The app permissions that led to 87 million Facebook users’ data being harvested and sold to Cambridge Analytica may have also allowed access to those users’ inboxes, the company confirmed today. This wasn’t achieved by any underhanded means, exactly, but people might not have realized that they were granting permission to read and record their private messages as well as more public data like location and interests.
That messages may have been collected by CA was revealed first by Facebook itself as part of its warning issued to the 87 million users in question. “A small number of people who logged into ‘This Is Your Digital Life’ also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you,” reads the warning.
Access to messages had not been previously disclosed. And, of course, if someone affected had chatted with you, then your messages would also have been collected.
The permission used to do this was called “read_mailbox,” though it would have been put in more everyday terms when a user was agreeing to it. The dialog box would have said something along the lines of, “This app will be able to access your wall posts, friend list, contacts, messages…” in bullet points.
This Is Your Digital Life, the app created by researcher Aleksandr Kogan, which served as the harvester for all this data, requested “read_mailbox” privileges for some period and, as Facebook tells Wired, a total of 1,500 people granted that permission.
It’s unclear why the number is so low if hundreds of thousands agreed to the terms, but the app may only have requested messaging access for a brief period — stopping, perhaps, upon finding that people balked at granting it.
Still, even if only 1,500 people had their messages collected directly, the number of people whose messages were indirectly collected could be orders of magnitude higher. After all, look at your inbox, if you have one — there are likely dozens of conversations, perhaps with hundreds of people. So that 1,500 could balloon to 150,000 real fast.
I’ve asked Facebook for clarification on how the 1,500 number was determined and what the number of secondary affected users is.