Set the "days without a Facebook privacy problem" counter to zero. This week, an alerted developer contacted TechCrunch and told us that their Facebook App Analytics weekly summary email had been sent to someone outside their company. The email contains confidential business information, including weekly average users, page views, and new users.
Forty-three hours after we contacted Facebook about the issue, the social network confirmed to TechCrunch that 3 percent of the apps that use Facebook Analytics had their weekly summary reports sent to the app's testers, not just to the developers, administrators and analysts of the app.
Testers are often people outside the developer's company. If the leaked information reaches an app's competitors, it could give them an advantage. At least the testers could not click through to see more detailed historical analysis on the Facebook page.
Facebook informs us that the issue has been resolved and that no personally identifiable information or contact information was disclosed inappropriately. It plans to inform all affected developers about the leak today and has already started. The following is the email the company is sending:
Subject line: We recently fixed a bug with your weekly email summary
We would like to inform you about a recent error in which a Facebook Analytics email for your app "[APP NAME WILL BE DYNAMICALLY INSERTED HERE]" was sent to your app's testers. As you know, we send weekly summary emails to keep you up to date on some of your key metrics. These emails are sent to people you have identified as administrators, analysts, and developers. You can also add testers to your account, people you have designated to test your apps during the development phase.
We accidentally sent the last weekly email summary to your testers, in addition to the usual set of administrators, analysts and developers who receive these updates. The testers could only see the aggregated high-level information in the email and were unable to access other account information. If they clicked View Dashboard, they did not have access to your Facebook Analytics information.
We apologize for the error and have made updates to prevent this from happening again.
One affected developer told TechCrunch, "Not sure why it should ever be appropriate to send business metrics to an app user? When I created my app (in beta), I added dozens of people as testers because it only meant that they could log into the app … no credentials!" They are still waiting for the disclosure from Facebook.
Facebook would not give a number of apps affected by the bug. Last year, there were 1
The bug comes just weeks after a bug caused 14 million Facebook status update composers to change their default privacy setting to "public". Facebook has also previously had problems with the disclosure of business information. In 2014, Facebook mistakenly sent advertisers receipts for other advertising campaigns, causing considerable confusion. The company has also misread metrics about page reach and more on several occasions. Although no user data was exposed and today's problem is not as severe as other Facebook problems, developers still consider their business metrics private, so this is a violation of that privacy.
While Facebook has been working diligently since the Cambridge Analytica scandal to close app platform privacy holes, remove access to many APIs and improve human app ratings, problems like today's make it hard to believe that Facebook is handling the data of its 2 billion users properly.