Facebook disclosed a new privacy blunder on Thursday in a statement that said the site accidentally made the posts of 14 million users public even when they designated the posts to be shared with only a limited number of contacts.
The mixup was the result of a bug that automatically suggested posts be set to public, meaning the posts could be viewed by anyone, including people not logged on to Facebook. As a result, from May 18 to May 27, as many as 14 million users who intended posts to be available only to select individuals were, in fact, accessible to anyone on the Internet.
“We have fixed this issue, and, starting today, we are letting everyone affected know and asking them to review any posts they made during that time,” Facebook Chief Privacy Officer Erin Egan said in the statement. “To be clear, this bug did not impact anything people had posted before–and they could still choose their audience just as they always have. Wed like to apologize for this mistake.”
The statement said that Facebook technicians stopped automatically making private posts public on May 22, but that it took them another five days to fully restore privacy settings for all the affected posts.
The bug occurred as Facebook developers were creating a new way to share photos and other featured items in user profiles. In the process, the developers accidentally suggested all new posts be set to public, rather than just the featured items. Normally, Facebook makes it possible for users to share photos, text, or video only with family members, work colleagues, or other specially designated contacts and preventing anyone else from seeing the content. The bug caused such posts to be viewable to anyone.
Thursdays disclosure comes three months after The New York Times reported that in 2016, Facebook provided personal data for more than 87 million users to Cambridge Analytica, a political firm with ties to Donald Trumps presidential campaign. The social network has since worked to assure users and politicians around the world that it will give users more control over who gets access to their posts, contact lists, and other personal data.
Starting Thursday, Facebook started notifying the 14 million users affected by the bug that some of their private posts had been made public. Facebook is also referring users to this privacy basics page.
“We've heard loud and clear that we need to be more transparent about how we build our products and how those products use your data—including when things go wrong,” Thursdays statement read. “We expect that this kind of on-platform notification is something which people might see more of over the coming months as we try and do more (and better) to detect and fix issues before they affect people's experience.”
[contf] [contfnew] 
Ars Technica
[contfnewc] [contfnewc]
