Facebook investigation records show crash effort to probe app privacy in wake of Cambridge Analytica scandal

More than a year after the Cambridge Analytica scandal emerged, Facebook targeted for suspension more than 50,000 apps that may have had access to sensitive data of millions of users who didn’t consent to that access, according to newly unsealed court documents that illuminate Facebook’s crash program to understand the scope of its privacy exposure.

The senior leadership of the company now known as Meta Platforms understood the gravity of the crisis they faced in 2018 as public knowledge grew that app developers on Facebook had broad access to the non-public data of millions of other Facebook users who had never consented to that access, the newly public documents suggest.

The internal documents, some of which were unsealed only late Friday night and which Meta has fought to keep secret for years, detail the progress of Facebook’s “App Developer Investigation,” or “ADI,” and include previously sealed correspondence of Sheryl Sandberg, the former chief operating officer who led Facebook alongside CEO Mark Zuckerberg. They were ordered unsealed by a federal judge in San Francisco as part of class-action litigation that Meta in December proposed to pay $725 million to settle.

“The single biggest issue we face —  and I really need everyone to know this —  is that there were a MILLION developers with access to the data. We are going to have many, many, many more moments like this in the next months and year,” Sandberg wrote in a March 22, 2018 email excerpted in one of the recently unsealed documents.

While Facebook in September 2019 acknowledged suspending “tens of thousands” of apps as part of its ADI, it never disclosed an exact number. The newly public documents show that by May of that year, as part of its crash effort to evaluate 11 million potentially problem apps, Facebook had decided to target 50,863 apps created by about 80 software developers who had failed to provide sufficient information about the apps.

Millions of users

Those apps had a total of 2.9 million users, according to a spreadsheet included in documents unsealed under an order this week by US District Judge Vince Chhabria. Facebook’s concern was that like the personality quiz app at the heart of the Cambridge Analytica scandal, which was downloaded by fewer than 400,000 users that accessed data on 87 million Facebook users, those 50,000 apps could potentially access the data of hundreds of millions of Facebook subscribers.

In that case, Facebook ultimately agreed in July 2019 to implement privacy compliance measures and pay $5 billion, the largest fine ever imposed by the US Federal Trade Commission. The company's investigation before that settlement resulted in a plan to remove apps for which sufficient information could not be acquired.

“As part of our ongoing App Developer Investigations, we have a list of 50,863 apps [associated with ~80 developers] targeted for suspension next week due to lack of response to our RFIs [Request for Information],” Nana Akyaa Amoah, a Facebook platform sustainability engineer, wrote in a May 2019 internal e-mail. “There are 2 [quiz app] developers with over 90% of the apps from the list, AppBank ~42K [users] and Crowdstar ~5K [users], of which we have not been successful in reaching as only email bounce backs.”

Quiz app worries

Quiz apps were a particular concern, the ADI investigators said in the documents, “because the viral nature and business model of such apps make them well suited to deceptive collection of data for purposes of sale.” Among Crowdstar quiz apps listed in a document unsealed Friday were titles such as “What do people first notice about you?”, “What kind of smile do you have?” and “Who’s Your Guardian Angel?”

The ADI probe also focused on potential privacy problems from apps posted by developers in certain “high-risk jurisdictions,” including China, Vietnam, Ukraine, Cuba, Iran and Russia.

Some apps triggered heightened privacy concerns, such as an app called “Social Video Downloader” or “SVM,” created by a developer in India and ultimately installed by 11.2 million Facebook users. The ADI investigation led by the law firm Gibson Dunn concluded that the SVM app was engaging in phishing attacks aimed at getting more Facebook users to download the app.

"These guys created an app that prompted users to give up credentials, and then took access tokens. So no‐no," Alastair Agcaoili, a Facebook in-house lawyer, said in a 2019 internal chat in the newly unsealed records, many of which are marked in capitalized red type, "PRIVILEGED & CONFIDENTIAL – ATTORNEY ­CLIENT COMMUNICATION."

Data access

Like other apps taking advantage of Facebook’s liberal data-sharing policy, the SVM app was able to access the data not only of Facebook users who installed it, but also the likes, photos, videos, and profile information of the Facebook friends of people who installed it — users who would not have known or consented to the sharing of their information.

“The SVM app had access to a concerning amount of sensitive user data, most of which does not seem necessary to the function of the app,” a Gibson Dunn report concluded in June 2018.

“In addition to friends likes, photos, videos, and profile information, the app had the user_manage_groups permission, which would have allowed it to pull information from any group a user was an admin of. With a total user base of 9,230,213 (before May 1, 2015), the potential affected population and the amount of sensitive data at risk are both very high.”

By June 2018, the SVM app had failed a Facebook privacy policy check five times —  in February 2014, March 2014, February 2018, and twice in March 2018 —  but had not been taken down, the Gibson Dunn report said.

Crash program

The ADI documents show the major resources Facebook threw at the app problem, after Zuckerberg pledged in March 2018 that the company would “investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity.”

Two consultants — Stroz Friedberg and FTI Consulting — had nearly 200 people working on the ADI at Facebook under the direction of Gibson Dunn lawyers by September of 2018.

“Combined, they are producing about 150 background reports on escalated apps per week (total of 1,238 as of August 8),” one update said in 2018. "Stroz and FTI each have personnel onsite, which facilitates speedy interaction with multiple Facebook groups ... Stroz, FTI, and GDC, are constantly ready, and regularly called upon, to assist with high priority and other escalations ... Gibson Dunn has attorneys onsite daily, overseeing ADI and ready to handle rapid response escalations; there are often as many as 5 hipri diversions a day."

"Hipri" is used by technology companies to indicate "high priority."

Alleged whitelist

Plaintiffs in the app developer class action that produced these documents argued in a Dec. 22 settlement motion that through efforts such as these, Meta has slammed the door on access to so-called “friend sharing” data since the Cambridge Analytica scandal, although they told Chhabria that about 60 apps maintained “whitelisted” access to that data for years afterward.

Meta denied the whitelisting claim in a court filing Jan. 19. The company pledged in 2021 that it would no longer allow advertisers to buy targeted ads for users based on that massive warehouse of personal data that allowed targeting by race, political affiliation, sexual orientation, religion, or health.

Other documents among the thousands of pages of recently disclosed litigation records detail how, prior to that 2021 pledge, Facebook logged trillions of data points about its users in massive data repositories internally called the “Hive” that contained more than 20 million data tables, and how it formerly targeted ads to categories of users such as “High Dollar Religious Donor.”

Ad targeting

Starting in January 2022, however, Meta said it removed detailed ad-targeting options that relate to topics “people may perceive as sensitive, such as options referencing causes, organizations, or public figures that relate to health, race or ethnicity, political affiliation, religion, or sexual orientation.” Among the targeting options Meta said it would remove were tags such as “Lung cancer awareness,” “Catholic Church,” “Chemotherapy,” and “LGBT Culture.”

As Sandberg prepared for an important first media interview  the Cambridge Analytica story blew up in March 2018, she was receiving PR advice from Eugene Sperling, who had been a senior figure in the Clinton and Obama administrations.

Sperling suggested it would be  “dodging responsibility” to focus on “‘bad actors” on Facebook’s platform. Sandberg, however, seemed unpersuaded, responding with the email that cited "a MILLION developers."

For the plaintiffs, who shared only that fragment of Sandberg’s five-email exchange, the email was part of an argument for why a judge should grant them access to Sperling’s communications.

Sandberg and Zuckerberg were never deposed in the litigation. The plaintiffs said in recent court filings that they were on the verge of taking the sworn depositions of the two senior leaders as the litigation settled — a threat which could have given the plaintiffs leverage as they tried to negotiate the record settlement with Meta.

A Meta spokesperson declined to comment on Sandberg’s email or the other hundreds of unsealed documents this week.

In a statement the night of the settlement Dec. 22, Meta said it “pursued a settlement as it’s in the best interest of our community and shareholders. Over the last three years we revamped our approach to privacy and implemented a comprehensive privacy program. We look forward to continuing to build services people love and trust with privacy at the forefront.”

-With assistance from Amy Miller and Jenn Brice in San Francisco, and from Madeline Hughes in Washington.