The report also pointed out that app developers could access information about the Facebook friends of people using apps.
On Wednesday, Facebook CEO Mark Zuckerberg admitted that a feature of their system in which creators of third-party apps had nearly unlimited access to the Facebook data of people who installed the apps — and also their friends — had led to the leakage of the Facebook data of up to 87 million people, about 622,000 of them in Canada.
“It’s clear now that we didn’t do enough,” Zuckerberg said.
“We didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well … We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake.”
In a 2009 speech, then-assistant privacy commissioner Elizabeth Denham said that her office’s top Facebook concern was “the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes.”
“We were alarmed by a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information – as well as information about their online ‘friends,’” she said.
“The notion that some teenager in a basement on the other side of the world could have access to all this personal information is unsettling, to say the least.”
Denham went on to be B.C.’s information and privacy commissioner.
As the U.K.’s information commissioner, she is heading that country’s inquiry into the use of Facebook data leaked through apps by political data firm Cambridge Analytica. Late in March, her office entered Cambridge Analytica’s London office with a search warrant as part of their investigation.
For its part, Facebook said in 2009 that it would “introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.”
At the time, Facebook and the federal privacy commissioner agreed that the promised changes would be in place no later than 12 months from the announcement, that is, by August of 2010.
In 2010, the commissioner’s office said it was satisfied with Facebook’s solution to the third-party app problem, which involved clearer user consent when apps were installed.
“The privacy commissioner at the time kind of gave the green light to Facebook, and from our perspective that was really problematic, especially the access to third-party content through the API,” says David Fewer of the Canadian Internet Policy and Public Interest Clinic, whose complaints against Facebook led to the original investigation.
“They reached a resolution which did away with our complaint, and basically gave the green light to Facebook to keep on doing what they do.”
A Facebook spokesperson who responded by email did not directly address a question about the 2009 warning.
“As people used the Facebook platform in new ways, we strengthened the rules,” he wrote. “We required that developers get people’s permission before they access the data needed to run their apps. Over the years we’ve introduced more guardrails, including in 2014, when we began reviewing apps that request certain data before they could launch.”
Carleton University journalism professor Dwayne Winseck points out that third-party developers were able to access users’ information not through a bug or hack, but as a “built-in feature of Facebook.”
“It’s not an aberration. This is exactly what Elizabeth Denham pointed out in 2009. Facebook kind of thumbed their nose at her, based on the idea that third-party developers designing for the platform would be extremely valuable for them. It would be the thing that would bring the Farmvilles and keep the platform sticky.”
“Nine years ago, Facebook had a warning,” he says. “Talk about history turning around and biting you in the butt. The same woman that issued it, and tried to reel them in, and who they thumbed their nose at, is now leading up the charge in the U.K.”
In March, the privacy commissioner’s office opened an investigation into whether Facebook complies with federal privacy laws.