Security news that informs and inspires

Facebook Changes Developer Rules After Apps Improperly Got User Data


On the heels of yet another privacy incident where Facebook app developers received user data when they shouldn’t have, the social networking giant rolled out new terms and policies for developers.

As part of the general crackdown after the Cambridge Analytica data-sharing scandal, Facebook changed the rules so that access to user data was cut off to app developers if the user hadn’t used the app for more than 90 days. In a recent review, Facebook found that some apps were still receiving data from inactive users, wrote Konstantinos Papamiltiadis, the company’s vice-president of product platforms. Papamiltiadis didn’t say how many users were affected or how long the data was being shared beyond three months of inactivity.

The problem has been fixed—”We fixed the issue the day after we found it,” Papamiltiadis said—but it is unclear when that occurred.

This isn’t the first time Facebook let third-parties see user data when they shouldn’t have been able to. In November 2019, Facebook found “some apps,” primarily social media management and video streaming apps, had retained access to group member information such as names and profile pictures via the Groups API “for longer than we intended,” Papamiltiadis said.

Facebook had locked down the Groups API in April 2018 and had implemented new rules around the API a few months later. Even with that oversight, at least 11 partners had accessed group members’ information over the prior 60 days, and 100 developers since the rules had changed, Papamiltiadis said. That incident prompted Facebook to remove the Groups API entirely.

Facebook this week introduced new Platform Terms and Developer Policies, which squarely placed the responsibility of safeguarding user data and respecting user privacy on to the businesses and developers using the platform. The new terms limit the information developers can share with third parties without receiving explicit consent from Facebook users, strengthen data security requirements, and clarify when developers must delete data, said Eddie O’Neill, Facebook’s head of platform.

The new policies and terms go into effect Aug. 31.

Data will be grouped into a two-tiered structure and developers have “clear guidance” on how each tier can be used and shared. “ This new distinction between Platform Data and Restricted Platform Data limits the information developers can share with third parties without explicit consent from users and strengthens our protection of user data,” O’Neill said.

Under these changes, developers are now required to delete data that’s no longer required for a legitimate business purpose, in the event that the app is shut down, or if the data was received in error. Developers also have to delete user data if Facebook tells them to, as well. TechCrunch noted that Facebook’s Terms already allow Facebook to audit third-party apps by requesting remote or physical access to developer systems, which means the company could conceivably reach out to developers if they notice data access problems and force the developer to delete non-compliant data this way.

The latest privacy misstep involves the mechanism which allowed users to use Facebook to sign into third-party apps. Developers can request access to a subset of that user’s data, such as email address, user likes, gender, location, birthday, age range, and preferred language. If someone using a third-party app, say a fitness app, invited Facebook friends on to the app, the app developer was able to see the subset of that friend’s data even if that invited friend was inactive on the app.

Based on the “last several months of data,” Papamiltiadis estimated that “approximately 5,000 developers” continued to collect data such as the user’s preferred language and gender, even after access was supposed to be cut off. Papamiltiadis said there was no evidence that data the user didn’t authorize as part of the original app permissions were shared.

Developers should use the Data Use Checkup tool to review the types of data they have access to via Facebook Platform APIs and confirm that they are using the data in a compliant manner, Facebook’s O’Neill said.