Facebook says millions of people's posts were accidentally made public so anyone could see them

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

Millions of users' private Facebook posts were made public so that anyone could see them, the site has admitted.

The issue is just the latest privacy problem for the scandal-ridden company.

The bug meant that Facebook automatically switched the privacy settings on users' posts onto public, even if they had previously restricted them only to friends or to specific people. That meant that unless users saw the settings had changed, the posts could be seen by absolutely anyone.

The issue has now been fixed and only ever applied to new posts, according to Erin Egan, Facebook's chief privacy officer. The site will tell people who were affected and posted publicly during the several days it was active, and will tell them to check their posts.

The news follows recent furor over Facebook's sharing of user data with device makers, including China's Huawei. The company is also still recovering from the Cambridge Analytica scandal, in which a Trump-affiliated data-mining firm got access to the personal data of as many as 87 million Facebook users.

Jonathan Mayer, a professor of computer science and public affairs at Princeton University, said on Twitter that this latest privacy gaffe "looks like a viable Federal Trade Commission/state attorney general deception case." That's because the company had promised that the setting users set in their most recent privacy preferences would be maintained for future posts. In this case, this did not happen for several days.

Facebook's 2011 consent decree with the FTC calls for the company to get "express consent" from users before sharing their information beyond what they established in their privacy settings. Even if the bug was an accident on Facebook's part, Mayer said in an email that the FTC can bring enforcement action for privacy mistakes.

Facebook, which has 2.2 billion users, says the bug was active from May 18 until May 27. While the company says it stopped the error on May 22, it was not able to change all the posts back to their original privacy perimeters until later.

The mistake happened, that company said, when it was building a new way for people to share "featured items" on their profiles. These items, which include posts and photo albums, are automatically public. In the process of creating this feature, Facebook said it accidentally made the suggested audience for all new posts public.

When people post to Facebook, the service suggests and audience for their posts, based on past privacy settings. So if you made all your posts "friends only" in the past, it will suggest that you make your new post "friends only" too. You can still manually change the privacy of the posts — anywhere from "public" to "only me" — and this was the case during the bug's life span too.

Additional reporting by agencies