Facebook says millions of people's posts were accidentally made public so anyone could see them
Site says the personal information was made available by accident
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.Millions of users' private Facebook posts were made public so that anyone could see them, the site has admitted.
The issue is just the latest privacy problem for the scandal-ridden company.
The bug meant that Facebook automatically switched the privacy settings on users' posts onto public, even if they had previously restricted them only to friends or to specific people. That meant that unless users saw the settings had changed, the posts could be seen by absolutely anyone.
The issue has now been fixed and only ever applied to new posts, according to Erin Egan, Facebook's chief privacy officer. The site will tell people who were affected and posted publicly during the several days it was active, and will tell them to check their posts.
The news follows recent furor over Facebook's sharing of user data with device makers, including China's Huawei. The company is also still recovering from the Cambridge Analytica scandal, in which a Trump-affiliated data-mining firm got access to the personal data of as many as 87 million Facebook users.
Jonathan Mayer, a professor of computer science and public affairs at Princeton University, said on Twitter that this latest privacy gaffe "looks like a viable Federal Trade Commission/state attorney general deception case." That's because the company had promised that the setting users set in their most recent privacy preferences would be maintained for future posts. In this case, this did not happen for several days.
Facebook's 2011 consent decree with the FTC calls for the company to get "express consent" from users before sharing their information beyond what they established in their privacy settings. Even if the bug was an accident on Facebook's part, Mayer said in an email that the FTC can bring enforcement action for privacy mistakes.
Facebook, which has 2.2 billion users, says the bug was active from May 18 until May 27. While the company says it stopped the error on May 22, it was not able to change all the posts back to their original privacy perimeters until later.
The mistake happened, that company said, when it was building a new way for people to share "featured items" on their profiles. These items, which include posts and photo albums, are automatically public. In the process of creating this feature, Facebook said it accidentally made the suggested audience for all new posts public.
When people post to Facebook, the service suggests and audience for their posts, based on past privacy settings. So if you made all your posts "friends only" in the past, it will suggest that you make your new post "friends only" too. You can still manually change the privacy of the posts — anywhere from "public" to "only me" — and this was the case during the bug's life span too.
Additional reporting by agencies
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments