Facebook mistakenly shared some users’ personal data with outside developers for a longer period of time than promised, in a breach of policies the social network implemented following the Cambridge Analytica scandal of 2018.
The company previously said that third-party app developers would be blocked from accessing user data if a person didn’t interact with the developer’s app for 90 days. At that point, the developer would be required to ask users for permission to re-access their data, including information like email addresses, birthdays and hometowns.
That failed to happen in some instances, Facebook said Wednesday in a blog post. If a user of a third-party app was also connected to a Facebook friend through that app, developers are allowed to pull data from both users at once. But a flaw in the company’s system meant developers who pulled data from one active user could also see data from that user’s friend, even if the friend had not opened the app in more than 90 days, a spokesperson said. The issue applies to apps from some 5,000 developers, but the company didn’t disclose how many users might be affected.
“We fixed the issue the day after we found it,” Facebook wrote in a blog post. “We’ll keep investigating and will continue to prioritize transparency around any major updates.”
The flaw was discovered by a Facebook engineer two weeks ago, and the company says it doesn’t have reason to believe any of the data was misused, the spokesperson said.
Facebook has a long history of blunders when it comes to sharing user data with third parties. The 90-day limit was imposed in response to the revelation more than two years ago that Cambridge Analytica, a political data-analytics firm, had purchased the personal information of millions of Facebook users that was harvested without their knowledge through quiz apps using the social network’s login feature.
At the time, Facebook clamped down on many of its data-sharing products and implemented new rules requiring users to more clearly grant outside apps permission to collect their information. It also signed a $5 billion privacy settlement with the Federal Trade Commission in mid-2019 following an investigation that resulted from the Cambridge Analytica disclosures.