Facebook Privacy Snafu Exposes User Data to Thousands of Apps

Facebook has discovered another back-end privacy issue which meant that thousands of apps continued to receive users’ personal information even after access should have automatically expired.

The social network’s vice-president of platform partnerships, Konstantinos Papamiltiadis, explained in a blog post that rules to limit developer access to Facebook user data were brought in several years ago.

“In 2014, we introduced more granular controls for people to decide which non-public information — such as their email address or their birth date — to share when they used Facebook to sign into apps,” he said.

“Later, in 2018, we announced that we would automatically expire an app’s ability to receive any updates to this information if our systems didn’t recognize a person as having used the app within the last 90 days.”

However, the firm recently discovered that some apps continued to receive previously authorized user data, even though the users concerned hadn’t used the app in 90+ days.

“From the last several months of data we have available, we currently estimate this issue enabled approximately 5000 developers to continue receiving information — for example, language or gender — beyond 90 days of inactivity as recognized by our systems,” Papamiltiadis continued.

“We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.”

The issue was fixed within a day and he said that Facebook is introducing new Platform Terms and Developer Policies to improve transparency further with the developer community and ensure they “clearly understand their responsibility to safeguard data and respect people’s privacy.”

The social network has been tightening its restrictions on third-party developers since the Cambridge Analytica scandal in 2018. In September last year it announced the removal of tens of thousands of apps from hundreds of developers that were suspected of having the potential to abuse policies on user privacy and security.
