The disclosures about app suspensions renew questions about whether people’s personal information on Facebook is secure
The New York Times
Kate Conger, Gabriel J.X. Dance and Mike Isaac
September 21, 2019
3:31 PM EDT
SAN FRANCISCO — Facebook said on Friday that it had suspended tens of thousands of apps for improperly sucking up users’ personal information and other transgressions, a tacit admission that the scale of its data privacy issues was far larger than it had previously acknowledged.
The social network said in a blog post that an investigation it began in March 2018 — following revelations that Cambridge Analytica, a British consultancy, had retrieved and used people’s Facebook information without their permission — had resulted in the suspension of “tens of thousands” of apps that were associated with about 400 developers. That was far bigger than the last number that Facebook had disclosed, of 400 app suspensions in August 2018.
The extent of how many apps Facebook had cut off was revealed in court filings that were unsealed later on Friday by a state court in Boston, as part of an investigation by the Massachusetts attorney general into the technology company. The documents showed that Facebook had suspended 69,000 apps. Of those, the majority were terminated because the developers did not cooperate with Facebook’s investigation; 10,000 were flagged for potentially misappropriating personal data from Facebook users.
The disclosures about app suspensions renew questions about whether people’s personal information on Facebook is secure, even after the company has been under fire for more than a year for its privacy practices.
Facebook apps can take on a variety of forms, from music apps like Spotify to games like Candy Crush. Some apps use Facebook simply so that people can log in to their service or product, which otherwise has nothing to do with the social network. The common denominator is that these apps want access to information about Facebook members so that they can add new users.
As the world’s largest social network, Facebook holds data on more than 2 billion people. But it showed that it had failed to safeguard some of that information when Cambridge Analytica took some of the data without people’s permission in 2016 and built voter profiles from it for the Trump presidential campaign, as The New York Times and The Observer in London reported last year. Facebook said that as many as 87 million users’ information could have been retrieved.
The social network has since faced lawsuits, regulatory scrutiny and the ire of lawmakers around the world over whether it can safeguard its users’ data trove. The Justice Department and the FBI are investigating Cambridge Analytica. Mark Zuckerberg, Facebook’s chief executive, has appeared in Congress to testify on the matter. Zuckerberg, who visited Washington this week and met with President Donald Trump, also apologized for the improper handling of user data and vowed changes. That included auditing all of Facebook’s third-party apps to make sure they were not abusing people’s information.
“Every company, and especially the app developers involved, needs to understand that there are consequences for abusing consumer data,” said Jules Polonetsky, chief executive of the Future of Privacy Forum, a nonprofit organization focused on issues of data privacy and scholarship. “If these apps escape legal penalty, developers are left thinking there is no legal risk, privacy is solely a platform responsibility and a terms of service agreement with Facebook.”
Polonetsky called for the Federal Trade Commission to act quickly against developers who broke Facebook’s terms of service around customer data.
The latest revelations follow a settlement that Facebook struck with the FTC in July over privacy violations, in which the company agreed to pay a record $5 billion fine and to increase oversight of its data-handling practices. Some critics claimed at the time that the FTC’s settlement did not go far enough in protecting consumers, and the agency faced new calls to take a harder line on the social network.
“Facebook put up a neon sign that said ‘Free Private Data,’ and let app developers have their fill of Americans’ personal info,” Sen. Ron Wyden, D-Ore., said Friday. “The FTC needs to hold Mark Zuckerberg personally responsible.”
The FTC said in a statement that it was “aware of a widespread problem involving app developers on Facebook’s platform and that’s why the agency obtained the relief it did.” The agency said its settlement required Facebook “to do more to enforce its platform policies and to ensure that app developers are complying with them.”
The agency is also investigating the social network for potential antitrust violations and has started interviewing former employees from companies that Facebook has acquired.
In Facebook’s blog post, Ime Archibong, a company executive, said the suspensions of so many apps were not “necessarily an indication that these apps were posing a threat to people.” Some of the apps had not yet been rolled out, while others were suspended because they did not respond to the company’s request for information, he said.
Archibong added that Facebook had banned some apps, including one called myPersonality, which declined to participate in the company’s audit and had shared information with other parties with few protections around the data. He also said Facebook had sued a South Korean data analytics company, Rankwave, in May for refusing to cooperate with the investigation.
Facebook said that only 400 developers could be associated with tens of thousands of apps because developers often created apps for multiple clients, and built test versions of their products that were not deployed. The investigation is ongoing, the company added.
“We are far from finished,” Archibong wrote. “As each month goes by, we have incorporated what we learned and re-examined the ways that developers can build using our platforms. We’ve also improved the ways we investigate and enforce against potential policy violations that we find.”
The Silicon Valley company has been duelling with the Massachusetts Attorney General’s Office to keep documents related to its app investigation out of the public eye. The state prosecutor began examining Facebook’s data-sharing practices in early 2018 after the Cambridge Analytica revelations broke and issued several civil subpoenas to the company for information. Last month, Facebook petitioned a judge in Boston to seal the records. The seal was lifted on Friday.
“For nearly a year, Facebook has fought to shield information about improper data-sharing with app developers,” Maura Healey, the Massachusetts attorney general, said in a statement. “If only Facebook cared this much about privacy when it was giving away the personal data of everyone you know online.”
According to the court documents, Facebook told the attorney general’s office that it had identified approximately two million apps that required a close examination to determine whether they had misused people’s personal data. The investigation narrowed to focus on a group of 10,000 apps, one document said.
Of the 10,000 apps, 6,000 were flagged because a large number of people installed them, which could expose them to data misuse. Facebook conducted a “detailed background check” of developers behind 2,000 apps to determine whether they had connections to “entities of interest” or revealed any signs of fraud, according to the court documents. Another group of 2,000 apps received a technical review from Facebook, which looked at internal records to determine whether the apps had made broad data requests that could indicate misuse, the documents said.
The Massachusetts prosecutor said in a court filing that it sent Facebook a demand to reveal the names of the apps involved in the investigation. The company declined to identify them.