Facebook Bans Second App Ever Over Privacy Issues as Cambridge Analytica Fallout Continues

August 23, 2018, 1:12 AM UTC

Under fire for failing to adequately police third-party apps on its service in the wake of the recent Cambridge Analytica scandal, Facebook has permanently banned the personality quiz app myPersonality.

The decision by Facebook, announced on Wednesday, comes after it had temporarily suspended the app on April 7 shortly after it was revealed that political consulting firm Cambridge Analytica had allegedly misused Facebook user data. The myPersonality app has no direct connection to Cambridge Analytica, but it had spurred the creation of a similar app that is at the heart of that controversy.

Facebook said that myPersonality’s creators, which include David Stillwell of University of Cambridge’s Psychometrics Centre, refused to cooperate with an audit of how data their app gathered was protected and shared. Facebook also said that the protection of data collected by the app was inadequate.

In a statement to Fortune, Stillwell disputed Facebook’s conclusion, saying that “all necessary consents were explicitly and repeatedly provided by all Facebook users when using the myPersonality app.” He added, “When the app was suspended three months ago I asked Facebook to explain which of their terms was broken but so far they have been unable to cite any instances.”

Stillwell declined via email to Fortune to confirm whether he had declined an audit, and the statement doesn’t address how well secured the data was against unauthorized access.

The app, developed at the University of Cambridge in 2007, gathered profile information from about four million users, Facebook said, higher than previously estimated. The Psychometrics Centre website states that only 40%, or 2.4 million people, agreed to share the Facebook profile out of 6 million who took the test. But that number appears to be several years old. A New Scientist investigation in May 2018 suggested the number was roughly three million.

Facebook believes the four million figure is accurate, however. “This is the best estimation we can come up with—who we know who directly installed the app itself,” said a Facebook spokesperson.

Facebook said little data had been collected by the app since 2012. Stillwell stated pointedly, “The app has not been in use since July 2012 so this ban is nonsensical and purely for PR reasons.”

That New Scientist report stated that the data collected by myPersonality lacked reasonable online protections, and could be accessed easily by finding login credentials stored openly (and accidentally) in an unrelated party’s code archive. The investigation also said the data, intended to be distributed in a way that would prevent identification of individuals, contained enough personal characteristics to re-connect profile data with individual users, or deanonymize the profiles.

Facebook also said on Wednesday that it had suspended a total of 400 apps since March, up from 200 at the last public report. Facebook started a review of third-party apps on its service following news reports about Cambridge Analytica’s use of Facebook profiles. That was followed by government hearings in the United States, the United Kingdom, and elsewhere, in which executives were grilled about the lack of oversight of how extracted data was used.

Facebook’s reasons for those app suspensions include concerns about the developers or how the developers used information shared with the apps. A Facebook spokesperson said, “We will suspend the app if there is any suspicious activity while we investigate,” which could include requiring an audit with access to servers and data.

MyPersonality is only the second app that Facebook has ever banned. The first was a personality-testing app developed in 2013 by Aleksandr Kogan, then working as a research associate in the Department of Psychology at Cambridge, of which the Psychometrics Centre is part. Cambridge Analytica relied on Kogan’s data as part of its pitch for micro-targeting advertising for political campaigns, such as that of Donald Trump.

Kogan gathered data about as many as 87 million Facebook users by using an option then available to developers that let them grab details about users’ friends, not just the user.

Cambridge Analytica has not been charged with a crime.

A Facebook spokesperson said the company found no evidence that the myPersonality app retrieved information about the quiz takers’ friends, and that it would not notify the friends of the four million users at the center of the myPersonality app ban. Stillwell agreed in his statement: “Data was not sought nor obtained from users’ friends.”