Unfortunately, it appears there may have been others, as the audit has uncovered another 200 Cambridge Analytica-type apps out there.
Facebook has suspended these apps, pending further investigations into each app developer’s potential data misuse.
In a blog post (opens in new tab) titled “An Update on Our App Investigation and Audit”, Facebook VP of Product Partnerships Ime Archibong discussed the results of the company's probe into apps that “had access to large amounts of [user] information”, before Facebook restricted unfettered data access in 2014.
To inspect each app, Facebook’s security teams are using a combination of remote interviews, information requests (RFIs) about what data an app-maker still has stored, and on-site inspections.
The investigation, which Archibong says is “in full swing”, has covered thousands of apps so far (no word on how many apps Facebook has left to scrutinize).
Out of those thousands, he says, “around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data.”
If Facebook discovers an app has misused data, it will instantly “ban” the app, and then post information on this page (opens in new tab) to let users know if the banned apps had access to their data.
While Archibong admits that “there is a lot more work to be done” to find all potential violators of Facebook’s policies, “we are investing heavily to make sure this investigation is as thorough and timely as possible.”
Estimating the extent of the damage
Outside of that key 200 figure, Facebook’s revelations leave a lot of important details out.
For one, what criteria did Facebook use to decide if an app should be suspended? Were these 200 apps chosen simply because they requested or acquired user data, or because Facebook already has evidence or suspicion that they held onto and sold the data?
If the former, the final tally could (hopefully) end up much lower than 200.
We also don’t know what criteria Facebook will use to determine whether a company is in violation of its policies, or how extensive each individual examination will be.
It’s even unclear whether or not Facebook auditors will have the ability to ascertain for certain that a developer misused data.
In 2016, Facebook believed CA when it said that it had deleted the data it had stored, only to find out the truth in 2018 after a whistleblower came forward. Ideally, Facebook's in-person inspections of these hundreds of app-makers will turn up the truth sooner rather than later.
And, of course, we don’t know yet how long it’ll take for Facebook to uncover which users had data obtained by these apps. Facebook took some time to publicize which Facebook users CA had data on, and still hasn’t revealed which users had data scraped by Canadian consultancy firm AggregateIQ.
It may be months or longer before we know for certain which of the 200 apps got access to our personal data. But these 200 apps will undoubtedly add to the 87 million users affected by Cambridge Analytica alone.
- Here are Facebook’s overhauled privacy settings