Millions of Facebook users who used a popular personality app may have had personal data, including their answers to intimate questions, left exposed online for anyone to access, according to an investigation by New Scientist.
The myPersonality quiz app was created by academics at the University of Cambridge. After receiving data from millions of users, the researchers distributed the data to hundreds of other researchers via a website with insufficient security provisions, which left the data vulnerable to illicit access for four years.
The data was highly sensitive and included personal details of Facebook users, including the results of the personality tests. The data was supposed to have been stored and shared anonymously, but due to the poor precautions taken, investigators estimated that deanonymising the data would not be hard.
"This type of data is very powerful and there is real potential for misuse," said Chris Sumner at the Online Privacy Foundation.
The data sets were controlled by David Stillwell and Michal Kosinski at The Psychometrics Centre at the University of Cambridge. Alexandr Kogan, who was at the centre of the Cambridge Analytica scandal, was previously part of the project. The myPersonality app wasn't purely an academic venture either, with researchers from commercial companies entitled to access the data as long as they agreed to data protection procedures and didn't directly earn money from it.
More than 6m people have completed the tests on the myPersonality app, and nearly half of them have agreed to share data from their Facebook profile with the project. The app was suspended from Facebook's platform on 7 April, with Facebook claiming that the app may have violated its policies due to the language used in the app and on its website to describe how data is shared. No mention was made of the potential data leak.
"We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it," said Ime Archibong, vice president of product partnerships at Facebook.
The UK's data watchdog, the Information Commissioner's Office, is also aware of the incident, and is reportedly investigating.