Facebook improperly gave users’ data to third-party developers, again

Stop me if you’ve heard this one before: Facebook gave user data to third-party developers, even after specifically telling users it wouldn’t. 

In a Wednesday blog post, Facebook announced that (oops!) thousands of developers continued to receive updates to users’ non-public information well past the point when they should have. Specifically, Facebook said that, for an unspecified number of users, it failed to cut off the data spigot — like it promised it would back in 2018 — 90 days after a person had last used an app. 

We reached out to Facebook in an attempt to determine just how many users had their data improperly sent to third-party apps, but received no immediate response. 

Facebook’s blog post does provide some — albeit limited — insight into the privacy mishap, however. The company writes that the user info in question possibly involved email addresses, birthdays, language, and gender, and was sent to around 5,000 apps past the 90-day threshold. 

“[Recently], we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days,” writes Konstantinos Papamiltiadis, Facebook’s vice president of platform partnerships, in the blog post. “For example, this could happen if someone used a fitness app to invite their friends from their  hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months.”

We also asked Facebook how “recently” it discovered the error, but received no immediate response. 

Notably, this is not the first time third-party developers have been given improper access to Facebook users’ data. In late 2019, Papamiltiadis wrote yet another blog post laying out the shockingly familiar situation. 

“[We] recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended,” wrote Papamiltiadis at the time. “We know at least 11 partners accessed group members’ information in the last 60 days.”

Oh yeah, and in 2018 Papamiltiadis was forced to awkwardly explain why certain third-party companies were given troubling amounts of access to Facebook users’ data. He assured everyone then, as he assured everyone today, that the company was working on it. 

SEE ALSO: Here are the (many) companies pulling their ads from Facebook

“We’ve taken a number of steps this year to limit developers’ access to people’s Facebook information, and as part of that ongoing effort, we’re in the midst of reviewing all our APIs and the partners who can access them,” he wrote. 

Sigh. No wonder this all sounded so familiar.