With more than 3 billion active users, Meta is among the greatest tech giants in the world today. Its social networking products – including Facebook, Instagram and WhatsApp – have found their way into the lives of millions and profoundly shaped communication around the world. But Meta, formerly known as Facebook, Inc., has repeatedly raised concerns regarding user privacy with a string of controversies that have shaken the world over the years.
As Meta scrambles to plug the sharing of private residential information across Facebook and Instagram on the Oversight Board’s advice by the end of 2022, here’s a timeline of everything that has gone wrong with the company’s privacy protection to date.
March 2022: Meta fined $19 million for data breaches
Meta was fined $19 million by the Irish Data Protection Commission (IDPC) following the conclusion of its inquiry into Facebook’s data breaches between June 7, 2018 and December 4, 2018. Around 50 million accounts were reportedly impacted, including by a software bug that enabled external developers to access photos of millions of users.
The IDPC, which is the European Union’s lead privacy watchdog for Meta, concluded that Facebook “failed to have in place technical and organisational measures.”
Meta responded by saying that “this fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information.”
September 2021: WhatsApp fails to explain user and non-user data processing
WhatsApp was ordered by the Irish Data Protection Commission (IDPC) to pay a staggering $266 million in fines for violating European privacy laws. The messaging app was slapped with the penalty after it failed to show transparency in its handling of personal user information.
According to the watchdog, violations were found in WhatsApp’s explanation regarding its processing of user and non-user data and its sharing with other Meta companies. The fine was among the biggest handed out for violating the General Data Protection Regulation (GDPR).
April 2021: Details of more than 530 million Facebook users spilled online
Measures taken by Meta to safeguard personal data of its users were questioned once again after details of more than 530 million Facebook accounts were made available online. Although old, the data could be accessed by hackers for free and reportedly carried information – including Facebook IDs, phone numbers, email addresses, locations, etc. – from 106 countries.
The information could be abused by cybercriminals to gain access to users’ login credentials and to impersonate them, according to security researchers. Since this bulk of information was now circulating publicly, Meta could only warn its users.
Meta responded to the massive data leak by attributing it to a vulnerability that the company claimed to have patched in August 2019.
June 2020: Meta admits improper data sharing with external developers
Meta revealed that it had improperly shared data of “inactive” users with third-party app developers. The issue, which enabled the developers to gain access to personal data, was diagnosed by engineers in June 2020 and was fixed by the following month. Meta admitted the blunder in a blog post published in July 2020.
The number of developers who could access personal user information stood at around 5,000. Going against Meta’s own newly implemented privacy policy (which barred developers from receiving user information if the users had not used the app in the past 90 days), the developers continued to gain information about users who had signed into their apps via Facebook.
September 2019: Massive trove of phone numbers exposed
Millions of phone numbers linked to Facebook accounts were found online as a result of a privacy blunder. The exposed server carried 133 million records on users based in the United States, 18 million records from the United Kingdom and around 50 million on those based in Vietnam. The database could be publicly accessed because the server was not protected with a password.
The massive exposure placed millions of Facebook users at risk of spam calls and other serious threats that could lead to a forced reset of their passwords on any internet account associated with the exposed phone number. The number of records on the server was later confirmed by Facebook to be “220 million”.
“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” a representative had said in a statement. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”
April 2019: Facebook uploads 1.5 million users’ email contacts
Meta said that it might have “unintentionally uploaded” the email contacts of nearly 1.5 million users to Facebook without their permission or knowledge. Users who had signed up from May 2016 onwards would have been impacted by the privacy lapse. According to Meta, the contacts were not shared with anyone and the company was taking them down.
The email contacts were unknowingly uploaded to the website by its users during the account verification process that required them to confirm their email address by signing into their account. According to Meta, this step was meant to help users find their friends and improve adverts.
“We’ve fixed the underlying issue and are notifying people whose contacts were imported,” said a spokesperson. “People can also review and manage contacts they share with Facebook in their settings.”
March 2019: Millions of passwords – including for Instagram – exposed to employees
In an explosive reveal, security researcher Brian Krebs reported that over 600 million passwords were stored by Meta in plaintext, a readable format that was easily accessible to the company’s 20,000 employees. A Meta source had disclosed to Krebs that the exposure could impact between 200 and 600 million users worldwide.
According to Paulo Canahauti, Meta’s vice president of security and privacy engineering, the glitch was diagnosed in January 2019. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable.”
Some of the searchable plaintext passwords went as far back as 2012. Canahauti claimed that the passwords were never accessible to anyone outside Meta and that there was no evidence that the data had been internally abused or improperly accessed. Subsequently, it was announced that the company would notify users whose passwords had been stored in the readable format.
“We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
December 2018: Meta shares data without user permission
Facebook’s data-sharing practices came to the forefront when a New York Times report revealed that the company allowed some of the world’s largest tech corporations to access personal user data, violating its own privacy rules. Meta’s trading of personal data with its business partners gave glaring insights into the tech giant’s priority for profits over user safety.
Meta reportedly sold user data to over 150 companies. The report suggested that streaming giants, including Netflix and Spotify, could intrude on a user’s privacy to the extent that they could even read their private messages. Meta was found to be running afoul of the Federal Trade Commission (FTC), which it had earlier assured that it would not share user data without “explicit” permission.
Meta responded by saying that their FTC agreement did not require them to seek user consent before sharing their personal information with companies that Meta considered to be “extensions of itself”. In the case of Netflix and Spotify, however, that explanation falls flat.
September 2018: 90 million users logged out of Facebook accounts following data breach
Meta announced that a massive data breach by hackers had placed over 50 million Facebook accounts at risk of malicious takeover. Following the breach, around 90 million users had been logged out of their accounts and would need to sign back in. For the 50 million users directly impacted by the breach, a notification would appear at the top of Facebook’s news feed.
Among the personal information that hackers had gained access to were profile names, genders, hometowns, etc. Meta found no evidence that the hackers were trying to break into private chats.
“This is a serious issue, and we’re committed to addressing it,” said Meta CEO Mark Zuckerberg. “This underscores that there are constant attacks from people who are trying to take over accounts or steal information from people in our community.”
May 2018: Private posts of 14 million users made public
The privacy settings of millions of Facebook users were changed without their knowledge by a bug that was active from May 18 to May 27, 2018. The content made public included posts shared with friends or in private groups. The following month, Meta announced that the bug had been removed and that the company would start notifying the 14 million users who had been impacted.
“Starting today [June 7] we are letting everyone affected know and asking them to review any posts they made during that time,” read a statement. “We’d like to apologise for this mistake.”
September 2018: Facebook exposes data of nearly 50 million profiles
At a time when the company’s handling of user data was already being questioned, Meta revealed that personal information of up to 50 million of its users had been exposed in an attack on its network. The attackers reportedly tampered with a feature in Facebook’s code which allowed them to slip into user accounts. Shortly after, Meta confirmed that it had brought the situation under control.
March 2018: More than 50 million users affected in Cambridge Analytica Scandal
Meta’s biggest and most profound privacy controversy to date, the Cambridge Analytica fiasco took the world by storm in 2018. Investigations unearthed that Facebook allowed Cambridge Analytica – a former British political consultancy – in on the personal data of nearly 87 million of its users. The data was harvested to build voter profiles for former US president Donald Trump, whose aide Stephen K Bannon was a board member at Cambridge Analytica. The data was subsequently deployed in the 2016 US presidential campaigns.
Zuckerberg broke his silence five days after the explosive leaks shrouded his company worldwide.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” he wrote in a Facebook post. “I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again.”
June 2013: Facebook bug exposes private contact information
The personal account information of nearly six million users was compromised after being exposed by a security bug. Among the information inadvertently shared were telephone numbers and email addresses. The data leak reportedly began in 2012 as a result of what Facebook termed “technical glitches” in its archive of contact information collected from 1.1 billion users.
“Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook,” the company explained in a post.
“As a result, if a person went to download an archive of their Facebook through Download Your Information (DYI), they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.”
The DYI tool was disabled for a day until the bug was fixed.
May 2010: Facebook shares user data with advertisers
A Wall Street Journal report pointed out how Meta violated its public privacy policy. Despite repeated promises, the company was found to be sharing user data with advertisers who could view detailed profile information of some users without their consent.
The “security loophole” was fixed following the backlash that followed the WSJ investigation. The process of data sharing provided clear insights into how Meta shared user data with the company’s business partners without the consent of its unsuspecting users.
December 2009: Previously private user information made public
Facebook caused quite a stir when it rolled out tweaks to its privacy settings. The company gave its 350 million users at the time more control over how they shared their content, including posts, photos, and videos on their profiles. But the status updates would now be visible publicly unless the settings were changed.
As a result of these changes, a user’s profile picture, city of location, gender, friends list, etc. would be publicly available.
“You will have the opportunity to customise even individual pieces of content when you upload a picture or a video,” stated Facebook.
December 2007: Facebook tracks users on the internet
Facebook plunged into a massive controversy with its launch of Beacon, an advertising programme. Beacon had the ability to track the activities of Facebook users elsewhere on the internet and blatantly monitored over 57 million users’ movement in the cybersphere. More than 69,000 people came together to sign a petition that called for the social networking site to “stop invading their privacy”. The controversy was followed by an apology by Zuckerberg.
“We’ve made a lot of mistakes building this feature, but we’ve made even more with how we have handled them,” he said in a blog post. “We simply did a bad job with this release, and I apologise for it.”
September 2006: Facebook introduces News Feed
Facebook introduced what would become the website’s most prominent feature – News Feed. The feature gave users a curated feed of what their friends had changed on their profiles. This relieved users of having to scroll through their friends’ profiles for updates.
Facebook’s latest offering was followed by protests from a number of people who did not like the idea of their activities being displayed on the website upon logging in. Facebook had eight million users at the time.