The complaint, which was filed with the FTC last month, alleges that “Facebook deceptively solicited patients to use its ‘Groups’ product to share personal health information about their health issues. Facebook has marketed this product as a Personal Health Record. Facebook then leaked to the public health data that those patients uploaded. At least in some cases, this was done contrary to the specific privacy decisions made by Facebook users.”
The issue came to light last summer when members of a group for women with the BRCA gene discovered that their personal information, including names and email addresses, could easily be downloaded in bulk, either manually or through a Chrome extension.
And while Facebook did make changes to Groups that ended the practice, the complaint explains that this did not fix the entire problem.
“While it is no longer possible for non-Group-members to download the member lists from thousands of Closed Groups and millions of users in a single attack, it is still possible to download the member list if you are a member of the Group,” according to the complaint, which was filed by a security researcher and BRCA advocates, among others. “We have seen some evidence in an uptick in ‘fake membership applications’ to a small sample of Closed clinical Groups. We believe that this could be the response of malicious actors who are now using Sock Puppet accounts that previously had generous access to Closed Group membership data, that are now seeking to restore their access.”
In addition, the complaint goes on to say that Facebook hasn’t been clear about what personal information users might be giving up when they join a group.