Facebook app myPersonality leaked data of three million users for four years before it was eventually suspended
Less than 24 hours after Facebook announced it had suspended hundreds of apps for misusing user data, New Scientist has revealed that one particular personality quiz app exposed the information of more than three million people.
The app in question, myPersonality, was suspended on 7 April after Facebook said it might have violated the site’s data sharing terms. However, for four years before that, data collected by the app including the results of personality tests was easily accessible by simply registering as a project collaborator on a university course website.
“More than 280 people from nearly 150 institutions did this, including researchers at universities and at companies like Facebook, Google, Microsoft and Yahoo”, reports the New Scientist.
Even more alarmingly, those without academic credentials could also access the data, because a working username and password were publicly shared on GitHub. “Anyone who wanted access to the data set could have found the key to download it in less than a minute,” it claims.
Used by more than 6 million people, myPersonality’s data was controlled by University of Cambridge academics David Stillwell and Michal Kosinski. Although the app is not directly implicated in the Cambridge Analytica scandal – Stillwell claims the company was denied access to the app’s data in 2013 because of its political aims – Alexandr Kogan, who developed the app used by CA to harvest data, was listed as a collaborator on the myPersonality project until summer 2014.
New Scientist explains that the terms of the myPersonality allowed it to use and distribute data in “an anonymous manner”, but that the data collected by it was so detailed – it collected information about age, gender, location and status updates along with personality test results – that deanonymising it would have been pretty straightforward for anyone with any amount of knowhow. “Any data set that has enough attributes is extremely hard to anonymise,” Yves-Alexandre de Montjoye from Imperial College London told the publication.
The myPersonality app is being investigated by both Facebook and the Information Commissioner’s Office, both of which must try to establish who might have accessed the data and how they might have used it during the four years it was publicly available. The social network claims the app will be banned if it fails the audit.
However, according to New Scientist, Stillwell claims Facebook has long been aware of the project, and even held meetings with him and Kosinski as early as 2011. The University of Cambridge told New Scientist because the app was created by Stillwell before he joined the university, “it did not go through our ethical approval processes”. It also said “the University of Cambridge does not own or control the app or data”.
How do I know if I am affected?
Facebook has promised that if it discovers any of the 200 apps it suspended have misused your data, it’ll update its “How can I tell if an app may have misused my Facebook information?” page accordingly. So, if you think you might have used the myPersonality app, be sure to check back there regularly.
You can already use the link to see if you or any of your friends installed “This Is Your Digital Life”, the app used by Cambridge Analytica to harvest user data.