Facebook continues to struggle with keeping user info private after years of encouraging developers and marketers to scrape large amounts of data, as a new report shows.
CNBC found that third parties could still harvest sensitive data from private groups, including the names of group members, as recently as June. According to CNBC, a moderator of a private Facebook group discovered a Chrome extension called Grouply.io that advertised the ability to scrape information from Facebook groups.
The article calls the ability to harvest personal data on private groups a “loophole,” but a Facebook spokesperson disputed that term in an email to VentureBeat, saying that “while we recently made a change to closed groups, there was not a privacy loophole.”
CNBC doesn't state how the woman, Andrea Downing, found the extension. But she decided to test it against the group she moderated, a private group called the BRCA Sisterhood, for women with a gene mutation associated with a high risk of breast cancer. Using Grouply.io, she was able to download "names, employers, locations, email addresses and other personal details of all 9,000 people who had signed up for the group."
Facebook has always had three types of groups: public, closed (also sometimes referred to as private) and secret. In public groups, both the member list and the group's posts are visible to anyone. In closed groups, posts were visible only to members, but until recently anyone could search for a closed group and view its full member list, which is exactly the data the extension collected. Secret groups are not discoverable, and their member lists are not public.
Downing began working with Fred Trotter, a healthcare data journalist and security researcher, to figure out how Grouply.io was able to gather so much information on the BRCA Sisterhood's members. Trotter sent a letter to Facebook detailing his concerns about the data harvesting, and on June 20 Facebook sent a response to Trotter and members of the group, stating:
“Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward.”
Six days later, the group members sent Facebook another note saying that they were unhappy with the company's response, and by June 29 the ability for non-members to view the member lists of closed groups was gone, according to Downing and Trotter. Now only the admins and moderators of a closed group are visible to non-members.
Facebook also sent a cease-and-desist letter to Grouply.io earlier this year, and the service is now shut down. Grouply.io's website simply states that "you cannot get Grouply" anymore, with no explanation.
The company has been under pressure to cut more third parties off from sensitive user data ever since reports earlier this year about how Facebook failed to stop Cambridge Analytica from obtaining data on millions of U.S. voters. As CNBC reports, the BRCA Sisterhood case is particularly concerning because the group's name alone reveals sensitive health information about anyone on its member list. Downing chose not to set the group to secret, the most private setting, because she wanted people outside the group to be able to find it. But that didn't mean she wanted third parties to be able to collect information about its members en masse. And while Facebook itself didn't offer third parties a way to download group members' detailed personal information, it wasn't able to stop an extension from doing so by scraping what the site already displayed.
Among the steps Facebook has taken in recent months to curb the amount of data third parties can access and use: it started an audit of apps that had access to large amounts of data, required any app seeking access to a number of its APIs to undergo a formal review, and required issue and political advertisers, as well as admins of large Facebook pages, to verify their identity and location.