By Joe Pinkstone For Mailonline
09:55 EDT 13 Jul 2018, updated 09:56 EDT 13 Jul 2018
• The loophole in Facebook was first unearthed by the BRCA Sisterhood
• This ‘closed’ group was created for women living with a breast cancer gene
• Private information from members could be taken using a browser plugin
• Grouply.io obtained emails, names and locations of those in the private group
• The plugin is now disabled and Facebook has tweaked its privacy settings
Facebook has fallen foul of another data privacy risk
A loophole in the social network allowed third-party firms to siphon private information about members of closed Facebook groups.
The issue was exposed after BRCA Sisterhood, an online support network based on Facebook for women with a high genetic risk of breast cancer, discovered their personal information could be taken without their knowledge or consent.
After reaching out to a security researcher, BRCA Sisterhood discovered that a third-party plugin for the Google Chrome web browser could take emails, names and locations of members from closed groups.
The BRCA Sisterhood have raised concerns that personal information siphoned from the private groups could lead to discrimination from healthcare insurers and other companies.
Facebook has since closed the loophole used by the web browser plugin.
A Facebook loophole let marketing companies spy on people in private groups, stealing their private data. The privacy breach was discovered when a Facebook group that supports women with a breast cancer gene discovered a Chrome extension that obtained the information
The ability to siphon private information from users in ‘closed’ Facebook groups was first highlighted by a moderator of BRCA Sisterhood.
A third-party plugin, known as Grouply.io, enabled anybody to download the names, employers, locations, and email addresses of private group members.
Worse still, the members of the closed group would not be aware the data had been taken.
Facebook sent out a cease-and-desist letter to the developers behind the application. Grouply.io is no longer available to download for Google Chrome.
The Menlo Park-based company also closed the loophole that enabled the information to be taken from ‘closed’ groups.
A spokesperson for Facebook said shutting down the ability to view members of closed groups was a recent decision that was based on ‘several factors’, but was not related to outreach from the BRCA Sisterhood.
The women in BRCA Sisterhood use the private, members-only Facebook group as a support network to help get through living with the BRCA gene.
They grew concerned when they realised details of their condition were available, and could be uncovered by insurance companies and other third-party firms.
BRCA Sisterhood moderator Andrea Downing contacted a friend who works in cyber-security, Fred Trotter, after she discovered the privacy flaw.
Mr Trotter found that ‘closed’ Facebook groups were set up in a way which allowed third parties to find information on the members of the group.
Although the ability to find a list of members in a ‘closed’ group has always been available, Grouply.io was designed by marketers to obtain information on all of the members of a private group in bulk.
Facebook has since made changes to its privacy settings to stop the practice.
Social network users might not realise, but sharing information in a ‘confidential’ or ‘closed’ context on a website like Facebook does not carry the same protections as sharing it in a medical context.
‘A genetic test result like BRCA is protected by HIPAA [the Health Insurance Portability and Accountability Act] and it can’t be shared with marketers, if it is in a medical record,’ explained Deven McGraw, chief regulatory officer for Ciitizen, a health information sharing application, in an interview with CNBC.
‘But a social networking site is not covered by HIPAA.’
WHAT IS THE BRCA GENE?
Having a mutated BRCA gene – as famously carried by Angelina Jolie – dramatically increases the chance a woman will develop breast cancer in her lifetime, from 12 per cent to 90 per cent.
Between one in 800 and one in 1,000 women carry a BRCA gene mutation, which increases the chances of breast and ovarian cancer.
Both BRCA1 and BRCA2 are genes that produce proteins to suppress tumours. When these are mutated, DNA damage can be caused and cells are more likely to become cancerous.
The mutations are usually inherited and increase the risk of ovarian cancer and breast cancer significantly.
When a child has a parent who carries a mutation in one of these genes, they have a 50 percent chance of inheriting the mutation.
About 1.3 percent of women in the general population will develop ovarian cancer; this increases to 44 percent of women who inherit a harmful BRCA1 mutation.
After Facebook sent a cease-and-desist letter to the application’s developers, the plugin is no longer available. Facebook is trying to build its reputation back up after a string of privacy concerns have rocked the firm in recent times (stock)
According to a spokesperson for Facebook, speaking to Mr Trotter: ‘Our Groups team has been exploring potential changes related to group membership and privacy controls for groups, with the goal of understanding whether providing different options can better align the controls with the expectations of group administrators and members.
‘That work is ongoing and may lead to changes that address some of your concerns going forward.’
Facebook has been rocked by a string of privacy concerns in recent months.
The social networking company is working to restore faith in its services after the Cambridge Analytica scandal earlier this year, in which 87 million people had their data shared with the political consultancy firm.
Facebook has also come under scrutiny after Russian trolls used the social network to meddle in the 2016 US presidential election.
WHAT IS THE CAMBRIDGE ANALYTICA SCANDAL?
Communications firm Cambridge Analytica has offices in London, New York, Washington, as well as Brazil and Malaysia.
The company boasts it can ‘find your voters and move them to action’ through data-driven campaigns and a team that includes data scientists and behavioural psychologists.
‘Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections,’ with data on more than 230 million American voters, Cambridge Analytica claims on its website.
The company profited from a feature that meant apps could ask for permission to access your own data as well as the data of all your Facebook friends.
This meant the company was able to mine the information of 87 million Facebook users even though just 270,000 people gave them permission to do so.
This was designed to help them create software that can predict and influence voters’ choices at the ballot box.
The data firm suspended its chief executive, Alexander Nix, after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump.
This information is said to have been used to help the Brexit campaign in the UK.