Facebook says bug may have exposed user photos to developers
SAN FRANCISCO — Facebook announced Friday that it had discovered a bug that allowed outsiders access to private photos, potentially affecting some 6.8 million people who use the service.
“We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual,” Tomer Bar, an engineering director at the company, said in a blog post.
The announcement is the latest in a string of problems the social network has had with consumer data. In March, The New York Times reported that Cambridge Analytica, a third-party firm, harvested the data of Facebook users without their express knowledge or consent. And in September, a separate, more serious breach gave hackers full access to the Facebook accounts of tens of millions of users.
This most recent incident is somewhat less severe than previous ones. Around 1,500 third-party apps had access to users’ uploaded photos — even if they had not posted them publicly to Facebook — from Sept. 13 to Sept. 25.
Facebook said that the number of people affected was probably smaller than 6.8 million, because it doubted that all 1,500 apps gained access to the social network during that 12-day period. The company said it was contacting the 876 developers who built the apps and asking them to check and delete any photos they may have retrieved improperly.
“We’re sorry this happened,” Bar added.
Facebook has repeatedly pledged to better protect user information.
“If we can’t, then we don’t deserve to serve you,” Mark Zuckerberg, the company’s chief executive, said in a note to users this year.
But the bug reported Friday prompted more scrutiny in the United States and Europe of whether it was following through on those promises.
The announcement is likely to raise questions among federal regulators about whether Facebook violated a consent decree with the Federal Trade Commission in 2011. Under the agreement, Facebook is prohibited from misrepresenting its privacy and security practices. It also requires the company to obtain users’ consent before overriding their privacy choices, and to institute a comprehensive program to protect the privacy and security of users’ data.
In March, in the wake of revelations about Cambridge Analytica, the FTC said it was investigating Facebook’s data-handling practices.
David C. Vladeck, a former director of the FTC’s bureau of consumer protection, said it was possible that Facebook’s failure to anticipate and address the latest data privacy problem violated the agreement. Vladeck oversaw the FTC investigation that led to the consent decree.
“If Facebook can’t control access by third-party apps, they are going to be in constant trouble with the Federal Trade Commission — and the public at some point is just going to revolt,” Vladeck said. “This is just not acceptable.”
But Chris Hoofnagle, an adjunct professor of law who is the faculty director of the Berkeley Center for Law & Technology at the University of California, Berkeley, said it was not clear the incident violated the consent decree.
“We don’t know yet whether this security hole was a product of negligence or an accident that could happen even if you have good security,” Hoofnagle said.
The FTC declined to comment.
European regulators have signaled a strong displeasure with Facebook’s privacy policies. The company’s main data-protection regulator in the European Union, the Irish Data Protection Commission, said Friday that the mounting number of problems required a deeper investigation. Ireland is Facebook’s lead privacy watchdog in the EU because the company’s European headquarters is in Dublin.
The company found the bug Sept. 25, the same day Facebook discovered a data breach that affected 30 million users. But executives did not notify government officials in Europe until November.
Under the new European privacy law, known as the General Data Protection Regulation, or GDPR, companies have 72 hours “without undue delay” to disclose an incident to authorities. Companies taking longer must include reasons for the delay. Facebook said it did not alert officials earlier because it needed time to “create a notification page” and to translate the message to consumers into multiple languages.
The Irish Data Protection Commission said it started an inquiry this week after receiving “a number of breach notifications from Facebook” over the past six months. The investigation could lead to a fine of up to 4 percent of Facebook’s global revenue, or about $1.63 billion. The regulator can also require Facebook to change how it processes data in the region.
“We have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provision of the GDPR,” the Irish Data Protection Commission said in a statement.
The regulator started another investigation after Facebook disclosed the data breach in September.