Facebook is warning 4 million users that another app may have mishandled their data


Facebook will warn 4 million users that the app “myPersonality” may have mishandled their personal data, according to a blog post by Facebook on Wednesday afternoon.

The app was “mostly active before 2012,” writes Facebook VP Ime Archibong, and is now banned from the platform. There’s no indication that “myPersonality” had access to the data of its users’ Facebook friends, so Facebook will notify only those affected.

This is evocative of the origins of the Cambridge Analytica scandal, in which users of an app called “thisisyourdigitallife,” along with those users’ friends, had their personal data improperly obtained by a political research firm with ties to the Trump presidential campaign. All told, the incident affected as many as 87 million Facebook users.

In the wake of the Cambridge Analytica scandal, Facebook instituted an app auditing process, where it would go through and vet every app that integrated with the social network — past and present — to make sure that it didn’t mishandle or resell the personal data that it gathered, in violation of Facebook’s policies.

However, Archibong writes that “myPersonality” came to Facebook’s attention after “failing to agree to our request to audit and because it’s clear that they shared information with researchers as well as companies with only limited protections in place.”

In other words, while Facebook either can’t or won’t say how the data gathered by “myPersonality” was used, it’s confident enough that the data was mishandled to take action.

Notably, Facebook has been investigating “myPersonality” since at least April, when it suspended the app from the site. It was reported in May that the app had some 6 million users, 40% of whom shared their personal data with the site.

Also of note is that Aleksandr Kogan, the academic who created “thisisyourdigitallife,” contributed to “myPersonality,” which was created in 2007 by Dr. David Stillwell at the University of Cambridge.

In a statement to Business Insider, Dr. Stillwell claims that Facebook knew all about “myPersonality,” and in 2009 actually certified it as a “verified application.”

“It is therefore odd that Facebook should suddenly now profess itself to have been unaware of the myPersonality research and to believe that the data may have been misused,” Dr. Stillwell writes. You can read his full statement below.

Dr. Stillwell issued the following statement late on Wednesday:

“I am aware that Facebook have banned the myPersonality application as its users’ data “may have been misused”. The app has not been in use since July 2012 so this ban is nonsensical and purely for PR reasons. When the app was suspended three months ago I asked Facebook to explain which of their terms was broken but so far they have been unable to cite any instances.

“Just to be clear, all necessary consents were explicitly and repeatedly provided by all Facebook users when using the myPersonality app. Data was not sought nor obtained from users’ friends.

“Facebook has long been aware of the application’s use of data for research. In 2009 Facebook certified the app as compliant with their terms by making it one of their first ‘verified applications.’ In 2011 Facebook invited me to a meeting in Silicon Valley (and paid my travel expenses) for a workshop organised by Facebook precisely because it wanted more academics to use its data, and in 2015 Facebook invited Dr Kosinski to present our research at their headquarters.

“It is therefore odd that Facebook should suddenly now profess itself to have been unaware of the myPersonality research and to believe that the data may have been misused.

“Important research papers have been published due to the generosity of myPersonality users who opted in to share their data for anonymized research. Research published with myPersonality data warning about the privacy risks of Facebook data (such as Facebook Likes) has had major policy impact through citations in UK, EU, Australian and Dutch government data policy reports. Most recently, the UK Parliament’s DCMS Committee report into fake news quoted (p.30) a 2014 academic publication based on myPersonality data warning about the potential for Facebook data misuse.

“To summarise, so far as I am aware, everyone involved in the myPersonality project at all times acted lawfully, ethically and in good faith. We believe that it is important that independent academic research into the privacy risks of big data should continue unhindered.”