For a few days last month, a software bug caused 14 million Facebook users’ default setting for sharing content to be “public,” meaning that some of their posts intended to be kept private were accessible to anyone on the internet, the company said Thursday.
Users who were affected by the bug, which appeared when the company was testing new features between May 18 and May 22, will get a notification to review their posts from that period to make sure they actually wanted them to be public and hadn’t simply accepted the changed default setting. In the meantime, Facebook has set any public posts from that period to users’ previous default settings, meaning that even users who intended to make posts public will need to reset them to be globally accessible.
“We’d like to apologize for this mistake,” said Erin Egan, Facebook’s chief privacy officer, in a statement. “We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before–and they could still choose their audience just as they always have.”
Facebook, which said it discovered the bug, has not yet shared details about who may have accessed the exposed data, or how that access may have occurred.
A company spokesperson shared with Fast Company a version of an alert screen that all affected users will begin seeing in their notifications today.
The mistake comes at an awkward time for Facebook, which continues to face questions across the world around the sharing of data with now-defunct political consulting firm Cambridge Analytica. In April, Princeton researchers showed how the company’s “Login With Facebook” feature could be exploited to collect user data. Facebook has long faced criticism from users and privacy advocates who say the service’s privacy settings can be difficult to understand, particularly as new features roll out and the interface evolves, and the new bug is unlikely to ease those fears.
Most recently, a report this week in The New York Times revealed that Facebook provided mechanisms for phone makers to build software accessing user data, mostly to integrate Facebook features before app markets came into widespread use.
While many phone makers have said any data pulled through those channels only resided on phones, not on company servers, some critics have questioned how certain Facebook can be that those statements are true.
“I look forward to learning more about how Facebook ensured that information about their users was not sent to Chinese servers,” Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, said recently, referring to China-based phone vendor Huawei. The data sharing revelation led other lawmakers to turn up the heat on Facebook, with one accusing chief executive Mark Zuckerberg of essentially lying to Congress about users’ privacy controls.
On Thursday, Sen. Warner also asked Google and Twitter for information about their own data sharing agreements with Chinese and other companies, and said he and the committee’s chairman, Senator Richard Burr, would soon be inviting the heads of Facebook, Google and Twitter to testify at a public hearing.