Facebook only recently closed loophole compromising private groups

Facebook has recently closed a privacy loophole that allowed third parties to discover the names of people in private ‘closed’ Facebook groups. An extension in Google’s Chrome browser designed to enable marketers to harvest this information en masse was also shut down prior to Facebook closing off the loophole.

Facebook’s action came after complaints from a number of members of a private group for women who carry a BRCA gene mutation, which is associated with a higher risk of breast cancer. The members were concerned that exposure of their names might lead to discrimination or higher premiums from insurers, as well as other privacy violations. A spokesperson for Facebook said that shutting down the ability to view members of closed groups was a recent decision based on “several factors” and was not directly related to this group’s campaign.

Andrea Downing, who helps moderate the BRCA Sisterhood group, says that it did not use Facebook’s most restrictive privacy setting, ‘Secret’, because that would have made the group invisible to people searching the site. Downing became concerned about the privacy level when she discovered a Chrome extension, called Grouply.io, which would have allowed her to easily download the names, email addresses, locations, employers and more of all 9,000 people who had signed up for the group, or of the members of any other private group on Facebook. She then contacted Fred Trotter, a security researcher specialising in health care data, to confirm how easy this information was to access.

Trotter found that ‘closed’ Facebook groups had a significant privacy loophole, making it possible for third parties to discover the names of people in them. The Grouply.io extension exploited this loophole, but was not necessary to access the personal data. On 29 May, Trotter submitted a report to Facebook, and on 20 June, he received a response, acknowledging that member lists for closed groups were available publicly.

“Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members,” said a Facebook spokesperson in the response. “That work is ongoing and may lead to changes that address some of your concerns going forward.”

On 26 June, Trotter and the members of the BRCA group replied to Facebook saying they were dissatisfied with the response. By 29 June, the ability to harvest member details from private groups in this way had been shut down.