Facebook recently closed a privacy loophole that allowed third parties to discover the names of people in private, "closed" Facebook groups. A Chrome extension that was made specifically for marketers to harvest this information en masse was also shut down prior to Facebook's move, after the social media network issued a cease-and-desist letter to the application's makers earlier this year, according to a spokesperson. Facebook's decision came after members of a private group for women with a gene mutation associated with a higher risk breast cancer complained, concerned that their names might be exposed and open them to discrimination from insurers or other privacy violations. A spokesperson for Facebook said shutting down the ability to view members of closed groups was a recent decision based on "several factors," but was not related to this group's outreach. The privacy issue comes at a time when Facebook is trying to re-position itself as a gathering place for friends, family and those with common problems and interests, in an effort to shake off negative connections to malicious online trolls, political rancor and alleged widespread violations of privacy. Facebook has also prioritized “groups” as a business strategy, with Mark Zuckerberg telling CNN last year: “If what you’re trying to do is run a group that has thousands of people, you need tools to help manage that.” The company is also dealing with fierce regulatory scrutiny, particularly in the European Union, where new General Data Protection Regulation has expanded the definition of "personal data" far beyond social security numbers, to include the kind of data, like locations, names and genetic markers, that had been available publicly on members of Facebook's closed groups.

A women’s health group that wanted privacy

Andrea Downing helps moderate a members-only group for women that have a gene mutation associated with a higher-risk breast cancer, called BRCA. The group is kept closed, and the women who are members of it often don't want their identities known. The group did not use Facebook's most restrictive privacy setting, "secret," because that would have made it invisible to people searching the site. Downing said women who join the BRCA Sisterhood Facebook group are often dealing with private issues that make them feel vulnerable, and social media had offered an inviting way to share their stories intimately with other women experiencing the same concerns. Privacy has always been top-of-mind for the Sisterhood community and other groups and others that cater toward BRCA-positive women, she said, because members post pictures of surgical procedures and share private stories of their experiences managing the health matter. Downing grew concerned about the privacy of group members when she discovered an extension for the Chrome web browser called Grouply.io, which she saw could allow her to easily download names, employers, locations, email addresses and other personal details of all 9,000 people who had signed up for the group. She contacted a security researcher she knew who specialized in health care data, Fred Trotter, to see if her concerns were warranted. Trotter discovered that "closed" Facebook groups had a privacy loophole that would make it possible for third parties to discover the names of people in them, and that the Grouply.io application was made specifically for marketers to harvest this information en masse. Requests for comment submitted to a forwarding email for the Grouply.io application, which is no longer available, were not answered. Trotter further discovered he could glean these details manually, without use of the browser extension. On May 29, he submitted a report on the problem to Facebook. A Facebook spokesperson said the social media network had previously made member lists for closed groups "viewable," but the ability to download the full list at once was not a feature on the platform. On June 20, Trotter and the BRCA members received a response from Facebook, which included an acknowledgement that member lists for these closed groups were available publicly. According to the Facebook response provided by Trotter, a company representative said: "Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members. That work is ongoing and may lead to changes that address some of your concerns going forward." A Facebook spokesperson confirmed the interaction and said the company continues to emphasize its commitment to the groups concept in allowing individuals to share sensitive experiences. Members of the BRCA group replied to Facebook that they were dissatisfied with the response on June 26. By June 29, the ability to harvest details in this way was shut down on Facebook, according to Trotter and Downing.

Social networking site not covered by HIPAA