Under the microscope for a major data breach discovered in October and for allowing third party developers to access user information without sufficient consent, Facebook has found itself in hot water again.
After acknowledging on Friday that a bug in its photo API may have allowed third-party apps to access users photos for 12 days in September, the Irish Data Protection Commission (DPC) said it is investigating the incident as part of a broader inquiry into the company.
The DPC has European jurisdiction over Facebook because the company’s international headquarters is in Dublin.
“The Data Protection Commission has received a number of breach notifications from Facebook since the introduction of the GDPR (General Data Protection Regulation) on 25 May  2018,” the commission said in a statement. “With reference to these data breaches, including the most recent breach received, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”
This broad investigation could have serious consequences: Under the GDPR, the commission could levy a hefty fine. The maxium is four percent of a company’s annual reveune.
A Dec. 14 blog by Facebook engineeing director Tomer Bar said the photo API problem may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.
“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos,” he wrote. “We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.”
This week Facebook will roll out tools for app developers to let them to determine which people using their app might be impacted by this bug, Bar said. The company will work with those developers to delete the photos from impacted users. People potentially impacted by the bug will also be notified through an alert on Facebook, which will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.
Facebook also recommends people log into any apps with which they have shared their Facebook photos to check which photos they have access to.
