Facebook has admitted that it accidentally shared some users’ personal data with approximately 5,000 app developers even after the 90-day cut-off period.
For those unaware, following the 2018 Cambridge Analytica app scandal, which saw the personal data of 87 million Facebook users compromised, the social media giant established the 90-day lock-out policy below, which blocks third-party app developers from accessing a user's data if the user has not used the app for 90 days:
The expiration period for data access is 90 days, based on when the user was last active. When this 90-day period expires, the user can still access your app — that is, they are still authenticated — but your app can’t access their data. To regain data access, your app must ask the user to re-authorize your app’s permissions.
On Wednesday, Facebook explained that a flaw in how it recorded inactivity allowed about 5,000 developers to collect data from users’ profiles even after their 90-day time limit to access data had expired.
“Recently, we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days,” Facebook admitted in a blog post.
“For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months.
“From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving information – for example, language or gender – beyond 90 days of inactivity as recognized by our systems.”
Facebook said it fixed the issue after discovering it, and that it will keep investigating and continue to prioritize transparency around any major updates. It did not mention how many users were impacted.
A company rep stated: “We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.”
In the same blog post, Facebook also announced that it had simplified its platform terms and developer policies to give developers clearer guidance on data usage and sharing and to “ensure businesses and developers clearly understand their responsibility to safeguard data and respect people’s privacy when using our platform.”
It also added: “These new terms limit the information developers can share with third parties without explicit consent from people. They also strengthen data security requirements and clarify when developers must delete data. These changes are just some of the ways we’re improving our platform and making more trustworthy experiences for people using apps on Facebook.”