Canada flagged Facebook’s third-party app privacy problem way back in 2009

In this April 4, 2013 file photo, Facebook CEO Mark Zuckerberg walks at the company's headquarters in Menlo Park, Calif. AP Photo/Marcio Jose Sanchez

Canadian federal privacy officials warned that third-party developers’ access to Facebook users’ personal information “raises serious privacy risks” back in 2009, documents show.

The report also pointed out that app developers could access information about the Facebook friends of people using apps.

On Wednesday, Facebook CEO Mark Zuckerberg admitted that a feature of their system in which creators of third-party apps had nearly unlimited access to the Facebook data of people who installed the apps — and also their friends — had led to the leakage of the Facebook data of up to 87 million people, about 622,000 of them in Canada.

“We didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well … We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake.”

Story continues below advertisement

READ MORE: Over 600,000 Canadians’ Facebook data shared with Cambridge Analytica in data leak

In a 2009 speech, then-assistant privacy commissioner Elizabeth Denham said that her office’s top Facebook concern was “the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes.”

We were alarmed by a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information – as well as information about their online ‘friends,'” she said.

“The notion that some teenager in a basement on the other side of the world could have access to all this personal information is unsettling, to say the least.”

Denham went on to be B.C.’s information and privacy commissioner.

WATCH: Facebook founder Mark Zuckerberg has made a public apology for his company’s handling of users’ personal information – including more than 620,000 Canadians.
Click to play video: 'Facebook’s Mark Zuckerberg offers public apology over data breach' Facebook’s Mark Zuckerberg offers public apology over data breach
Facebook’s Mark Zuckerberg offers public apology over data breach – Apr 5, 2018

READ MORE: 9 easy things you can do to beef up your privacy on Facebook

Story continues below advertisement

As the U.K.’s information commissioner, she is heading that country’s inquiry into the use of Facebook data leaked through apps by political data firm Cambridge Analytica. Late in March, her office entered Cambridge Analytica’s London office with a search warrant as part of their investigation.

For its part, Facebook said in 2009 that it would “introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.”

At the time, Facebook and the federal privacy commissioner agreed that the promised changes would be in place no later than 12 months from the announcement, which is August of 2010.

In 2010, the commissioner’s office said it was satisfied with Facebook’s solution to the third-party app problem, which involved clearer user consent when apps were installed.

“The privacy commissioner at the time kind of gave the green light to Facebook, and from our perspective that was really problematic, especially the access to third-party content through the API,” says David Fewer of the Canadian Internet Policy and Public Interest Clinic, whose complaints against Facebook led to the original investigation.

READ MORE: Not just Facebook: How retailers and the payments industry can track, profile you

Story continues below advertisement

“They reached a resolution which did away with our complaint, and basically gave the green light to Facebook to keep on doing what they do.”

A Facebook spokesperson who responded by email did not directly address a question about the 2009 warning.

“As people used the Facebook platform in new ways, we strengthened the rules,” he wrote. “We required that developers get people’s permission before they access the data needed to run their apps. Over the years we’ve introduced more guardrails, including in 2014, when we began reviewing apps that request certain data before they could launch.”

Carleton University journalism professor Dwayne Winseck points out that third-party developers were able to access users’ information not through a bug or hack, but as a “built-in feature of Facebook.”

WATCH: Cybersecurity expert David Shipley on what these new stats on the Facebook data breach means for the social media company
Click to play video: 'Facebook’s data breach now affects 87 million users' Facebook’s data breach now affects 87 million users
Facebook’s data breach now affects 87 million users – Apr 5, 2018

“It’s not an aberration. This is exactly what Elizabeth Denham pointed out in 2009. Facebook kind of thumbed their nose at her, based on the idea that third-party developers designing for the platform would be extremely valuable for them. It would be the thing that would bring the Farmvilles and keep the platform sticky.”

Story continues below advertisement

“Nine years ago, Facebook had a warning,” he says. “Talk about history turning around and biting you in the butt. The same woman that issued it, and tried to reel them in, and who they thumbed their nose at, is now leading up the charge in the U.K.”

In March, the privacy commissioner’s office opened an investigation into whether Facebook complies with federal privacy laws.

READ MORE: Companies will now have to tell Canadian consumers when their privacy is breached — and do it quickly

Sponsored content