Cambridge Analytica didn’t just take advantage of Facebook’s porous data-sharing policies to scrape the profile data of as many as 87 million users. The political-data firm apparently got an even more intimate look at the data of a small number of these users, accessing their private inbox messages on Facebook, too. This new revelation came nestled inside the alerts that appeared this week on the top of some users’ news feeds, where Facebook is notifying them if their profile data got siphoned up by an app created on behalf of Cambridge Analytica in 2014.
“A small number of people who logged into ‘This Is Your Digital Life’ ”—the app in question—“also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you,” this disclosure read. “They may also have shared your hometown.” Facebook confirmed to Donnie O’Sullivan, a reporter with CNN, that private messages were accessed by the app, which was created by researcher Aleksandr Kogan. O’Sullivan tweeted a statement from Facebook outlining that before 2015, the company let developers ask Facebook users for permission to access their inbox. The notification Facebook provided this week to users who were affected by the data harvesting does not appear to include details about whether users also had their private message data scraped. Slate asked Facebook for clarification and will update this piece when we hear back. The company didn’t close this permission for developers until 2015.
Facebook says that about 1,500 people gave permission to Kogan’s app to access their private messages, and people who sent or received messages with those people potentially had their private messages siphoned up, too. It’s also possible that people who gave permission to Cambridge Analytica to read their apps did so unwittingly, since the way users are asked to agree to a website’s or app’s terms of service typically involves reading blocks of text that most people scroll past, click “agree” to, and ignore. Facebook previously also allowed app developers to not only collect data of people who downloaded their app, but also data on all their friends.
Under that policy, although only about 270,000 people downloaded Kogan’s app, he was able to collect data on 87 million people, since Facebook users may have hundreds or thousands of friends. Facebook closed that permission in 2015, but by that time, according to a whistleblower who used to work on Facebook’s app security team and spoke to the Guardian last month, hundreds of millions of people could have had their data siphoned off by random developers. And last week, Facebook announced it is now tightening other aspects of its relationship with developers to make it even harder to remove data from the platform—a move that’s unlikely to affect Facebook’s bottom line, since the company probably would rather keep all the data that it collects on users to itself anyway.