The data consulting firm Cambridge Analytica, which harvested as many as 87 million Facebook users' personal data, also could have accessed the private inbox messages of some of those affected. Facebook slipped this previously undisclosed detail into the notifications that began appearing at the top of News Feeds on Monday. These alerts let users know whether they or their friends had downloaded a personality quiz app called This Is Your Digital Life, which would have caused their data to be collected and potentially passed on to Cambridge Analytica.
Facebook buried the disclosure in the details about what information was compromised: "A small number of people who logged into 'This Is Your Digital Life' also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you."
'The harvesting of personal Facebook messages wasn't disclosed, yet again, until the last second.'
Jonathan Albright, Columbia University
A Facebook spokesperson confirmed that the app, which was designed by Cambridge University researcher Aleksandr Kogan to collect data on Americans on behalf of Cambridge Analytica’s British counterpart SCL, requested access to user inboxes through the read_mailbox permission. Unlike the collection of specific user friend information, which Facebook says it phased out in April 2015 unless both people had downloaded the same app, the read_mailbox permission wasn't fully deprecated until that October.
Users had to agree to give apps access to their inboxes, but that request for highly personal information would be bundled up with a list of other more benign data points, including birthdays or profile pictures. It's possible some users approved this access, never knowing how much of themselves they were giving up, not just to Cambridge Analytica, but to every app that requested these permissions until