Facebook has been struggling to keep its data privacy woes at bay this week, between banning apps on its social media platform – and pulling its own app from Apple’s store.

Facebook was hit with a double privacy punch on Wednesday. First, Facebook acknowledged in a public post that one of the apps on its platform, myPersonality, inappropriately shared 4 million users’ data with researchers. Also on Wednesday, The Wall Street Journal reported that Facebook pulled its data security service, Onavo Protect, from Apple’s official App Store after Apple said that the app violated its data collection policies.

Facebook responded: “We will continue to investigate apps and make the changes needed to our platform to ensure that we are doing all we can to protect people’s information.”

The news comes as privacy experts are pushing the social media giant to double down on its efforts around social media data privacy – especially on the heels of the backlash around the Cambridge Analytica scandal in March.

The recent incidents also offer a behind-the-curtain look at how the giant is still struggling to navigate data privacy.

myPersonality Ban

Facebook VP of Product Partnerships Ime Archibong said on Wednesday that the company will ban an app called myPersonality and notify the roughly 4 million impacted users after discovering that the app had misused information collected from them.

“Today we banned myPersonality — an app that was mainly active prior to 2012 — from Facebook for failing to agree to our request to audit and because it’s clear that they shared information with researchers as well as companies with only limited protections in place,” Archibong said in a post.

myPersonality was a Facebook app, created in 2007, that enabled users to participate in psychological research by filling in a personality questionnaire, and then offered them feedback on their scores. David Stillwell, the creator of the app, did not respond to a request for comment on the situation from Threatpost.

“As well as the data from the tests, around 40% of the respondents also opted in to share data from their Facebook profile, resulting in one of the largest social science research databases in history,” according to the app project’s website. “The application was active until 2012 and collected data from over 6 million volunteers during this time. This data was anonymised and samples of it were shared with registered academic collaborators around the world through the myPersonality project, resulting in over 45 scientific publications in peer-reviewed journals.”

Facebook did not specify which data was passed to researchers, or where the violations occurred. There is no current evidence that myPersonality accessed the Facebook “friends” of those impacted – though that may change, Facebook said.

But apps passing data to outside third parties is a sore spot for Facebook. In March, the company’s firestorm around data privacy and misuse started with an app developer violating the company’s platform policies by collecting data via an app under the pretense of using it for psychological research – and instead passing users’ personal information to Cambridge Analytica and its parent company SCL.

myPersonality is only one of many apps that the company has looked at – Facebook said that since March, it has investigated thousands of apps, and suspended 400 of those due to concerns around data misuse and user data privacy.

Interestingly, last week one of those initially suspended apps, Crimson Hexagon, announced that it has been un-suspended from Facebook’s platform.

Facebook, in July, said it had suspended Crimson Hexagon due to concerns about the collection and sharing of data. The company launched an investigation into whether the Boston-based company’s collection of public user data violated its policies concerning the use of data for government surveillance.

Fast forward to last week: Crimson Hexagon announced that it has been reinstated on Facebook and that its customer base will once again be able to access those data sources.

“Several of Facebook’s questions focused on a small number of our government customers, which represent less than 5 percent of our business,” said Dan Shore, senior vice president with Crimson Hexagon in a post. “Historically, we have vetted potential government customers similar to our other customers — with a goal of understanding their proposed use of our platform in order to make them successful. To our knowledge, no government customer has used the Crimson Hexagon platform for surveillance of any individual or group.”

Onavo Protect

In another turn of events around data privacy, Facebook’s data security app Onavo Protect was pulled from Apple’s App Store after Apple said it violated its data policies, according to The Wall Street Journal report.

Onavo Protect is a mobile VPN app that encrypts users’ personal information and monitors their data to help customers manage their mobile data usage and limit apps that consume large amounts of data.

Onavo Protect, which was acquired by Facebook in 2013 and alerts customers when they visit a potentially malicious website, was collecting and analyzing users’ behavior to understand customer activity outside of Facebook’s app, the report alleged.

Facebook confirmed to Threatpost that it pulled the app from Apple’s App Store. However, “We’ve always been clear when people download Onavo about the information that is collected and how it is used,” a spokesperson told us. “As a developer on Apple’s platform we follow the rules they’ve put in place.”

According to the report, Onavo Protect violates Apple’s developer agreement, which prevents apps from utilizing data that is not relevant to their purpose. The app also did not follow new rules that Apple unveiled earlier this summer to limit developer data harvesting. Onavo Protect’s website shows that the app is still available on Android.

Between the Onavo Protect incident and its investigation of apps on its own platform, it’s clear that Facebook is struggling to navigate the data privacy policy landscape in an environment filled with data, experts say.

“The [March] Facebook breach made it clear: social media platforms need to be completely transparent and ask for double opt-in,” Andrew Avanessian, chief operations officer at Avecto, told Threatpost. “We need these platforms to have different incentives than they have in the past and dedicate their companies to protecting user data. There needs to be a fundamental overhaul for social platforms. Data privacy is everyone’s issue and I think it will make developers stop and think about how they are using other people’s data.”

Morten Brøgger, CEO of Wire, agreed: “Every company and customer has the right to know where their data is going and how it is being used,” he said. “Businesses need to choose which applications they use wisely, and should only allow those which are fully open sourced and independently audited to be used in the business setting.”