NEW YORK (AP) — Facebook revealed Wednesday that tens of millions more people might have been exposed in the Cambridge Analytica privacy scandal than previously thought and said it will restrict the data it allows outsiders to access on its users.
Those developments came as congressional officials said CEO Mark Zuckerberg will testify next week, while Facebook unveiled a new privacy policy that aims to explain the data it gathers on users more clearly — but doesn’t actually change what it collects and shares.
Facebook is facing its worst privacy scandal in years following allegations that a Trump-affiliated data mining firm, Cambridge Analytica, used ill-gotten data from millions of users to try to influence elections. The company said Wednesday that as many as 87 million people might have had their data accessed — an increase from the 50 million disclosed in published reports.
This Monday, all Facebook users will receive a notice on their Facebook feeds with a link to see what apps they use and what information they have shared with those apps. They’ll have a chance to delete apps they no longer want. Users who might have had their data shared with Cambridge Analytica will be told of that. Facebook says most of the affected users are in the U.S.
With outsiders’ access to data under scrunity, Facebook outlined several changes to further tighten its policies.
Facebook is restricting access that apps can get about users’ events, as well as information about groups such as member lists and content. In addition, the company is also removing the option to search for users by entering a phone number or an email address. While this was useful to people to find friends who may have a common name, Facebook says malicious actors abused it by collecting people’s profile information through phone or email lists they had access to.
This comes on top of changes announced a few weeks ago. For example, Facebook has said it will remove developers’ access to people’s data if the person has not used the app in three months.
Earlier Wednesday, Facebook unveiled a new privacy policy that seeks to clarify its data collection and use.
For instance, Facebook added a section explaining that it collects people’s contact information if they choose to “upload, sync or import” this to the service. This may include users’ address books on their phones, as well as their call logs and text histories. The new policy says Facebook may use this data to help “you and others find people you may know.”
The previous policy did not mention call logs or text histories. Several users were surprised to learn recently that Facebook had been collecting information about whom they texted or called and for how long, though not the actual contents of text messages. It seemed to have been done without explicit consent, though Facebook says it collected such data only from Android users who specifically allowed it to do so — for instance, by agreeing to permissions when installing Facebook.
Facebook also added clarification that local laws could affect what it does with “sensitive” data on people, such as information about a user’s race or ethnicity, health, political views or even trade union membership. This and other information, the new policy states, “could be subject to special protections under the laws of your country.” But it means the company is unlikely to apply stricter protections to countries with looser privacy laws — such as the U.S., for example. Facebook has always had regional differences in policies, and the new document makes that clearer.
The new policy also makes it clear that WhatsApp and Instagram are part of Facebook and that the companies share information about users. The two were not mentioned in the previous policy. While WhatsApp still doesn’t show advertisements, and has its own privacy policy, Instagram long has and its policy is the same as Facebook’s. But the notice could be a sign of things to come for WhatsApp as well.
Other changes incorporate some of the restrictions Facebook previously announced on what third-party apps can collect from users and their friends.
Although Facebook says the changes aren’t prompted by recent events or tighter privacy rules coming from the EU, it’s an opportune time. It comes as Zuckerberg is set to appear April 11 before a House committee — his first testimony before Congress.
As Facebook evolved from a closed, Harvard-only network with no ads to a giant corporation with $40 billion in advertising revenue and huge subsidiaries like Instagram and WhatsApp, its privacy policy has also shifted — over and over.
Almost always, critics say, the changes meant a move away from protecting user privacy toward pushing openness and more sharing. On the other hand, regulatory and user pressure has sometimes led Facebook to pull back on its data collection and use and to explain things in plainer language — in contrast to dense legalese from many other internet companies.
The policy changes come a week after Facebook gave its privacy settings a makeover. The company tried to make it easier to navigate its complex and often confusing privacy and security settings, though the makeover didn’t change what Facebook collects and shares either.
Those who followed Facebook’s privacy gaffes over the years may feel a sense of familiarity. Over and over, the company — often Zuckerberg — owned up to missteps and promised changes.
In 2009, the company announced that it was consolidating six privacy pages and more than 30 settings on to a single privacy page. Yet, somehow, the company said last week that users still had to go to 20 different places to access all of their privacy controls and it was changing this so the controls will be accessible from a single place.
