party apps that log you in to Facebook on other sites. A longstanding feature of Facebook’s API allows you to log in to virtually any website through your Facebook account. Now, however, the company is making it much, much harder for websites that use this login feature to access your user data in exchange.

According to the company’s developer blog, ”access to checkins, likes, photos, posts, videos, Events, and Groups” that are being scraped by these sites will now require the app to undergo “prior approval by Facebook” in which they will need to “comply with rigorous policies and terms.” The company has not yet publicly stated what those terms will be. In addition, a litany of data will no longer be accessible to these third-party apps, including any of the following data you may have shared on your profile:

religion and political views, relationship status, relationship details, custom friend lists, about me, education history, work history, my website URL, book reading activity, fitness activity, music listening activity, video watch activity, news reading activity, games activity.

Finally, these apps will no longer be able to see lists of your taggable and mutual friends.

The obvious question arising from all this is: Why did it take Facebook so long to recognize that these were potential, glaring vulnerabilities that might put users’ privacy at risk — or, at the very least, that users might not want to be shared outside of their control?

The short answer is that until Cambridge Analytica exposed this underbelly of Facebook’s open API, all of this was a feature, not a bug, for Facebook. Making user data accessible to third parties, particularly in exchange for allowing websites all over the world to access Facebook logins, essentially allowed it to consolidate power across the internet, making it that much harder for you to extricate Facebook from the rest of your life.

It’s also important to note that cries for Facebook to be more strictly regulated, like any other business, have gone unheeded for years — until now. Note that it’s Europe, not the US, that is stepping in to regulate the company now, though Mark Zuckerberg will testify before Congress next week. In essence, Facebook’s wake-up call has been a wake-up call for everyone, and it’s unlikely the company’s damage control will end here.

Sign up for the newsletter Today, Explained

Understand the world with a daily explainer plus the most compelling stories of the day.