The Strategist

Facebook is leaking… again



05/16/2018 - 11:43



A New Scientist investigation found that the personal data of 3 million users of the popular Facebook application myPersonality was freely available. The application's developers, Cambridge University staff, provided the user data to numerous research projects and organizations. However, the information was shared through an inadequately protected website, which put its security at risk.



New Scientist showed that data collected through the myPersonality application, such as profile information and answers to test questions, was overseen by David Stillwell and Michal Kosinski of the Center for Psychometric Measurements at Cambridge University. The application contains a variety of psychological tests of very different kinds. It was used by more than 6 million users, and about half of them agreed to give the application access to their profiles.

Under the agreement’s terms, myPersonality developers have the right to use and distribute the data "anonymously, so that it is impossible to reach a specific user according to available information." After removing the users' names, they uploaded all of this data to a dedicated website, to which members of the research community could obtain access. According to New Scientist, more than 280 people from 150 organizations took up this opportunity, among them universities and companies including Facebook, Google, Microsoft and Yahoo.

It turned out that not only the researchers but anyone could find this data. Active logins and passwords for the website can easily be found on the Internet, so downloading the full data set would take less than a minute.

Among other things, the leaked information contained important psychological characteristics of users, as well as age, gender, marital status, location, and so on. "This type of information has a high potential for causing significant harm," said Online Privacy Foundation expert Chris Sumner.

Pam Dixon, a representative of the World Privacy Forum, also believes that the problem is serious: "In any case, if the login and password for any restricted-access files become publicly available, this is already a serious issue, threatening consequences. This is not only a violation of security rules, but also a gross ethical violation - to give access to data to strangers." At the same time, according to Mrs. Dixon, it was quite possible to trace a specific person using this data. And if the process of re-identification is automated, then the identities of millions of users who have taken myPersonality tests will be easily established, which is a gross violation of the agreement with Facebook.

At the end of March, against the backdrop of the scandal involving Facebook and the research company Cambridge Analytica, the social network began checking all applications that have access to large amounts of users' personal data. This week, Facebook published the first results of this review and said that about 200 applications had been blocked. MyPersonality was blocked by Facebook as early as April 7, but its verification continues, as Facebook Vice President Ime Archibong told New Scientist. According to him, if the application refuses to cooperate or fails verification, it will be banned by the social network.

At Cambridge University, New Scientist was told that myPersonality was developed by David Stillwell even before he started working there, and that it was not tested for compliance with ethical standards. Mr. Stillwell himself noted that the application has been running for nine years, and that during this time there was only one case of data leakage. At the same time, he said, access to the collected personal data was provided only in exchange for an obligation not to disclose it. Mr. Stillwell is sure that "scientific research only benefits from an exchange of impersonal data under the appropriate control within the scientific community". He also noted that Facebook was well aware of the nature of his research within the myPersonality project, and he is surprised that the social network now suddenly "pretended to know nothing and believes that the use of collected data violates the agreement" with it.

Meanwhile, British regulators have already begun an investigation into the data leak. The Office of the Information Commissioner (ICO) is trying to determine who specifically accessed myPersonality data and what it was subsequently used for. "We are aware of the incident with the application of myPersonality, and we are conducting a check," the agency told New Scientist. But given the amount of data collected by the application and the potential number of people and organizations that have accessed it officially or unofficially, the process of establishing all recipients can be very difficult and time-consuming. "This is only the tip of the iceberg," says Dixon. "Who else has this data?"

source: newscientist.com