Facebook mistakenly leaked developer analytics reports to testers

Set the “days without a Facebook privacy problem” counter to zero. This week, an alarmed developer contacted TechCrunch, informing us that their Facebook App Analytics weekly summary email had been delivered to someone outside their company. It contains sensitive business information, including weekly average users, page views and new users.

Forty-three hours after we contacted Facebook about the issue, the social network now confirms to TechCrunch that 3 percent of apps using Facebook Analytics had their weekly summary reports sent to their app’s testers, instead of only the app’s developers, admins and analysts.

Testers are often people outside of a developer’s company. If the leaked info got to an app’s competitors, it could provide them an advantage. At least they weren’t allowed to click through to view more extensive historical analytics data on Facebook’s site.

Facebook tells us it has fixed the problem and no personally identifiable information or contact info was improperly disclosed. It plans to notify all impacted developers about the leak today and has already begun.

Update: 1pm Pacific: TechCrunch was provided with this statement from a Facebook spokesperson:

“Due to an error in our email delivery system, weekly business performance summaries we send to developers about their account were also sent to a small group of those developers’ app testers. No personal information about people on Facebook was shared. We’re sorry for the error and have updated our system to prevent it from happening again.”

Below you can find the email the company is sending:

Subject line: We recently resolved an error with your weekly summary email

We wanted to let you know about a recent error where a summary e-mail from Facebook Analytics about your app was sent to testers of your app ‘[APP NAME WILL BE DYNAMICALLY INSERTED HERE]’. As you know, we send weekly summary emails to keep you up to date with some of your top-level metrics — these emails go to people you’ve identified as Admins, Analysts and Developers. You can also add Testers to your account, people designated by you to help test your apps when they’re in development.

We mistakenly sent the last weekly email summary to your Testers, in addition to the usual group of Admins, Analysts and Developers who get updates. Testers were only able to see the high-level summary information in the email, and were not able to access any other account information; if they clicked “View Dashboard” they did not have access to any of your Facebook Analytics information.

We apologize for the error and have made updates to prevent this from happening again.

One affected developer told TechCrunch, “Not sure why it would ever be appropriate to send business metrics to an app user. When I created my app (in beta) I added dozens of people as testers as it only meant they could log in to the app…not access info!” They’re still waiting for the disclosure from Facebook.

Facebook wouldn’t disclose a ballpark number of apps impacted by the error. Last year it announced 1 million apps, sites and bots were on Facebook Analytics. However, this issue only affected apps, and only 3 percent of them.

The mistake comes just weeks after a bug caused 14 million users’ Facebook status update composers to change their default privacy setting to public. And Facebook has had problems with misdelivering business information before. In 2014, Facebook accidentally sent advertisers receipts for other businesses’ ad campaigns, causing significant confusion. The company has also misreported metrics about Page reach and more on several occasions. Though user data didn’t leak and today’s issue isn’t as severe as others Facebook has dealt with, developers still consider their business metrics to be private, making this a breach of that privacy.

While Facebook has been working diligently to patch app platform privacy holes since the Cambridge Analytica scandal, removing access to many APIs and strengthening human reviews of apps, issues like today’s make it hard to believe Facebook has a proper handle on the data of its 2 billion users.

Source: Mobile – TechCrunch

Facebook demands advertisers have consent for email/phone targeting

Facebook is hoping to avoid another privacy scandal by adding new accountability and transparency requirements for businesses that use its Custom Audiences tool to target you with ads based on your email address or phone number. Starting July 2nd, advertisers will have to declare whether contact info uploaded for ad targeting was collected with proper user consent by them, one of their partners or both. Users will be able to see this info if they opt to block future ads from that business.

Companies can only share Custom Audiences info with partners like ad agencies if they’re formally connected through Facebook’s business manager tool. And Facebook will start to show advertisers reminders that they need consent for contact info ad targeting and force all users connected to an ad account to confirm these terms.

The new consent tool launch confirms TechCrunch’s scoop from March that Facebook would crack down on Custom Audiences targeting without consent. Facebook has always technically required consent, but it hasn’t necessarily done much to enforce those rules. That same approach to API rules produced the Cambridge Analytica debacle. Facebook began to safeguard Custom Audiences a few months ago when it blocked third-party data brokers like Datalogix and Acxiom from working with Facebook to upload data sets as Partner Categories that advertisers could target. But that still let businesses just upload the same data themselves.

[Update: Two days after the March announcement, Facebook also announced it would be shutting down Managed Custom Audiences, which let data brokers upload data sets on behalf of marketers. But in doing so, Facebook also formalized its policy that advertisers could still buy these data sets from data brokers and upload them themselves.]

Custom Audiences is one of Facebook’s most valuable revenue generators because it allows businesses to hit up their former customers to buy more. A scandal surrounding the targeting mechanism could be seriously detrimental to the social network’s business in a way that the rest of its recent public image problems haven’t, judging by the recovery of Facebook’s share price.

Since 2012, Facebook has offered Custom Audiences as a way for businesses to upload privacy-safe hashed lists of customer contact info. Facebook matches that against its users’ info to show them the business’ ads, rather than companies having to pay to try to reach those people through demographic targeting. That way, a company that already sold you a car and got your email signup could target you a few years later with ads to trade in and buy a new vehicle. Businesses can also use Facebook’s lookalikes targeting to reach people with similar characteristics to their existing customers.

Now at least Facebook will show this “Original Data Source” field asking who collected the uploaded phone numbers or emails. Users can check out this info if they click the “Why Am I Seeing This Ad?” button in the drop-down. However, Facebook stops short of scanning the lists for suspicious info, such as blocks of contact info that match hacked or purchased data sets.

That means Facebook is trusting advertisers to tell the truth about consent for targeting… despite them having a massive financial incentive to bend or break those rules. Today’s update will give Facebook more plausible deniability in the event of a scandal, and it might deter misuse. But Facebook is stopping short of doing anything to actually prevent non-consensual ad targeting.

Source: Mobile – TechCrunch