Marketers could harvest member data from closed Facebook groups as recently as June, report says

Facebook continues to struggle with user privacy after years of encouraging developers and marketers to scrape large amounts of data, as a new report shows.

CNBC found that third parties could still get sensitive data on private groups, including group members’ names, as recently as June. According to CNBC, a moderator of a private Facebook group discovered a Chrome extension called Grouply.io, which purportedly gave people the ability to scrape information from Facebook groups.

The article calls the ability to harvest personal data on private groups a “loophole,” but a Facebook spokesperson disputed that term in an email to VentureBeat, saying that “while we recently made a change to closed groups, there was not a privacy loophole.”

CNBC doesn’t state how the woman, Andrea Downing, found the extension. But she decided to test it with the group she moderated — a private group called the BRCA Sisterhood, for women with a gene mutation associated with a high risk of breast cancer. Using Grouply,io, she was able to download “names, employers, locations, email addresses, and other personal details of all 9,000 people who had signed up for the group.”

Facebook has always had three types of groups: public, closed (also sometimes referred to as private), and secret. In public groups, the list of members, as well as the posts of the group, are available for anyone to see. In closed groups, messages are private, but until recently people could search for a closed group and see a list of people in that group. Secret groups are not discoverable, and their member lists are not public.

Downing started working with a health care data journalist and security researcher named Fred Trotter to figure out how Grouply.io was able to get so much information on the BRCA Sisterhood members. Trotter sent a letter to Facebook detailing his concerns about the data harvesting, and on June 20 the company sent a response to members of the BRCA group and Trotter, stating:

“Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward.”

Six days later, the group members sent Facebook another note saying that they were unhappy with the company’s response, and by June 29 the ability to publicly view member lists for closed groups was gone, according to Downing and Trotter. Now, only admins and moderators of closed groups are still available to non-members.

Earlier this year, Facebook also sent a cease-and-desist letter to Grouply.io, which is now shut down. Grouply.io’s website simply states that “you cannot get Grouply” anymore, with no explanation.

Facebook has been feeling pressure to close more third parties off from sensitive user data, ever since reports emerged earlier this year about how it failed to stop Cambridge Analytica from getting data on millions of U.S. voters. As CNBC reports, the BRCA Sisterhood example is particular concerning because the group name makes evident sensitive health information about its members. Downing decided not to set the group to secret, the most private setting, because she wanted people outside of the group to be able to find it. But that didn’t mean she wanted third parties to be able to get information about its users en masse. And while Facebook itself didn’t allow third parties to download group members’ detailed personal information, it wasn’t able to completely stop an extension from doing so.

Facebook has taken a number of steps in recent months to curb the amount of data third parties are able to access. These measures include starting an audit of apps that have access to large amounts of data, requiring any apps that want access to a number of APIs to undergo a formal audit, and requiring issue and political advertisers and admins of large Facebook pages to verify their identity and location.