
Developers in China, Russia had access to Facebook user data for years, senators say


Meta is again being called out for its dubious privacy practices, this time over allegations that “significant amounts of sensitive user data” were accessible to “hundreds of thousands of developers” in what Facebook classified as “high-risk jurisdictions,” like China and Russia.

An audit of Meta’s privacy practices revealed that “nearly 90,000 separate developers” in China, over 42,000 developers in Russia, and thousands of developers in other high-risk jurisdictions, including Iran and North Korea, had access to user information.

Not only did the social media giant know about the possible access, internal documents show the data could have been used to facilitate espionage, according to a letter sent by Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla.

The senators are the chair and vice chair of the Senate Select Committee on Intelligence, respectively, and are demanding Meta CEO Mark Zuckerberg provide the committee with a response to these recent reports.

The letter was sent after the company’s own investigation revealed the apparent data sharing. The internal audit was brought on after the Cambridge Analytica fallout in 2018, where a New York Times report found Facebook handed privileged API access to Huawei, OPPO, TCL, and other China-backed device makers for at least eight years.

The Times report confirmed the “device manufacturers were permitted to access a wealth of information on Facebook’s users, including profile data, user IDs, photos, as well as contact information and even private messages.” The news prompted a host of lawsuits.

Congress has been meeting with company leadership in the wake of these developments over its “lax data security policies related to third-party applications” and to determine just who had access to user data and the controls used by Facebook to prevent privacy breaches. The documents were released as part of the legal filings.

“We were startled to learn recently, as a result of this ongoing litigation and discovery, that Facebook had concluded that a much wider range of foreign-based developers, in addition to the PRC-based device-makers, also had access to this data,” the senators wrote.

In fact, Facebook’s own internal materials warned that the high-risk jurisdictions “may be governed by potentially risky data storage and disclosure rules or be more likely to house malicious actors,” including “states known to collect data for intelligence targeting and cyber espionage,” the letter continues.

Warner and Rubio have “grave concerns about the extent to which this access could have enabled foreign intelligence service activity, ranging from foreign malign influence to targeting and counterintelligence activity.”

Based on the unsealed documents that showed Facebook performed separate reviews on the risky developers, Zuckerberg is asked to explain the review process and conclusions, the precise percentage of the developers located in China and Russia, and “what communications, if any, has Facebook had with these developers since its initial identification.”

The senators asked for logs of the frequency of the data sharing, as well as the criteria used to evaluate risk associated with operating in those countries, the exact information the developers had access to, and for how long. Zuckerberg is also asked to estimate just how many users were impacted this time around.

Meta has consistently been in the hot seat over its data practices even before the Cambridge Analytica scandal, particularly over its handling of health data.

Two June 2022 reports claimed its Pixel tool has been routinely scraping hospital data without consent. Despite the company’s denials, multiple health systems reported privacy breaches to the Department of Health and Human Services after discovering the impact of pixel use on their hospital sites — filings that would not have happened if the data sharing had not occurred.

In October, Warner issued another letter to Zuckerberg demanding: “Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?”

The company is currently defending itself against well over 1,000 lawsuits, more than a dozen of which are tied to the Pixel tracking tool alone. But with $480.21 billion in market capitalization, it’s unclear just what impact, if any, these measures will have.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
