Stop us if you've heard this one: Facebook apologizes for bug leaking private photos
Data gathering biz still having trouble keeping data secure
Facebook on Friday apologized for a bug that may have exposed private photos to third-party apps for the 12-day period from September 13 to September 25, 2018.
"We're sorry this happened," said Tomer Bar, Facebook engineering director, in a blog post intended for developers, noting that as many as 6.8 million users and 1,500 apps by 876 developers may be affected.
Tomer explained that when a Facebook user grants permission for an app to access that individual's photos on Facebook, the service should only grant access to photos shared on timelines.
Instead, the bug made photos shared elsewhere – in Marketplace or Facebook Stories – or uploaded but never posted available to developers' apps, specifically those that users had authorized and that Facebook had approved to use the photos API.
Facebook intends to notify affected individuals, so they can check their photo apps for images that shouldn't be there. And next week, the company says it will provide developers with a tool to determine which users of their apps may have been affected and to assist with the deletion of images that shouldn't be there.
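The failure described above is a permission-scoping bug: the app's grant covered only timeline photos, but the filter behind the API returned more than the grant allowed. The following Python model is an added illustration, not Facebook's code and not anything the post describes in detail; the scope name `user_photos`, the surface labels, the sample photos and the `leaked_photo_ids` check are all constructed for this example. It places an over-broad filter (ownership only) beside a hardened one (ownership, publication state and surface), and computes the difference between the two, which is the kind of per-user report a developer tool for affected users would need.

```python
"""Constructed illustration of a photo-permission scoping bug (not Facebook's code)."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Surfaces a photo can be shared to; labels assumed for the example.
TIMELINE = "timeline"
MARKETPLACE = "marketplace"
STORIES = "stories"


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    surface: str   # product the photo was shared to
    posted: bool   # False for an upload that was never published


# Constructed sample data: one user with photos on several surfaces,
# plus one photo that belongs to someone else.
PHOTOS: List[Photo] = [
    Photo("p1", "u1", TIMELINE, True),
    Photo("p2", "u1", MARKETPLACE, True),
    Photo("p3", "u1", STORIES, True),
    Photo("p4", "u1", TIMELINE, False),   # uploaded, never posted
    Photo("p5", "u2", TIMELINE, True),    # another user's photo
]

# Which surfaces each scope is allowed to expose (scope name assumed).
GRANTED_SURFACES = {"user_photos": {TIMELINE}}


def photos_for_app_buggy(photos: Iterable[Photo], user_id: str,
                         scopes: Set[str]) -> List[Photo]:
    """Over-broad filter: once the scope is present, returns every photo
    the user owns, regardless of surface or whether it was ever posted."""
    if "user_photos" not in scopes:
        return []
    return [p for p in photos if p.owner_id == user_id]


def photos_for_app(photos: Iterable[Photo], user_id: str,
                   scopes: Set[str]) -> List[Photo]:
    """Hardened filter: the grant decides which surfaces are visible, and
    unpublished uploads are never returned. Unknown scopes grant nothing."""
    allowed: Set[str] = set()
    for scope in scopes:
        allowed |= GRANTED_SURFACES.get(scope, set())
    return [p for p in photos
            if p.owner_id == user_id and p.posted and p.surface in allowed]


def leaked_photo_ids(photos: Iterable[Photo], user_id: str,
                     scopes: Set[str]) -> List[str]:
    """Defender's check: photo ids the buggy filter handed out beyond what
    the grant permits, i.e. what a clean-up tool would have to list."""
    photos = list(photos)
    expected = {p.photo_id for p in photos_for_app(photos, user_id, scopes)}
    actual = {p.photo_id for p in photos_for_app_buggy(photos, user_id, scopes)}
    return sorted(actual - expected)


if __name__ == "__main__":
    # For user u1 with the photo scope, only p1 should be visible;
    # the buggy filter also leaks p2, p3 and the never-posted p4.
    print(leaked_photo_ids(PHOTOS, "u1", {"user_photos"}))
```

The point of the hardened version is that the scope, not the ownership check alone, decides what is returned: adding a new product surface later does not widen an existing grant, because a surface has to be listed against a scope before it becomes visible.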
It was only a few days after the period of vulnerability, on September 28, that Facebook said a different bug had exposed as many as 90 million Facebook profiles to hackers, a figure it subsequently revised down to 30 million.
In response to that incident, Guy Rosen, VP of product management, apologized.
This is getting to be a habit
The social data biz has apologized so often that its serial contrition came up when CEO Mark Zuckerberg testified before the House Energy and Commerce Committee in April.
Addressing Zuckerberg at the hearing, Rep. Jan Schakowsky (D-IL) said, "You have a long history of growth and success, but you also have a long list of apologies." She then recited a partial litany of his mea culpas over the years:
- "I apologize for any harm done as a result of my neglect." – Harvard, 2003
- "We really messed this one up." – Facebook, 2006
- "We simply did a bad job [with this release, and] I apologize for it." – Facebook, 2007
- "Sometimes we move too fast…" – Facebook, 2010
- "I'm the first to admit we made a bunch of mistakes." – Facebook, 2011
- "[For those I hurt this year,] I ask forgiveness and I will try to be better." – Facebook, 2017
Schakowsky concluded from this that Facebook's self-regulation doesn't work.
Legislative regulation may not be working either. Facebook in April, shortly after Zuckerberg's Congressional testimony, made much of its effort to comply with Europe's GDPR privacy regime.
"As soon as GDPR was finalized, we realized it was an opportunity to invest even more heavily in privacy," said Erin Egan, veep and chief privacy officer of policy, and Ashlie Beringer, veep and deputy general counsel, in a blog post at the time. "We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook."
Nonetheless, in response to complaints, the Irish Data Protection Commission has begun an investigation of the company's privacy practices.
"The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018," a spokesperson for the watchdog said on Friday in an email to The Register. "With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook's compliance with the relevant provisions of the GDPR."
Coming shortly after the British Parliament published a trove of Facebook emails about how the ad biz monetizes its user data, the investigation isn't all that surprising.
The Register asked Facebook how users of the ad network should interpret the photo bug in light of CEO Mark Zuckerberg's apology following the Cambridge Analytica scandal: "We have a responsibility to protect your data, and if we can't then we don't deserve to serve you."
We've not heard back. ®
Updated to add
After this story was filed, a Facebook spokesperson said via email, “We are in close contact with the Irish Data Protection Commission and are happy to answer any questions they may have.”
Our question about Zuckerberg’s remarks went unanswered.