A new report reveals that yet another Facebook app has been gathering personal details from millions of users and selling them to interested parties.
Apparently, data from millions of Facebook users who used the popular myPersonality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation recently unearthed.
myPersonality app exposed personal information of millions of Facebook users
This is what the researchers reported:
Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy.
This revelation is quite troublesome since the data was highly sensitive, revealing private details of Facebook users, including the results of psychological tests. Moreover, the data was meant to be stored and shared anonymously. Unfortunately, the actions to protect the data have been described as “poor precautions”, meaning that deanonymising the data would not be hard at all.
The data sets were controlled by David Stillwell and Michal Kosinski at the University of Cambridge’s The Psychometrics Centre. Alexandr Kogan, at the centre of the Cambridge Analytica allegations, was listed as a collaborator on the myPersonality project until the summer of 2014.
Facebook suspended the myPersonality app from its platform on 7 April. The social platform said that the app may have violated its policies due to the language used in the app and on its website to describe how data is shared, the researchers explained.
How many Facebook users have been affected by myPersonality’s data collection?
The report shows that more than 6 million people completed the tests on the myPersonality app. Furthermore, approximately half of them agreed to share the data from their Facebook profiles.
All of this data was then scooped up and the names removed before it was put on a website to share with other researchers. The terms allow the myPersonality team to use and distribute the data “in an anonymous manner such that the information cannot be traced back to the individual user”.
To access the data, people had to register as collaborators on the project. Not surprisingly, the number of interested parties wasn’t small: at least 280 people from nearly 150 institutions registered, including university researchers and employees from companies such as Facebook, Google, Microsoft and Yahoo.
According to Chris Sumner at the Online Privacy Foundation, “this type of data is very powerful and there is real potential for misuse.”
The data was easily accessible without restrictions
Apparently, access was not limited to those entitled to it (like people with permanent academic contracts). There was an easy workaround: for the last four years, a fully functional login (username and password) has been available online, and the login details could be found with a single web search. Anyone willing to access the data could have found these freely available credentials.
How is this even possible, you are most certainly wondering. This is how:
The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.
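The failure described above, working credentials committed alongside shared code, is the kind of thing a scan before pushing can catch. The following is an added example, not code from the incident or from any party named in the report; the key names, placeholder list and sample file are constructed assumptions.

```python
import re
import sys

# Assumption: key names and placeholder values below are illustrative choices.
KEYS = r"passw(?:or)?d|pwd|secret|token|api_?key"
ASSIGN = re.compile(rf"""(?i)\b(\w*(?:{KEYS})\w*)['"]?\s*[:=]\s*(['"])(.+?)\2""")
URL_CREDS = re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@'"]+:([^\s/@'"]+)@""")
PLACEHOLDERS = {"changeme", "password", "xxx", "todo", "example"}

def is_placeholder(value):
    """True for dummy values and template references that are not real secrets."""
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith(("${", "{{", "<"))

def scan(text, path="<input>"):
    """Return (path, line number, reason) for each likely hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            if not is_placeholder(m.group(3)):
                findings.append((path, lineno, f"literal assigned to {m.group(1)}"))
        for m in URL_CREDS.finditer(line):
            if not is_placeholder(m.group(1)):
                findings.append((path, lineno, "credentials embedded in URL"))
    return findings

# Constructed sample, not the code from the incident.
SAMPLE = '''\
import os
BASE = "https://data.example.org/api"
username = "course_project"
password = "Tr0ub4dor&3"
db_password = os.environ["DB_PASSWORD"]
mirror = "ftp://student:hunter2@files.example.org/dump.csv"
password = "changeme"
'''

if __name__ == "__main__":
    # With file arguments, scan them (usable as a pre-commit hook); otherwise scan SAMPLE.
    hits = []
    for p in sys.argv[1:]:
        with open(p, encoding="utf-8", errors="replace") as fh:
            hits += scan(fh.read(), p)
    if not sys.argv[1:]:
        hits = scan(SAMPLE, "sample.py")
    for path, lineno, reason in hits:
        print(f"{path}:{lineno}: {reason}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status blocks the commit when the script is wired into a pre-commit hook; the value read from the environment on line 5 of the sample passes, which is the pattern to use instead of a literal.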
Lastly, what is most alarming is that the myPersonality app wasn’t only an academic project, as researchers from commercial companies were also entitled to access the data. They only had to agree to abide by strict data protection procedures and not to directly earn money from it.