Personal information on more than three million Facebook users who used the now-suspended myPersonality app was exposed online for four years and accessible to anyone using a username and password that were publicly available on GitHub, according to an investigation by New Scientist.
Data, including results of psychological tests, was made available to qualifying researchers via a website run by academics David Stillwell and Michal Kosinski at the University of Cambridge’s The Psychometrics Centre.
More than 280 people from nearly 150 institutions registered as collaborators to gain access to the datasets, including academics, researchers at Facebook and Google and, for a short time, Aleksandr Kogan, the professor behind the app that facilitated the Facebook Cambridge Analytica scandal.
But the New Scientist probe found that the website, intended to share the data privately and anonymously with academics under contract, was poorly secured – anyone could access it with the publicly available login credentials – and the information was easily deanonymized.
Stillwell and Kosinski also hawked the data sets to private sector companies for advertising purposes through a company called Cambridge Personality Research.
Facebook removed the app April 7 for potentially violating its data sharing guidelines.
MyPersonality’s poor protections came to light during the social media giant’s probe of apps prompted by the Cambridge Analytica debacle. The data analytics firm’s 2013 entreaties to access the myPersonality data were spurned, Stillwell told New Scientist, because the information would be used for political purposes. Unable to withstand the months-long scandal over its collection of data from millions of unsuspecting Facebook users, Cambridge Analytica, the data analytics firm that claimed to have helped Donald Trump gain the White House, closed its doors in early May, announcing that it was filing for bankruptcy. But it quickly appeared to rebrand under the umbrella of Emerdata Limited.