Earlier this week, several Facebook users learned that their personal information — including public profiles, likes, birthdays and locations —was compromised as a result of either they or their friends using the personality quiz app “This Is Your Digital Life.”
But it appears the privacy breach may have been even more serious than that, with the app’s creator, data scientist and psychologist Aleksandr Kogan, reportedly collecting direct messages between Facebook users.
Kogan told the New York Times on Tuesday that he harvested messages from around “a couple thousand” people for a Cambridge University research project, exploring how people use emojis to convey emotion.
The Moldovan-born Kogan, whose academic career included a stint as a post-doctoral fellow at the University of Toronto, later went on to work for Cambridge Analytica, but he told the Times that the information he shared with the controversial data mining firm only comprised names, birthdays, locations and likes — not direct messages.
In March, Kogan told CNN’s Anderson Cooper that he didn’t even know that Cambridge Analytica was looking to use the data to build profiles of voters to target political ads more precisely, although he was aware the data would be used for “political consulting.”
On Wednesday, Facebook CEO Mark Zuckerberg told U.S. Congress that the social media giant was looking into taking legal action against Kogan, and would “be doing a full audit to make sure that he gets rid of all the data that … he has, as well.”
WATCH: Would making users pay for Facebook fix its privacy problem? Cambridge Analytica scandal explained
Facebook claims that Kogan agreed to obtain Facebook user information for academic purposes only, but later sold the data to Cambridge Analytica.
Concerns over Facebook potentially sharing users’ direct messages with external agents were previously raised by data journalist and researcher Jonathan Albright who, in a March 20 blog post, suggested that Facebook’s application programming interface (API) was capable of collecting user data for years.