Are You Kidding Me, Facebook

By Tom McKay

Facebook is currently dealing with the fallout of a massive attack that compromised site security and allowed hackers to seize the access tokens of roughly 50 million accounts, potentially giving them full control of both the accounts and linked apps. It is still sorting out what user data might have been stolen. Amid all this, Facebook is also extending its grip on how long it can keep account deletion requests in hiatus from two weeks to a month, the Verge reported on Wednesday.

Here’s what that means. When a user tries to delete their Facebook, the site holds on to all of their data for a period of time in case they decide they want to come back. That used to be 14 days, and now it is conveniently a month, right around the same time users might be getting antsy that hackers were able to get past the site’s core security measures. The Verge wrote:

Facebook won’t automatically restore your account if you log in, but it says you will have “the option to cancel your request.”

“We recently increased the grace period when you choose to delete your Facebook account from 14 days to 30 days,” says a Facebook spokesperson. “We’ve seen people try to log in to accounts they’ve opted to delete after the 14-day period. The increase gives people more time to make a fully informed choice.”

It’s not clear when the decision was made, or whether it predates September 25th, when the company says it became aware of the hack. (Gizmodo has reached out for comment, and we’ll update this post if we hear back.) Even if the updated data retention policies have nothing to do with the security incident, that still doubles the amount of time Facebook is able to hold user data after users decide they want out – essentially making it harder for them to manage their own privacy and security so that the company can try to squeeze more data out of users at a time when growth is stalling.

If this does have something to do with the hack, a less charitable interpretation is that Facebook is hoping that users who decide they’re done will change their minds, or at least make it so their data lingers in its servers just a little longer. Given Facebook has not clarified what user information could have been compromised – all it’s said is that it found “no evidence that the attackers accessed any apps using Facebook Login,” which still leaves a lot unclear – it could also be bracing for any potential findings that sensitive user data was stolen.

In any case, Facebook clearly wants to make users wait longer before they can pack up and leave. That includes users who have already concluded it can no longer be trusted. [The Verge]