Facebook reveals bug allowed apps access to photos
Facebook Inc. revealed Friday that a major software bug might have allowed third-party apps to wrongly access the photos of up to 6.8 million users, including images that people began uploading to the site but didn’t post publicly.
The mishap, which occurred over a 12-day period in September, adds to Facebook’s mounting privacy headaches after a series of incidents earlier this year in which it failed to fully safeguard the personal data of its users. It has already prompted European regulators to investigate — and brought fresh calls for the company to be fined.
In general, Facebook allows apps by third-party developers to obtain users’ permission and access photos shared on their timeline. Because of the bug, though, roughly 1,500 apps could access “a broader set of photos than usual,” Facebook said in a blog post. That includes photos that a user might have started to post but abandoned before actually publishing, as Facebook keeps a copy of the draft in case the user might want to finish it later.
The software bug also might have allowed developers to access photos they weren’t supposed to on Marketplace, a Facebook hub for users to buy and sell goods, and some posted in Stories, where users can share short photo or video updates that appear for 24 hours.
Friday’s revelation quick drew sharp rebukes from privacy advocates. “It’s stunning that Facebook has the ability to send user photos to third parties when the user has not fully uploaded the photo,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. “It’s like a provider sending draft emails.”
In response, Facebook apologized to users. “Early next week, we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug,” the company said. “We will be working with those developers to delete the photos from impacted users.”
Facebook declined to detail the exact apps that might have obtained these photos or what they might have done with them.
The photo mishap could embolden those who believe Facebook and its peers in Silicon Valley should be regulated for the data they collect about their users. It could also result in fines and other penalties for the company, which is already under investigation in the U.S. for mishandling users’ data. That investigation, initiated by the Federal Trade Commission, is the result of Facebook’s entanglement with Cambridge Analytica, a political consultancy that improperly accessed data on 87 million users.
Rotenberg said the new incident offered “more evidence” that Facebook has run afoul of the 2011 agreement it brokered with the FTC that required the tech giant to improve its privacy practices.
“You can call this a bug, or you can call it what it is: yet another instance of Facebook failing to protect its users’ privacy and running afoul of its 2011 consent decree,” Sen. Edward J. Markey (D-Mass.) tweeted.