Facebook data on more than 3 million people who took a personality quiz was published on a poorly protected website where it could have been accessed by unauthorized parties, according to New Scientist. In a report exposing the potential leak, New Scientist says that the data contained Facebook users’ answers to a personality trait test. While it didn’t include users’ names, in many cases it contained their age, gender, and relationship status. For 150,000 people, it even contained their status updates.
All that data was supposed to be accessible only to approved researchers through a collaborative website. However, New Scientist found that a username and password that granted access to the data could be found “in less than a minute” with an online search, enabling anyone to download the trove of personal information.
The data was gathered by a psychology test called myPersonality, according to New Scientist. Around half of the test’s 6 million participants are said to have allowed their information to be anonymously shared with researchers. The team behind myPersonality let any researcher who agreed to use the data anonymously sign up to access the information that had been collected; in total, 280 people were given access, including employees of Facebook and other major tech companies, according to the report.
The basics here all sound remarkably similar to what happened with Cambridge Analytica, which gained access to information from more than 87 million Facebook users thanks to a personality test called thisisyourdigitallife. In both cases, the tests were initially made by University of Cambridge researchers. And both even had one researcher in common: Aleksandr Kogan.
Kogan was the creator of thisisyourdigitallife, and according to New Scientist, he was listed as part of the myPersonality project until mid-2014; it sounds as though the project began around 2009. The University of Cambridge told New Scientist that myPersonality was started before its creator joined the university and did not go through its ethics review process.
It’s not known whether the data was improperly accessed using the publicly available username and password. A Facebook spokesperson told New Scientist that the app was being investigated and would be banned if it “refuses to cooperate or fails our audit.” As part of its ongoing investigation into misuse of user data, Facebook said this morning that it had so far suspended 200 apps pending review. That included myPersonality.
While a leak of 3 million users’ data is far smaller than the 87 million obtained by Cambridge Analytica, the story still serves as another warning of how easily this information can spread around and just how detailed it can be. One of the bigger issues here is that, even though the data was supposed to be anonymized, New Scientist points out that it easily could have been re-identified using the extra Facebook information attached to each personality test.