This story is over 5 years old.


Facebook waited 16 days to tell people their private posts were actually public

While Congress refuses to act on a bill that would require companies to disclose breaches within 72 hours.

On Thursday, Facebook revealed that a bug in a new feature it was testing had made public posts that 14 million of its users thought were private. The company reportedly knew about the problem on May 22, but they waited 16 days to disclose it.

Facebook will not say why it delayed the announcement for so long, but because of lax regulations in the U.S. the company is under no obligation to disclose the information in a timely manner. And despite Congress appearing to come down hard on CEO Mark Zuckerberg, during congressional hearings last month, proposed bills that would put stricter rules on the Silicon Valley giant appear to be going nowhere fast..


Back in April, in the wake of Zuckerberg’s 10-hour marathon sessions in front of the House and Senate, Democrat Sen. Amy Klobuchar and Republican Sen. John Kennedy, introduced a bill to protect the privacy of users’ online data. Among the rules it would put in place was a mandate that consumers be told about a privacy violation within 72 hours. But since then support for the bill has been almost non-existent, and there has yet to be a single hearing.

If such legislation were in place today, Facebook would have breached it by almost two weeks. However, there appears little appetite in Congress to impose regulations on Silicon Valley, and instead, companies like Facebook are allowed to self-regulate.

Read: Facebook shared data with a Chinese company the U.S. considers a security risk

On May 18 Facebook began testing a new feature for “building a new way to share featured items on your profile.” For the next four days a bug in that new feature meant that all posts made by the 14 million people testing it were set to public — even if users meant them to be private.

After the bug was spotted May 22 it took Facebook five days to manually go back through all posts of the users affected and change the setting from public to private — even if some of those posts were intentionally meant to be public.

Those 14 million users — which represents a tiny fraction of the company’s 2.2 billion user base — will get a notification when they log into Facebook urging them to “Please Review Your Posts” and a link to a list of what they shared on Facebook while the bug was active.


It is unclear why Facebook has waited until 11 days after all posts were fixed to inform users about the problem. The company didn’t respond when asked about the delay Friday.

Facebook has also declined to say where the affected users are located, and that could have a major bearing on whether Facebook broke the law.

If, for example, some of the users are based in Europe, under the EU’s new strict data protection rules, companies like Facebook are required to report data breaches within 24 hours of first detecting it to the relevant authority.

In this case, it would Ireland’s Data Protection Commissioner where Facebook’s international headquarters is based. The commissioner didn’t immediately respond to a question about whether or not Facebook has been in touch about this issue.

Read: Apple really is starting a war with Facebook over privacy

Facebook has attempted to downplay the significance of the breach. “To be clear, this bug did not impact anything people had posted before, and they could still choose their audience just as they always have,” the company said in a blog post on Thursday.

While it is true that those affected could choose to change the setting back, they would have no reason to believe their settings were changed without their consent or knowledge.

It means that posts people only intended to share with their friends could have been made public, letting everyone from your boss, parents, or your ex partners see what you were posting.


Facebook on Thursday questioned how the bug was reported in the media, saying on Twitter that “no private posts were made public.” But the 14 million people affected did not know they were making public posts — because the company didn’t tell them.

As well as Klobuchar and Kennedy’s Social Media Privacy and Consumer Rights Act, a separate piece of legislation, known as the CONSENT Act, would also empower the Federal Trade Commission to enact regulations requiring companies like Facebook to notify consumers if a data breach occurs and “harm is reasonably likely to occur.”

Neither Kennedy nor Klobuchar responded to a request for comment on Friday, but earlier this week Klobuchar once again called for more regulation following revelations that Facebook shared user data with dozens of electronics manufacturers, including Chinese companies like Huawei.

“I’m extremely concerned that we are just now learning that even more personal user data was provided without consent,” Klobuchar said. “That’s why my focus is on protecting consumers’ privacy online and promoting transparency in how their data is handled—which is why we need to pass my bipartisan bill with Senator Kennedy.”

Cover image: Mark Zuckerberg, chief executive officer and founder of Facebook Inc., waits to begin a joint hearing of the Senate Judiciary and Commerce Committees in Washington, D.C., U.S., on Tuesday, April 10, 2018. (Photo: Andrew Harrer/Bloomberg via Getty Images)