Facebook exposed personal photos of millions of people in its latest privacy gaffe disclosed on Friday. The debacle happened due to a bug in one of the company's application programming interfaces for image management which allowed hundreds of app developers to access much broader photo sets than what users agreed to share with them. The vulnerability period ran from September 12 to September 25 and affected up to 6.8 million users who provided access to their photos to some 1,500 apps from 876 developers. Only users who explicitly granted access to their photos to apps via the vulnerable API could have been compromised by the bug which essentially allowed developers of those services to access any photo from their profiles, including those attached to incomplete posts, i.e. those that were never published, Facebook Engineering Director Tomer Bar revealed earlier today.
The said photos API is generally only used for granting apps access to one's Timeline photos on the world's largest social media network, whereas every other image from one's profile — including those uploaded to albums by other people, content from Stories and Marketplace — should be off limits. Facebook says it discovered the bug on its own, i.e. one of its internal security teams did, and has yet to find any evidence of the vulnerability being abused by third parties.
"We're sorry this happened," Mr. Bar said in a prepared statement, without providing an explanation on how the bug came to be. What he did say is that Facebook will be providing its app developers with tools designed to help them determine which of their users might have been affected and had their photos accidentally harvested. The tools will roll out next week and also come packed with an option for deleting the involuntarily shared photos in a straightforward manner. What's presently unclear is whether Facebook is looking into the possibility that some of the accidentally collected images were used for malicious purposes. The social media juggernaut also didn't clarify why it took nearly three months to disclose the existence of the bug, though such a delay isn't unusual when it comes to cybersecurity vulnerabilities and the firm was likely looking into the extent of the issue before opting to go public with it.
Users potentially impacted by the newly disclosed bug will be notified of the development via a standard Facebook alert sent via a push notification. The notification will contain a link to the service's Help Center where they'll be able to see which particular apps possibly collected photographs they didn't agree to share. As is the case with the vast majority of data exposures Facebook failed to prevent in recent times, the newly confirmed vulnerability was inherently tied to Facebook Connect, the tool used for accessing apps and web services within and outside of the company's online ecosystem.
A pre-emptive justification
Regarding images attached to incomplete posts Facebook admitted to storing as part of today's disclosure, the company quickly went on to clarify it only saves such content for up to three days, then purges it from its servers. The reason for such policy to exist has to do with the fact people often fail to post their photographs for a variety of reasons like lost signal and distractions, with Facebook hence looking to save them mobile data and time in case they decide to revisit their incomplete posts in the immediate future, according to the company. While this clarification initially wasn't provided alongside the disclosure of the photos API bug, Facebook added it to the communication within hours of first publishing it, presumably as it was expecting public backlash for what could be interpreted as yet another privacy-invasive practice on its part.
No end in sight
While the Cambridge Analytica debacle is by far Facebook's largest privacy scandal of the year, numerous smaller gaffes such as the newly disclosed one keep emerging. The nature of software development makes no system perfect and new bugs always appear as apps and services get upgraded and revamped, though Facebook still isn't showing signs of reacting to such issues in a timelier manner like it repeatedly pledged to do over the course of this year, largely in response to the Cambridge Analytica episode. "We must do better" was the message the company's top executives including CEO Mark Zuckerberg and COO Sheryl Sandberg voiced on countless occasions in 2018, though the details of how that needed improvement is meant to happen remain slim.
What remains to be seen is how many users in California and the European Union were affected by the issue Facebook confirmed today seeing how those two jurisdictions have strict data privacy laws with specifically defined disclosure periods which may or may not have been broken in this case. The latest development is yet another piece of evidence suggesting not even the world's best-funded platforms are immune to data leaks. On the contrary, as the complexity of online services increases, so does the number of moving parts, i.e. chances for something to go wrong.
Even when things are working as intended, the human error factor is always a risk. In the case of Facebook in particular, that issue can materialize in the form of "dead" apps leeching data long after users stopped relying on them, though the world's largest social media platform has recently undertaken steps meant to address that possibility and automatically revokes access to user info from apps that went unused for a certain period of time (usually several months).
But new regulations are on the horizon
Moving forward, Facebook can expect more regulatory scrutiny in regards to how it collects, manages, stores, and utilizes data from its over two billion users around the world. Following its own scandals and debacles from other Internet giants like Google, Capitol Hill seems keener than ever to enact federal-level legislation meant to protect American citizens from having their privacy compromised, intentionally or not. California already started the trend earlier this year with the toughest privacy law in the country, though the Silicon Valley and other digital companies are presently lobbying for federal legislation in order to avoid a scenario wherein they have to create and maintain 50 different privacy policies. On the other side of the pond, the EU's General Data Protection Regulation is facing its first judicial tests after watchdogs filed complaints against numerous Internet companies, including both Google and Facebook.