December 18, 2018
Facebook said it discovered a bug that allowed unauthorized access to third-party apps of private photos, impacting about 6.8 million users. Facebook engineering director Tomer Bar said the company fixed the issue that allowed such apps “access to a broader set of photos than usual.” Starting with the Cambridge Analytica harvesting of user data, Facebook has had a string of problems related to data privacy, most recently with a serious hack in September that compromised the Facebook accounts of millions of users.
The New York Times reports that, more specifically, “around 1,500 third-party apps had access to users’ uploaded photos — even if they had not posted them publicly to Facebook — from September 13 to September 25,” although Facebook “doubted that all 1,500 apps gained access to the social network during those 12 days” and is “contacting the 876 developers who had built the apps and asking them to check and delete any photos they may have retrieved improperly.”
The bug was discovered on September 25, “the same day Facebook discovered a data breach that affected 30 million users.”
This latest breach “is likely to raise questions among federal regulators about whether Facebook violated a consent decree with the Federal Trade Commission in 2011,” under which “Facebook is prohibited from misrepresenting its privacy and security practices.” The consent decree also requires Facebook “to obtain users’ consent before overriding their privacy choices, and to institute a comprehensive program to protect the privacy and security of users’ data.”
According to David Vladeck, a former director of the commission’s bureau of consumer protection, it’s possible that, “Facebook’s failure to anticipate and address the latest data privacy problem violated the agreement.”
Berkeley Center for Law and Technology faculty director, adjunct professor Chris Hoofnagle, isn’t so sure. “We don’t know yet whether this security hole was a product of negligence or an accident that could happen even if you have good security,” he said.
The FTC declined to comment, but Facebook’s “main data-protection regulator in the European Union, the Irish Data Protection Commission, said on Friday that the mounting number of problems required a deeper investigation,” and that it has begun an inquiry after receiving “a number of breach notifications from Facebook” over the past six months; it could “lead to a fine of up to 4 percent of Facebook’s global revenue, or about $1.63 billion.”