Ireland announced on Friday, December 14, that it had opened an investigation into Facebook, after the disclosure of a new security breach affecting the social network. The flaw allowed third-party applications to access photos of users that they should not have been able to see.
According to details given by Facebook in a press release, the photos of about 6.8 million users were accessible to about 1,500 applications between September 13 and 25, even though the privacy settings of the photos in question should have kept them hidden.
Specifically, these were images that a user had uploaded into a post but then never published (for lack of time or connectivity, by mistake, or after changing their mind). By default, Facebook keeps a copy of these images for three days so that the user can come back and finish publishing them during that period. Between September 13 and 25, these copies of unpublished images could be read by one of the 1,500 third-party applications concerned, and therefore by their development teams, provided the user had previously granted that application access to the photos on their profile. Likewise, because of the flaw, the applications could also access images posted in "Stories" or in classified ads on "Marketplace" (Facebook's equivalent of Le Bon Coin), the company says. The security point is that the permission the user had actually approved was narrower than the access the applications ended up receiving.
An error in the Facebook code
According to the social network, this exposure of images that were supposed to be inaccessible to third-party applications was caused by a "bug in the photo API": in other words, a code error introduced by Facebook during an update of the technical interface that lets a user connect their Facebook profile to external services. That API is what applications such as Tinder, Instagram or Airbnb use when they ask you to log in with your Facebook account. Here the defect was in the part of the API dedicated to photo access, which allows such applications to use the photos you have posted on Facebook; the bug caused it to return photos beyond those the user's approved permission was meant to cover.
In its statement, Facebook says it is "sorry" for this new flaw, which comes two months after the disclosure of another one that allowed attackers to access the personal data of 29 million users. Without detailing which users are affected by this new problem (which countries they are from, whether they are active accounts, how many photos were actually visible) or which applications may have benefited from the error, Facebook has promised to take the necessary remedial steps.
It promised to do this by working with the 876 companies that developed the 1,500 applications, to make sure they delete the photos they may have accessed because of the error, and by notifying users who may have been affected by this improper access to their photos. Users can already check whether this is the case by logging in to this page, which displays a small box indicating whether or not their Facebook account is "affected by this issue".
A GDPR investigation
It is in this context that the Irish authorities announced the opening of a new investigation. More precisely, the move comes from the Irish Data Protection Commission (DPC), Ireland's counterpart of France's CNIL. Under the General Data Protection Regulation (GDPR), in application across the European Union since May 25, 2018, the Irish DPC has jurisdiction extending to the whole EU for matters concerning Facebook (the company having established its European headquarters in Dublin), including assessing the social network's failures to properly inform European users about the use of their personal data.
In October, the DPC had already opened a first investigation after the disclosure of the hack that affected 29 million Facebook users, including three million Europeans. DPC spokesperson Graham Doyle said in a statement on Friday that the investigation is part of a broader process in which the Irish regulator has "received a number of breach notifications from Facebook since the GDPR came into force on May 25".
These GDPR breaches may include the time Facebook took before notifying data protection authorities after discovering a security incident. The CNIL's website specifies that a company processing personal data must notify the supervisory authority, such as the DPC or the CNIL, within seventy-two hours of becoming aware of any "loss (...) of confidentiality of personal data, whether accidental or unlawful". The clock therefore starts when the company becomes aware of the breach, not when the underlying bug was introduced or fixed, which is why the exact dates matter in this case.
A fine of up to 4% of turnover
Since this new flaw was active from September 13 to 25, there is room for doubt about a possible GDPR offence (punishable by a fine of up to 4% of the company's annual worldwide turnover, about 1.4 billion euros in Facebook's case): why did the company wait until December 14 to warn the general public that such a problem could have affected its users' photos?
Contacted about this by the specialist website TechCrunch, Facebook provided a timeline. The flaw was found (and fixed) on September 25, but its teams notified the Irish Data Protection Commission on November 22, "within less than three days" of the point at which Facebook was able to establish, after concluding an internal investigation, that a breach of the confidentiality of its users' personal data may have occurred. The regulator's question is therefore whether "awareness" under the GDPR began on September 25, when the bug was fixed, or nearly two months later, when that internal investigation concluded. As for the delay between finding the bug and telling the general public, Facebook explained to TechCrunch that it had taken a long time to work out which users and applications were really affected, and then to design, and translate, alert messages that matched what had happened.