The data consulting firm Cambridge Analytica, which harvested as many as 87 million Facebook users' personal data, also could have accessed the private inbox messages of some of those affected. Facebook slipped this previously undisclosed detail into the notifications that began appearing at the top of News Feeds on Monday. These alerts let users know whether they or their friends had downloaded a personality quiz app called This Is Your Digital Life, which would have caused their data to be collected and potentially passed on to Cambridge Analytica.
Facebook buried the disclosure in the details about what information was compromised: "A small number of people who logged into 'This Is Your Digital Life' also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you."
A Facebook spokesperson confirmed that the app, which was designed by Cambridge University researcher Aleksandr Kogan to collect data on Americans on behalf of Cambridge Analytica’s British counterpart SCL, requested access to user inboxes through the read_mailbox permission. Unlike the collection of specific user friend information, which Facebook says it phased out in April 2015 unless both people had downloaded the same app, the read_mailbox permission wasn't fully deprecated until that October.
Users had to agree to give apps access to their inboxes, but that request for highly personal information would be bundled up with a list of other more benign data points, including birthdays or profile pictures. It's possible some users approved this access, never knowing how much of themselves they were giving up, not just to Cambridge Analytica, but to every app that requested these permissions until 2015.
Facebook says that a total of 1,500 people granted This Is Your Digital Life permission, although the total number of people affected remains unknown. Anyone who messaged those 1,500 people—or received messages from those 1,500—on Facebook at the time would be potentially impacted.
Cambridge Analytica denies having accessed that specific data. "GSR did not share the content of any private messages with Cambridge Analytica or SCL Elections. Neither company has ever handled such data," a company spokesperson says.
Still, the ambiguous last-minute detail Facebook offered to users about this deeply sensitive issue irked critics of Facebook's privacy policies. "The harvesting of personal Facebook messages wasn't disclosed, yet again, until the last second," says Jonathan Albright, research director at the Tow Center for Digital Journalism at Columbia University, who has tracked Facebook's recent missteps. "I suspect it'll be difficult to accurately reconcile the number of users affected due to the nature of [direct messages] and especially group messages."
This is just one more detail that Congress may ask Facebook CEO Mark Zuckerberg to explain when he faces a joint Senate committee hearing Tuesday, followed by a House committee hearing Wednesday. While Zuckerberg and the company he runs have rushed to cast themselves as transparent in the wake of a massive data privacy scandal, the company has consistently slid ever more troubling information about the way users' information has been used into the fine print. Last week, toward the very end of a blog post on new restrictions for app developers, the company noted that 87 million people’s data may have been exposed to Cambridge Analytica, 37 million more than had been publicly reported. Facebook also indicated in that post that most of its 2.2 billion users may have had their public profiles scraped using a feature that allowed people to search for other users with their phone numbers and email addresses.
During a phone call with reporters, Zuckerberg stressed that this was all information that Facebook users “chose to share,” but that’s not necessarily true when it comes to users’ private messages. If one person in a conversation did agree—even willingly—to share their inboxes with an app, that doesn’t mean the person on the other side of that conversation did. And yet, Facebook’s permissions allowed apps to peek in at both sides of a conversation, a practice that continued for months after the company's touted Graph API overhaul in 2015. Unlike some profile information, which users may have unknowingly left public, there is an expectation of privacy that accompanies direct messages. That’s why people send direct messages, rather than post publicly to a Facebook friend’s timeline.
Given his recent change of heart, Zuckerberg may well acknowledge this as an oversight. But like so many others, it was an oversight Facebook could have addressed years ago.