
Reset the “days since the last Facebook privacy scandal” counter, as Facebook has just revealed a Photo API bug gave app developers too much access to the photos of up to 5.6 million users.
The bug allowed apps that users had approved to pull their timeline photos to also receive their Facebook Stories, Marketplace photos and, most worryingly, photos they’d uploaded to Facebook but never shared. Facebook says the bug ran for 12 days, from September 13th to September 25th. Facebook tells TechCrunch it discovered the breach on September 25th and informed the European Union’s privacy watchdog, the Office of the Data Protection Commissioner (IDPC), on November 22nd. The IDPC has begun a statutory inquiry into the breach.
Facebook provided merely a glib “We’re sorry this happened” in terms of an apology. It will provide tools next week for app developers to check if they were impacted, and it will work with them to delete photos they shouldn’t have. The company plans to notify people it suspects may have been impacted by the bug via a Facebook notification that will direct them to the Help Center, where they’ll see if they used any apps impacted by the bug. It’s recommending users log into apps to check if they have wrongful photo access. Here’s a look at a mockup of the warning notification users will see:
Facebook initially didn’t disclose when it discovered the bug, but in response to TC’s inquiry, a spokesperson says that it was discovered and fixed on September 25th. They say it took time for the company to investigate which apps and people were impacted, and to build and translate the warning notification it will send impacted users. The delay could put Facebook at risk of GDPR fines, which can go up to 20 million pounds or 4 percent of annual global revenue, for not promptly disclosing the issue within 72 hours.
However, Facebook tells me it notified the IDPC that oversees GDPR on November 22nd, as soon as it established the bug was considered a reportable breach under GDPR guidelines. It says that it had to investigate to make that conclusion and let the IDPC know within 72 hours once it had. The head of communications for the IDPC, Graham Doyle, tells TechCrunch: “The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”
Facebook tells me the bug did not impact photos privately shared through Messenger. The bug wouldn’t have exposed photos users never uploaded to Facebook from their camera roll or computer. But photos users uploaded but either decided not to post, that got interrupted by connectivity issues, or that they otherwise never finished sharing could have wound up with app developers.
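The failure described above is an authorization-scope problem: an app granted access to shared timeline photos received other photo surfaces and unpublished uploads too. The following is an added illustration, not Facebook’s code, using an assumed data model (a `surface` label and a `published` flag per photo, and a constructed grant name `timeline_photos`) to show a check that passes once per request beside one that is enforced per object.

```python
"""Model of the over-broad photo grant. Assumed data model, not Facebook's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: str
    surface: str      # constructed categories: "timeline", "story", "marketplace"
    published: bool   # False = uploaded but never finished sharing


# Constructed sample library for one user.
SAMPLE_PHOTOS = [
    Photo("p1", "timeline", True),
    Photo("p2", "timeline", False),    # upload interrupted, never posted
    Photo("p3", "story", True),
    Photo("p4", "marketplace", True),
]

GRANT = "timeline_photos"   # assumed grant name meaning "shared timeline photos"


def photos_for_app_buggy(photos, granted):
    """Pattern the article describes: the grant is checked once for the
    request, then every photo the user owns is returned."""
    if GRANT not in granted:
        return []
    return [p.photo_id for p in photos]


def photos_for_app_fixed(photos, granted):
    """Object-level enforcement: the grant's meaning (shared timeline
    photos only) is applied to each photo before it is returned."""
    if GRANT not in granted:
        return []
    return [p.photo_id for p in photos if p.surface == "timeline" and p.published]


def overexposed(photos, granted):
    """What an audit of an affected app must look for: ids the buggy path
    handed out that the correct path would have withheld."""
    allowed = set(photos_for_app_fixed(photos, granted))
    return [pid for pid in photos_for_app_buggy(photos, granted) if pid not in allowed]


if __name__ == "__main__":
    print("fixed:", photos_for_app_fixed(SAMPLE_PHOTOS, {GRANT}))
    print("leaked:", overexposed(SAMPLE_PHOTOS, {GRANT}))
```

The `overexposed` diff is the shape of the per-app check a developer tooling step would need to perform when deciding which received photos to delete.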
The privacy failure will further weaken confidence that Facebook is a responsible steward for our private data. It follows Facebook’s massive security breach that allowed hackers to scrape 30 million people’s information back in September. There was also November’s bug allowing websites to read users’ Likes, October’s bug that mistakenly deleted people’s Live videos, and May’s bug that changed people’s status update composer privacy settings. It increasingly looks like the social network has gotten too big for the company to secure. Curiously, Facebook discovered the bug on September 25th, the same day as its 30 million user breach. Perhaps it kept a lid on the situation in hopes of not creating an even bigger scandal.
That it keeps photos you partially uploaded but never posted in the first place is creepy, but the fact that these could be exposed to third-party developers is truly unacceptable. And that Facebook seems so tired of its failings that it couldn’t put forward even a seemingly heartfelt apology is telling. This company’s troubles are not only souring users on Facebook, but employees and the tech industry at large as well. CEO Mark Zuckerberg told Congress earlier this year that “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” What does Facebook deserve at this point?