Facebook Nixes Worrying Loophole That Put Vulnerable Closed Groups at Risk

By Rhett Jones

Facebook has quietly changed its privacy settings for closed groups, eliminating the option of manually viewing members' private information, and, after it threatened legal action, a Chrome extension that made it possible to download the details of all group members at once has been shut down. But the question of why this was possible in the first place still lingers.

According to CNBC, the privacy loophole was still in place as recently as last month. It came to the outlet's attention through the story of Andrea Downing, a moderator of a closed group that provides a gathering place for women who carry a mutation in a BRCA gene, which puts them at higher risk of breast cancer. From the report:

Downing said women who join the BRCA Sisterhood Facebook group are often dealing with private issues that make them feel vulnerable, and social media had offered an inviting way to share their stories intimately with other women experiencing the same concerns. Privacy has always been top-of-mind for the Sisterhood community and other groups that cater toward BRCA-positive women, she said, because members post pictures of surgical procedures and share private stories of their experiences managing the health matter.

Downing grew concerned about the privacy of group members when she discovered an extension for the Chrome web browser called Grouply.io, which she saw could allow her to easily download names, employers, locations, email addresses and other personal details of all 9,000 people who had signed up for the group.

Though members' personal expectation of privacy is enough to cause concern on its own, Downing also had very real worries that members could be discriminated against by insurers or targeted by other corporate interests. She reached out to Fred Trotter, a security researcher who focuses on healthcare data, for a professional opinion on whether she should be worried.

Trotter confirmed her fears: the Grouply extension was designed for marketers to quickly scoop up members' profile details such as names, employers, locations, and email addresses. According to online how-to guides, a user of the extension would still have to be admitted to the group first; the extension automated the collection of data that any member could already see one profile at a time.

The Grouply extension is no longer available, and all information has been scrubbed from its website. No one from the company responded to our request for comment.

In late May, Trotter contacted Facebook about the issue. A month later he received a response explaining that it is possible to manually view the members of closed groups, but that downloading the full member list with personal details is not a Facebook feature. That bulk download was, of course, exactly what third-party tools like Grouply provided. The response read in part:

Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward.

On June 26, the group expressed its concerns about Facebook's response; three days later, the company's policy had changed.

We reached out to Facebook to ask exactly when its approach to closed groups changed, why this was a feature in the first place, and whether it had notified the public about the change in any way. We did not receive an immediate reply. A spokesperson did tell CNBC that the decision was based on "several factors", though the BRCA Sisterhood Facebook group was not one of them.

The combination of users being unaware of their privacy risks on Facebook and the company's permissive approach to third-party access to data is a constant issue. The fact that even closed groups could not have a reasonable expectation of privacy is a particularly stark demonstration of how much trust users should extend to the network. [CNBC]