Data from millions of Facebook users who used a popular personality app, including their answers to intimate questionnaires, was left exposed online for anyone to access, a New Scientist investigation has found.
Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Gaining access illicitly was relatively easy.
The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. It was meant to be stored and shared anonymously; however, such poor precautions were taken that deanonymising it would not be hard.
“This type of data is very powerful and there is real potential for misuse,” says Chris Sumner at the Online Privacy Foundation. The UK’s data watchdog, the Information Commissioner’s Office, has told New Scientist that it is investigating.
The data sets were controlled by David Stillwell and Michal Kosinski at the University of Cambridge’s Psychometrics Centre. Alexandr Kogan, at the centre of the Cambridge Analytica allegations, was listed as a collaborator on the myPersonality project until the summer of 2014.
Facebook suspended myPersonality from its platform on 7 April saying the app may have violated its policies due to the language used in the app and on its website to describe how data is shared.
More than 6 million people completed the tests on the myPersonality app and nearly half agreed to share data from their Facebook profiles with the project. All of this data was then scooped up and the names removed before it was put on a website to share with other researchers. The terms allow the myPersonality team to use and distribute the data “in an anonymous manner such that the information cannot be traced back to the individual user”.
To get access to the full data set, people had to register as a collaborator on the project. More than 280 people from nearly 150 institutions did this, including researchers at universities and at companies like Facebook, Google, Microsoft and Yahoo.
However, for those who were not entitled to access the data set, because they didn’t have a permanent academic contract, for example, there was an easy workaround. For the last four years, a working username and password have been available online and could be found with a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute.
The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.
myPersonality wasn’t merely an academic project; researchers from commercial companies were also entitled to access the data so long as they agreed to abide by strict data protection procedures and didn’t directly earn money from it.
Stillwell and Kosinski were both part of a spin-out company called Cambridge Personality Research, which sold access to a tool for targeting adverts based on personality types, built on the back of the myPersonality data sets. The firm’s website described it as the tool that “mind-reads audiences”.
Facebook started investigating myPersonality as part of a wider investigation into apps using the platform. This was started by the allegations surrounding how Cambridge Analytica accessed data from an app called This Is Your Digital Life developed by Kogan.
Today Facebook announced that it had suspended around 200 apps as part of its investigation into apps that had access to large amounts of information on users.
Source: New Scientist