Facebook recently closed a serious privacy loophole that gave marketers the ability to discover the members of private groups on the social network.
Andrea Downing, the moderator of a private Facebook group for women with the BRCA gene mutation (which is associated with a higher-risk breast cancer), discovered the existence of a Chrome extension called Grouply.io. This extension made it possible to download names, email addresses, employers, locations, and other details of the BRCA Sisterhood’s 9,000 private group members. Downing, and group members, were understandably rattled by the revelation—while the group wasn’t secret on Facebook (that is, it is searchable), many of its members did not want their identities publicly known.
Downing contacted a security issue to check if her concerns were valid, and he found that the extension did make it possible for third parties to discover the members of “closed” Facebook groups. This extension, in particular, was built to harvest that data for marketers, but the information could also be gleaned manually.
The researcher, Fred Trotter, reported his findings to Facebook May 29. On June 20, a Facebook spokesperson told them: “Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward.”
Facebook completely shut down third parties’ ability to harvest closed group members’ details this way on June 29.
The situation highlights an interesting problem: While genetic information such as a BRCA test result is protected under the Health Insurance Portability and Accountability Act (HIPAA), information on social networks is not. If you choose to share private health information on a social network, that information is not legally regulated like it would if it were part of a medical health record.
Still, the members of the BRCA Sisterhood private group may have grounds for some sort of recourse, at least under GDPR law in the EU. The group members may have had a reasonable expectation of privacy from their closed group setting, which Facebook’s security loophole allowed apps like Grouply.io to exploit.