Facebook has announced a sweeping overhaul of its data collection rules, and revealed that most people's accounts were likely targets of "scraping" by malicious actors.
Mike Schroepfer, chief technology officer, on Wednesday published a blog post outlining nine areas where Facebook would focus on tightening up data protection. The new data rules come as Facebook is dealing with the fallout from the Cambridge Analytica data leak, in which the third-party developer reportedly misused data on 50 million Facebook users in its work to influence U.S. elections and the U.K. Brexit referendum.
On Wednesday, Schroepfer said the company now believes Cambridge Analytica may have actually improperly received data not on 50 million users, but 87 million.
Since the spotlight has shined brightly on Facebook's data-sharing policies, the company has been reviewing how it works with outside parties and exactly what kind of access it will allow in the future.
In the blog post, under the category of "search and account recovery," Schroepfer detailed a vulnerability in which bad actors could use Facebook's search bar to look up accounts by phone number or email.
"Given the scale and sophistication of the activity we've seen," Schroepfer writes, "we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature."
During a call with media on Wednesday afternoon, Facebook CEO Mark Zuckerberg was asked about the widespread scraping. He said most people keep the default privacy setting allowing their accounts to be searched in this way, meaning "not quite" everyone was vulnerable, but most were.
"The potential here would be that over the period of time that this feature has been around, people have been able to scrape public information," Zuckerberg said, adding it's "reasonable to expect" that people's public information was accessed in this way if they had the search setting turned on.
Abbas Razaghpanah, a doctorate candidate at Stony Brook University who specializes in mobile privacy and security, said once that data is scraped, there is little Facebook can do to regain control of that information.
"There's a number of ways public information can be abused," Razaghpanah says. "Somebody could use this information to impersonate you in a number of ways, none of which is good for the person being impersonated."
The new policies also impact the data developers can glean going forward. Facebook said it will now have to manually approve most apps before they can access the APIs—application programming interface platforms—if they plug into Pages, Group or Events.
"Until today, any app could use the Pages API to read posts or comments from any Page," Schroepfer writes. "This let developers create tools for Page owners to help them do things like schedule posts and reply to comments or messages. But it also let apps access more data than necessary."
Similar concerns were raised with the other categories.
Facebook also addressed the call and text data that had been collected through Messenger. At the end of March, some users discovered that the messaging app stored information about contacts and kept records of message and call times.
Facebook said it checked its practices to determine the validity of concerns that it also kept records of actual conversations. Facebook says that was not the case.
"We've reviewed this feature to confirm that Facebook does not collect the content of messages—and will delete all logs older than one year," Schroepfer writes. "In the future, the client will only upload to our servers the information needed to offer this feature—not broader data such as the time of calls."