It took Facebook months to ban this shady app after Cambridge Analytica

It took Facebook months to ban this shady app after Cambridge Analytica

Facebook announced this week it had made its first outright ban of an app in the company-wide audit it’s been working on since the Cambridge Analytica scandal earlier this year. The app in question had apparently been setting off red flags since April.

Ime Archibong, Facebook‘s VP of product partnerships, revealed Facebook banned an app called “myPersonality,” which hadn’t been active since 2012. According to him, the app was banned “for failing to agree to our request to audit and because it’s clear that they shared information with researchers as well as companies with only limited protections in place.” The app may have leaked the personal data of up to 4 million people, and Archibong said the company was reaching out to alert those people of the issue.

The app was, as you’d expect, a personality quiz. It asked users to share information from their Facebook profiles, and the information gathered was distributed to other researchers. As many as 280 people apparently had access to the full data set, both from universities and other companies such as Google and Microsoft.

Meanwhile, one of the  Cambridge University researchers who controlled the app’s datasets today fired back, deriding the ban as “purely for PR reasons” since the app hadn’t been in use since July 2012. Dr. David Stillwell told Business Insider that Facebook knew perfectly well what the app was for when it was active, even paying for him to attend a workshop on user data. He also said he never refused an audit, and insisted, “There was no misuse of personal data.”

It’s worth noting that, just as in the Cambridge Analytica case, it wasn’t Facebook itself who discovered the suspicious security flaws. The company apparently began investigating the app in April, when an investigation by the New Scientist revealed the researchers had indeed attempted to secure the data, but had stored it in a server easily accessed via a password publicly available on Github — presumably that’s what Archibong meant by “limited protections.”

Interestingly, New Scientist also noted there was another connection between the two apps: Aleksandr Kogan, the researcher who initially culled Cambridge Analytica’s user data via the “thisisyourdigitallife” quiz, was listed as a collaborator on myPersonality in 2014. Apparently Cambridge Analytica attempted to gain access to the datasets from the latter app, but were refused, according to Dr. Stillwell.

Archibong also mentioned it’d suspended over 400 suspect apps since the inspections began. The company announced the audit in the aftermath of the Cambridge Analytica kerfuffle, and it’s apparently still going through the apps which had access to user data prior to a 2014 rule change.

An Update on Our App Investigation on Facebook

Read next: Watch: Hoonigan tests Mario Kart banana peel attack with real Audi RS5