I feel for the person having to update the variation of this sign in Facebook's Menlo Park HQ:
But, unfortunately, the time has come once again. This week, on the Facebook Developer blog, the company has revealed that a flaw in its Groups API may have enabled up to 100 app partners to access group member information, like names and profile pictures, in connection with group activity.
As explained by Facebook:
"Before April 2018, group admins could authorize an app for a group, which gave the app developer access to information in the group. But as part of the changes to the Groups API after April 2018, if an admin authorized this access, that app would only get information, such as the group’s name, the number of users, and the content of posts. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt-in."
Facebook made significant changes to its APIs to limit access in April 2018, and this description above is how the new process is supposed to work. But there was a flaw in Facebook's system:
"As part of our ongoing review, we recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access."
As a result, Facebook says that up to 100 developers may have been able to access this information since it announced restrictions to the Groups API.
"We know that at least 11 partners accessed group members’ information in the last 60 days. Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted."
Facebook says that the apps which could have accessed this information were primarily social media management and video streaming apps.
"For example, if a business managed a large community consisting of many members across multiple groups, they could use a social media management app to provide customer service, including customized responses, at scale. But while this access provided benefits to people and groups on Facebook, we made the decision to remove it and are following through on that approach."
Given the data available in this error - names and profile pictures in connection with group activity - it's not as significant as some of the other data missteps Facebook has had. But still, for a company working to reassure users, and regain trust, any slip-up of this type is significant.
Trust in Facebook is already at all-time lows, and every time there's another issue like this, it not only reminds people of Facebook's previous issues, but it also raises the specter of what else could be. If they've just now detected yet another flaw, surely there are other ways developers are still able to extract Facebook data.
On one hand, it clearly doesn't matter to the majority of users. Facebook continues to grow its active user base, and it has repeatedly noted that privacy issues like Cambridge Analytica have not impacted usage.
On the other, it may be more significantly important to government officials and regulatory bodies examining a possible break-up of the platform - with The Social Network wielding more and more power over public opinion, some political groups believe its time to act. And Facebook clearly sees this as a threat - this week, it launched its new corporate logo, which will now be used to better signify Facebook ownership, and effort to improve user understanding over what Facebook controls.
Facebook will be hoping that will appease some of its critics - but every time there's another data flaw like this, questions will again be raised over the company's capability to manage such insights.
Back to day zero for Facebook's data breach board.