Facebook has released further details on possible abuse of personal information on the social network, saying most users may have been affected by "malicious actors" scraping public profile information. In addition, the company said some 87 million people had been affected by Cambridge Analytica's improper use of personal data on Facebook users.
The information was disclosed in a statement and conference call by CEO Mark Zuckerberg with the press, where he outlined the company's continued efforts to protect users of the social network and their data. He also confirmed that he will appear before a US Congress committee on 11 April to discuss the recent data breaches and Facebook's role, while other top executives from the company will meet with government officials in other countries.
Zuckerberg said that "it’s clear now that we didn’t do enough" to prevent abuse of the platform and how its tools could harm people. "We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake. It was my mistake." As a result, "we’re broadening our view of our responsibility, from just giving people tools to recognizing that it’s on us to make sure those tools are used well."
Facebook said that the 87 million people affected by the improper sharing of data with political campaigner Cambridge Analytica would be informed by the company. The number was previously thought to be 50 million, according to the initial press reports on the breach, and this is the first time Facebook has given its own data. The vast majority, some 70 million, were in the US, while Facebook also gave a breakdown for numbers of affected users in other countries.
Zuckerberg said this information was finalised in the "last couple days", based on estimates of how many people the original app used to collect the data could have reached. He said the company did not have logs going back to when the app was first used.
The company further disclosed that it had found that a function to search on a person’s phone number or email address in Facebook search was being abused to collect personal data. The unnamed "malicious actors" accumulated personal profile information by submitting phone numbers or email addresses they already had through search and account recovery. Facebook said that "most people on Facebook could have had their public profile scraped in this way", given the level of sophistication of the scheme. As a result, it's disabled this feature and changed its account recovery methods to reduce the risk of scraping.
Additional changes have been made to the collection of call and text history data of people using Messenger or Facebook Lite on Android. Facebook said it's "reviewed this feature to confirm that Facebook does not collect the content of messages", and going forward and will delete all logs older than one year. In future, clients will only upload to Facebook servers the information needed to offer the service, and not broader data such as the time of calls.
Zuckerberg further confirmed that changes to Facebook Login have started to control better third-party apps' access to user data. From 09 April, the company will launch the earlier announced link at the top of the News Feed for users to see what apps they use and the information they have shared with those apps. People will also be able to remove apps that they no longer want.
New terms of service
In addition, the company published its proposed new terms of service and data policy. These will be open to public comment for seven days before being rolled out. The update notably adds information about how Facebook shares data with its other services WhatsApp, Oculus and Instagram, as well as more detailed explanations of how it processes personal and device data and shares this with advertisers and third-party services.
Zuckerberg said that privacy controls would be the same for Facebook users around the world. He rejected an earlier story by Reuters that suggested users in the EU may benefit from stronger controls under the EU's General Data Protection Regulation taking effect next month. "We intend to make all the same controls and settings available everywhere, not just in Europe," said the CEO. "Is it going to be exactly the same format? Probably not. We need to figure out what makes sense in different markets with the different laws and different places."
Finally, the CEO said he did not see a meaningful impact from the #deletefacebook campaign started after the Cambridge Analytica scandal broke. "I don’t think there has been any meaningful impact we’ve observed," he said in response to a journalist's question. "But, look, it’s not good. I don’t want anyone to be unhappy with our services or what we do as a company. So, even if we can’t really measure a change and the usage of a product, or the business or anything like that, it still speaks to people feeling like this is a massive breach of trust and that we have a lot of work to do to repair that."
