Andrea Downing helps moderate a members-only group for women that have a gene mutation associated with a higher-risk breast cancer, called BRCA. The group is kept closed, and the women who are members of it often don’t want their identities known. The group did not use Facebook’s most restrictive privacy setting, “secret,” because that would have made it invisible to people searching the site.
Downing said women who join the BRCA Sisterhood Facebook group are often dealing with private issues that make them feel vulnerable, and social media had offered an inviting way to share their stories intimately with other women experiencing the same concerns. Privacy has always been top-of-mind for the Sisterhood community and other groups and others that cater toward BRCA-positive women, she said, because members post pictures of surgical procedures and share private stories of their experiences managing the health matter.
Downing grew concerned about the privacy of group members when she discovered an extension for the Chrome web browser called Grouply.io, which she saw could allow her to easily download names, employers, locations, email addresses and other personal details of all 9,000 people who had signed up for the group. She contacted a security researcher she knew who specialized in health care data, Fred Trotter, to see if her concerns were warranted.
Trotter discovered that “closed” Facebook groups had a privacy loophole that would make it possible for third parties to discover the names of people in them, and that the Grouply.io application was made specifically for marketers to harvest this information en masse. Requests for comment submitted to a forwarding email for the Grouply.io application, which is no longer available, were not answered.
Trotter further discovered he could glean these details manually, without use of the browser extension. On May 29, he submitted a report on the problem to Facebook. A Facebook spokesperson said the social media network had previously made member lists for closed groups “viewable,” but the ability to download the full list at once was not a feature on the platform.
On June 20, Trotter and the BRCA members received a response from Facebook, which included an acknowledgement that member lists for these closed groups were available publicly. According to the Facebook response provided by Trotter, a company representative said: “Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward.”
A Facebook spokesperson confirmed the interaction and said the company continues to emphasize its commitment to the groups concept in allowing individuals to share sensitive experiences.
Members of the BRCA group replied to Facebook that they were dissatisfied with the response on June 26. By June 29, the ability to harvest details in this way was shut down on Facebook, according to Trotter and Downing.
Source : CNBC