Facebook says it mistakenly let 5,000 developers gather information from people’s profiles after a time limit on their rights had expired.
Apps on Facebook are supposed to be prevented from accessing people’s personal data if the app has not been used for 90 days.
But Facebook said that lock-out had not always worked due to a flaw in how it recorded inactivity.
“We fixed the issue the day after we found it,” the company said.
Facebook has not stated how many users had their personal data scraped.
The harvesting of Facebook users’ personal information by third-party apps was at the centre of the Cambridge Analytica privacy scandal that was exposed in 2018.
Cambridge Analytica’s app on Facebook had harvested not only the data of people who interacted with it, but also that of friends who had not given consent. The company built a vast and lucrative database in the process.
- The story of Cambridge Analytica
- Zuckerberg pledges ‘privacy-focused’ Facebook
Facebook’s chief executive Mark Zuckerberg faced questioning before the US Congress on how his company dealt with users’ personal information, and Facebook brought in its new policy on 90-day lock-outs for apps later that year.
But Facebook now says the limit did not work properly.
“Recently, we discovered that in some instances apps continued to receive the data that people had previously authorised, even if it appeared they hadn’t used the app in the last 90 days,” the company said in a statement.
Policy change
Facebook gave an example of the error in action. It said that if two Facebook friends had both used an app, and only one was still using it after 90 days, the app might gather personal information from the inactive friend.
“For example, this could happen if someone used a fitness app to invite their friends from their home town to a workout, but we didn’t recognise that some of their friends had been inactive for many months,” the company said.
In that example, the home town of a user would be the personal information in question. Facebook cited language and gender as other examples.
The company said its estimate of 5,000 developers was only based on data available from the last few months.
But it also said that the information handed out, even if it was after the time limit, was only what users gave permission for when they signed up to the app in the first place.
In the same blog post, Facebook also announced that it was changing its platform terms and developer policies “to ensure businesses and developers clearly understand their responsibility to safeguard data and respect people’s privacy”.
The faulty time limit in this announcement is the most recent in a long line of privacy issues for the social network.
In November last year, a flaw in Facebook’s Groups feature was revealed. It allowed the harvesting of some personal data from groups.
Figures announced in January showed that Facebook’s annual profit fell in 2019, for the first time five years – partly due to settlements with regulators over privacy concerns.