Facebook says a software bug made some private posts public for as many as 14 million users over several days in May.
The problem, which Facebook says it has fixed, is the latest privacy scandal for the world’s largest social media company. On Thursday, the company said the bug automatically suggested that users make new posts public, even if they had previously restricted to “friends only” or another private setting. If users did not notice the new default suggestion, they unwittingly sent their post to a broader audience than they had intended.
Erin Egan, Facebook’s chief privacy officer, said the bug did not affect past posts. She added that Facebook is notifying users who posted publicly during the time the bug was active to review their posts.
The news follows a recent furor over Facebook’s sharing of user data with device makers, including China’s Huawei. The company is also still recovering from the Cambridge Analytica scandal, in which a British data analysis firm got access to the personal data of as many as 87 million Facebook users and used it to build psychological profiles that could help its clients — mostly political campaigns, including that of Donald Trump — better target their ads.
Jonathan Mayer, a professor of computer science and public affairs at Princeton University, said on Twitter that this latest privacy gaffe “looks like a viable Federal Trade Commission/state attorney general deception case.”
That’s because the company had promised that the setting users set in their most recent privacy preferences would be maintained for future posts. In this case, this did not happen for several days.
Facebook’s 2011 consent decree with the FTC calls for the company to get “express consent” from users before sharing their information beyond what they established in their privacy settings. Even if the bug was an accident on Facebook’s part, Mayer said in an email, the FTC could take enforcement action for privacy violations.
Facebook, which has 2.2 billion users, says the bug was active from May 18 until May 27. While the company says it stopped the error on May 22, it was not able to change all the posts back to their original privacy parameters until later.
The mistake happened, the company said, when it was building a new way for people to share “featured items” on their profiles. These items, which include posts and photo albums, are automatically public. In the process of creating this feature, Facebook said it accidentally made the suggested audience for all new posts public.
When people post to Facebook, the service suggests an audience for their posts, based on past privacy settings. So if you made all your posts “friends only” in the past, it will suggest that you make your new post “friends only,” too. You can still manually change the privacy of the posts — anywhere from “public” to “only me” — and this was the case during the bug’s lifespan, too.