Facebook’s chief technology officer, Mike Schroepfer, wrote on Wednesday that he believes most users on Facebook could have had their public profile data harvested by third parties—one of the many revelations and announcements the company has made this week as it tries to explain itself to the public in the aftermath of the Cambridge Analaytica scandal, and one that was easy to overlook. The comment was nestled in a description of a Facebook feature that allowed users to search for other users via someone’s phone number or email address, which Facebook says has been abused by malicious hackers that would scour Facebook using lists of emails and phone numbers they already had to find and then harvest users’ public profile information. Schroepfer said this feature has now been disabled, but also noted that “given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”
Schroepfer’s post, one of seven Facebook published this week, details many of the ways Facebook has decided to tighten how it shares user data with developers who build apps that somehow extract people’s profile and Facebook activity following reports last month Cambridge Analytica, a political-data firm, had wrongfully obtained profile information on tens of millions of Facebook users. The original stories in the Guardian and the New York Times reported that in 2014 more than 50 million Facebook users had their information harvested for use by Cambridge Analytica, but in its blog post Wednesday, Facebook clarified that the actual number of affected users is much higher. “In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica,” Schroepfer wrote. Most of those 87 million people were Americans. And that’s just by one app. As for the thousands of other apps that have plugged into Facebook over the years, the number of affected users could easily be in the hundreds of millions.
It’s been a busy week for Facebook. On Tuesday, the company shared an update on the number of accounts purged from the Kremlin-linked troll farm known as the Internet Research Agency. Alex Stamos, Facebook’s head of security, wrote that an additional 273 Facebook and Instagram accounts and pages from the Internet Research Agency have been removed recently. On a call Wednesday with journalists, Zuckerberg revealed that Facebook may effectively extend a broad set of new privacy protections going into effect for European users in May to Facebook users around the world. He also called himself “a power user of the internet.”
Whether the billions of people who use Facebook are power users or not, the Facebook users who might have been impacted by the phone number and email address look-up feature—which, to reiterate, is most of them—now have another reason to mistrust Facebook’s privacy practices. It wasn’t just people building apps like FarmVille that were able to collect user data at a massive scale. It was also people who were taking lists of email address and phone numbers and using Facebook to match those with people’s names and photos and whatever other data they made publicly available on their Facebook page. That data alone could reveal a person’s location, race, and other identifying information that a data-hungry ad targeter or software developer might use to build profiles of people.
With the third-party apps, it gets worse, of course, since it wasn’t just profile pictures and names that these developers were able to harvest off Facebook. (Until 2014, Facebook let developers take data not only from people who downloaded their app, but data on all their friends too.) Schroepfer writes that Facebook’s various developer tools could provide information on people’s private group posts, likes, religious affiliation, relationship status, and political views, news reading, and more—information that still be out there, perhaps for sale on the black market. Once that data is out of Facebook’s walled garden, there’s really no getting it back.
