According to a report from New Scientist, researchers at the University of Cambridge uploaded user data from 3 million Facebook users onto a shared portal. They locked the data with a username and password, but students later posted the login credentials online, which exposed the data to anyone who did a quick web search to find the username and password.
Researchers at the University of Cambridge distributed the data from the personality quiz app “myPersonality” to hundreds of people via a website with insufficient security provisions. This left the data vulnerable to access for four years, and gaining access illicitly was relatively easy.
The data exposed was highly sensitive, revealing personal details of Facebook users such as the results of psychological tests. The data was meant to be stored and shared anonymously; however, such poor precautions were taken that deanonymizing wasn’t hard.
Facebook suspended myPersonality from its platform on 7 April 2018. According to Facebook, the app may have violated its policies due to the language used in the app and on its website to describe how data is shared.
More than 6 million people completed the tests on the myPersonality app and nearly half of them agreed to share data from their Facebook profiles with the project. All of this data was then scooped up and the names were removed before it was put on a website to share with other researchers.
The terms allowed the myPersonality team to use and distribute the data “in an anonymous manner such that the information cannot be traced back to the individual user”.
To get access to the full data set, people had to register as a collaborator on the project. More than 280 people from nearly 150 institutions did this, including researchers at universities and at companies like Facebook, Google, Microsoft, and Yahoo.
Ime Archibong, Facebook’s vice president of product partnerships, says,
“We suspended the myPersonality app almost a month ago because we believe that it may have violated Facebook’s policies. We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it. There is a lot more work to be done to find all the apps that may have misused people’s Facebook data — and it will take time. We are investing heavily to make sure this investigation is as thorough and timely as possible. We will keep you updated on our progress.”
The social network has suspended about 200 apps as part of its efforts to track down more apps that may have misused user information, Archibong said in a blog post Monday. The company will further investigate the apps, and Facebook plans to notify users of how exactly their data was affected if it finds evidence of abuse.
The data sets were controlled by David Stillwell and Michal Kosinski at The Psychometrics Centre at the University of Cambridge. Aleksandr Kogan, at the center of the Cambridge Analytica allegations, was previously part of the project.
This incident also resembles a larger scandal plaguing both Facebook and researchers affiliated with the University of Cambridge. Political consultancy Cambridge Analytica improperly obtained the data of 87 million Facebook users when researcher Aleksandr Kogan shared information he collected through a personality quiz.