The revelation is the most severe breach of privacy yet in the Cambridge Analytica scandal.
The social network admitted to the transfer of data in its warning to users whose friends had installed the This Is Your Digital Life app, which harvested data from not only the installer, but also all their friends on the site.
“A small number of people who logged into This Is Your Digital Life also shared their own news feed, timeline, posts and messages, which may have included posts and messages from you,” the company told affected users.
The statement appears to echo previously unreported claims made by Christopher Wylie, the Cambridge Analytica whistleblower. Wylie told the Observer that he had seen a table, produced by Kogan, that included private messages. It remains unclear whether GSR, Kogan’s company, or Cambridge Analytica ever used the messages to build any targeting models.
Kogan declined to comment, referring the Guardian to an interview with the New York Times in which he said his app collected information from a “couple thousand” people, and that the data “was obviously sensitive so we tried to be careful about who could access it”.
Kogan told the New York Times that he took messages only from people who had installed his app, not their friends, and that none of the information was shared with Cambridge Analytica.
For users who did not install the app, only their messages with the friend who had actively installed the app could have been shared, owing to the specific functionality offered by Facebook at the time. But those users would not have been offered any opportunity to opt out of the data sharing, since Facebook required the mailbox owner only to consent to uploading the entire contents, both sent and received.
For the users who did install the app, potentially their entire mailbox history was uploaded. Those users, however, would have been explicitly notified – through a simple clickthrough panel listing all the permissions they were handing over – that they were granting mailbox access.
The potential that Facebook may have handed over direct messages was first publicly highlighted in late March by Jonathan Albright, a professor at the Tow Center for Digital Journalism. On 21 March he noted that apps such as Kogan’s “could also request users’ private messages [ie their Facebook DM inbox] via the ‘read_mailbox’ API request”. Albright said at the time that Facebook should “immediately” share the API access that it had granted Kogan, as well as whether or not private messages were collected.
Speaking yesterday, Albright said: “Have to admit, I didn’t expect private DMs/messages to show up in people’s CA notifications today … Might explain why FB late getting these [notifications] out?”