Facebook Corrects Issue That Could Have Enabled Developers to Access User Data Past Time Limit

Facebook last week detailed a since-corrected issue that may have given developers access to user data beyond a previously established 90-day limit, and the social network released updates to its platform terms and developer policies. Vice president of platform partnerships Konstantinos Papamiltiadis detailed the issue in a blog post last week, reiterating the social network’s 2018 policy change that removes the ability of applications to receive updates to users’ non-public information—such as email addresses, birthdates, languages and gender—if Facebook’s systems did not recognize that those people used the app within the past 90 days. Papamiltiadis said that some 5,000 developers may have continued to receive that information beyond the 90-day period of inactivity, adding that the company had no evidence that the issue resulted in the sharing of information beyond what people gave their permission for when logging into apps via Facebook. He said as an example, “This could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months.” Papamiltiadis said the issue was corrected the day after it was discovered. In a separate blog post, director of product management Eddie O’Neil detailed updates to Facebook’s platform terms and developer policies aimed at ensuring that businesses and developers on its platform safeguard users’ data and protect their privacy. The updated platform terms introduced a two-tiered structure for data developers receive from Facebook’s platform, with clear guidance on how they can use and share platform data and restricted platform data, as well as limits on the information they can share with third parties without explicit consent from users. Developers are also required to delete data if it is no longer needed for a legitimate business purpose, if the developer is no longer operating the product or service, if Facebook requests the deletion or if the data was received in error. Developers must immediately notify Facebook of data breaches, immediately begin correcting those issues and “reasonably cooperate” with Facebook. The social network’s policies on auditing, termination and enforcement were also clarified. Requirements regarding aesthetic, content, functional requirements, integrity, quality control and user experience were separated out into Facebook’s new developer policies, and O’Neil said developers will be notified of the changes via email, in the app dashboard and via Facebook’s developers’ site and the Instagram Help Center. The updated requirements take effect Aug. 31. O’Neil also issued a reminder that PPCA (page public content access) can only be used to provide aggregated, anonymized public content for competitive analysis and benchmarking, and this policy will be enforced more broadly across developers with PPCA access. He concluded, “We believe people, businesses and developers deserve a safe and secure platform, and these changes will help strengthen trust with people who use our apps and drive long-term value for developers who use our platform.”