
Newly reported data leak affected 4 million Facebook users

The app, myPersonality, was made a verified application on Facebook in 2009.


Christina Bonnington


Cambridge Analytica wasn’t the only company taking advantage of Facebook’s lax data protection policies. An app called myPersonality also reportedly leaked data on 4 million Facebook users to third-party companies.

The app’s creators, however, paint a different picture of the situation.

myPersonality was mostly active on Facebook before 2012, Facebook Vice President of Product Partnerships Ime Archibong wrote in a blog post. The app was banned Wednesday for reportedly failing to agree to an audit request, and because it was clear the app shared information on users with both outside companies and researchers. Roughly 4 million Facebook users accessed the app, and as far as Facebook is currently aware, information from friends was not accessed. Facebook will begin notifying users who participated in the app.

According to Facebook, it would appear that myPersonality simply misused access to Facebook data. The researchers behind myPersonality, David Stillwell and Michal Kosinski, offer a different view in an explanation they penned online in May.

According to the researchers’ website, the app was created in 2007 as a way for people to participate in psychological research. Users completed a personality questionnaire and were given a score in return. Users could opt in to give their data for research, and 40 percent of participants did so. The app shut down in 2012. According to its explanation, written in May when the app was first suspended from Facebook, no information was sold to third-party companies for commercial purposes.

Developers maintain that they did not break any Facebook rules—in fact, Facebook invited the app’s founder, Stillwell, to a Silicon Valley workshop centered on promoting the role of Facebook data in academic research in 2011. As recently as 2015, Facebook invited Kosinski to present myPersonality-related research as part of a Facebook-organized academic symposium at a Society for Personality and Social Psychology annual meeting.

The researchers do admit that there was one instance where data was potentially “leaked”:

In April 2018, it was brought to our attention that one of the scholars who had access to our anonymized data (a professor at a prestigious American university) put their login credentials in a file intended to be shared with their students on Github, an online code repository. However, the file was publicly available on the Internet, which is clearly a breach of the terms that academics agreed to when requesting a collaboration with myPersonality. Once we learned of this, we closed their account.

Stillwell responded to questions about the situation with a statement to the Daily Dot. He believes Facebook’s press release is “misleading in a number of respects.” For example, Facebook has long been aware of the application’s use of data for research—Facebook even “certified the app as compliant with their terms by making it one of their first ‘verified applications’” in 2009, beyond engaging with the researchers and their published works for many years.

“It is therefore odd that Facebook should suddenly now profess itself to have been unaware of the myPersonality research and to believe that the data may have been ‘misused,’” Stillwell said.

Stillwell also disputes the claim that his app refused to undergo an audit. “Facebook knows that I was and remain willing to provide any information to which they are entitled under their terms of use,” Stillwell said. “For four months I have been asking them to identify any specific breach of those terms, but they have been unable to do so.” And as far as he is aware, he says, all parties involved in the myPersonality project acted ethically, lawfully, and in good faith at all times. 

While its activities and research prior to 2018 may have been justified—or even embraced—by Facebook, in the post-Cambridge Analytica era, the company decided that the app dataset was “too loose,” and that the data was “not adequately anonymized.” If any user data was improperly shared or stored, it does not appear to be on the same scope (or with the same weaponized intent) as with Cambridge Analytica.

The situation seems to be an example of Facebook’s changing attitudes toward researcher and third-party access to user data—something that was a free-for-all in its early years, and something much more closely guarded today.

H/T Variety


The Daily Dot