The way the photo API is supposed to work is as follows: When you give an app permission to access your Facebook photos, that app is only supposed to gain access to the ones you’ve posted on your timeline.
The photos you’ve uploaded but have not shared are supposed to be strictly off limits.
Unfortunately, that’s not the case at all. According to a statement released by the company, some fifteen hundred apps controlled by 876 developers had access to every photo that users of those apps had uploaded to Facebook, whether they were a part of that user’s timeline or not.
The company reports that the bug has now been fixed, but that between September 13th and September 25th of 2018, app developers had access to all photos.
The obvious question is, if the company knew about the issue back in September, and they’ve already fixed it, why is it that we’re only hearing about it now?
The company’s explanation is both thin and weak. A Facebook spokesman simply stated that it took time to investigate the matter, including finding out which apps and users were impacted by the bug, and then to build the warnings (including translations into multiple languages) for the potentially impacted users.
Be that as it may, the standard protocol for such incidents has been immediate notification, followed by ongoing investigation and official notices sent to impacted parties.
Facebook issued a standard, terse apology, but has not offered any additional explanation as to why the disclosure was such a long time coming. It’s unlikely that we’ll get an explanation beyond the one already given, unsatisfying or not.
This is but the latest in a long stream of similar “incidents” the company has reported on in recent months. One wonders how many more terse apologies we’ll be seeing in the months ahead.