Facebook recently closed a privacy loophole that allowed third parties to discover the names of people in private, "closed" Facebook groups. A Chrome extension that was made specifically for marketers to harvest this information en masse was also shut down prior to Facebook's move, after the social media network issued a cease-and-desist letter to the application's makers earlier this year, according to a spokesperson.
Facebook's decision came after members of a private group for women with a gene mutation associated with a higher risk breast cancer complained, concerned that their names might be exposed and open them to discrimination from insurers or other privacy violations. A spokesperson for Facebook said shutting down the ability to view members of closed groups was a recent decision based on "several factors," but was not related to this group's outreach.
The privacy issue comes at a time when Facebook is trying to re-position itself as a gathering place for friends, family and those with common problems and interests, in an effort to shake off negative connections to malicious online trolls, political rancor and alleged widespread violations of privacy. Facebook has also prioritized “groups” as a business strategy, with Mark Zuckerberg telling CNN last year: “If what you’re trying to do is run a group that has thousands of people, you need tools to help manage that.”
The company is also dealing with fierce regulatory scrutiny, particularly in the European Union, where new General Data Protection Regulation has expanded the definition of "personal data" far beyond social security numbers, to include the kind of data, like locations, names and genetic markers, that had been available publicly on members of Facebook's closed groups.
A women’s health group that wanted privacy
Andrea Downing helps moderate a members-only group for women that have a gene mutation associated with a higher-risk breast cancer, called BRCA. The group is kept closed, and the women who are members of it often don't want their identities known. The group did not use Facebook's most restrictive privacy setting, "secret," because that would have made it invisible to people searching the site.
Downing said women who join the BRCA Sisterhood Facebook group are often dealing with private issues that make them feel vulnerable, and social media had offered an inviting way to share their stories intimately with other women experiencing the same concerns. Privacy has always been top-of-mind for the Sisterhood community and other groups and others that cater toward BRCA-positive women, she said, because members post pictures of surgical procedures and share private stories of their experiences managing the health matter.
Downing grew concerned about the privacy of group members when she discovered an extension for the Chrome web browser called Grouply.io, which she saw could allow her to easily download names, employers, locations, email addresses and other personal details of all 9,000 people who had signed up for the group. She contacted a security researcher she knew who specialized in health care data, Fred Trotter, to see if her concerns were warranted.
Trotter discovered that "closed" Facebook groups had a privacy loophole that would make it possible for third parties to discover the names of people in them, and that the Grouply.io application was made specifically for marketers to harvest this information en masse. Requests for comment submitted to a forwarding email for the Grouply.io application, which is no longer available, were not answered.
Trotter further discovered he could glean these details manually, without use of the browser extension. On May 29, he submitted a report on the problem to Facebook. A Facebook spokesperson said the social media network had previously made member lists for closed groups "viewable," but the ability to download the full list at once was not a feature on the platform.
On June 20, Trotter and the BRCA members received a response from Facebook, which included an acknowledgement that member lists for these closed groups were available publicly. According to the Facebook response provided by Trotter, a company representative said: "Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward."
A Facebook spokesperson confirmed the interaction and said the company continues to emphasize its commitment to the groups concept in allowing individuals to share sensitive experiences.
Members of the BRCA group replied to Facebook that they were dissatisfied with the response on June 26. By June 29, the ability to harvest details in this way was shut down on Facebook, according to Trotter and Downing.
Social networking site not covered by HIPAA
During his research, Trotter found that he could use Grouply.io or a manual process to download the personal details of members of other closed Facebook groups – including other sensitive circles, such as those meant for people recovering from drug addiction, men living with HIV or individuals identifying as gay in countries where same-sex partnerships are criminalized. That functionality has since been disabled.
CNBC contacted three other security professionals who verified that the ability to download member information from "closed" groups was once enabled, but now appeared to be unavailable.
Data such as this is often used in a variety of ways for marketing goods and services, especially by companies looking to reach an audience of self-selected individuals who may be candidates for specific health treatment. Consumers might not realize that sharing information in a "confidential" context on a social network is not the same as sharing it in a medical context, one expert said.
“A genetic test result like BRCA is protected by HIPAA [the Health Insurance Portability and Accountability Act] and it can’t be shared with marketers, if it is in a medical record. But a social networking site is not covered by HIPAA,” said Deven McGraw, chief regulatory officer for Ciitizen, a health information sharing application. Ms. McGraw, who previously served as deputy director of health information privacy for the U.S. Department of Health and Human Services, said many people mistakenly believe their health information is regulated in the United States regardless of where that information is held.
Facebook may be facing challenges beyond the regulation of health care data, she said. The issue of whether users of a “closed” group had a reasonable expectation of privacy will be one that may catch the attention of EU regulators under GDPR, or even the U.S. Federal Trade Commission, which investigates deceptive practices related to privacy, she said.