Facebook's app cleanup may be harder than Mark Zuckerberg thinks

CNET found now-defunct apps from Apple and Samsung on Facebook that had access to all kinds of data about you and your friends. They're unlikely to be the only ones.

Shara Tibken Former managing editor

Facebook is facing one of the biggest crises in its history.


Just how difficult is it going to be for Facebook CEO Mark Zuckerberg to clean up the world's largest social network and make sure apps aren't there waiting to potentially exploit your data?

Maybe even harder than he thinks, given what we found after just a quick check of some of the apps linked to our own profiles. Those include software from Apple and Samsung, the world's two biggest smartphone makers, that haven't actually existed on their devices for years.

A look at what those apps could access may freak you out. Some of these so-called legacy apps required user data as varied as your friends' religions, relationship statuses and photos. Bet you didn't know you still had them. Even developers may not be aware their old apps are still hanging out on Facebook.

Lucky for all of us, Apple and Samsung are used to securing user data and said they never actually kept the information on their servers. In Apple's case, it didn't even pull friend data to start with, aside from the list of who your friends were. In fact, neither company offers these kinds of Facebook apps anymore, and the ones that show up on your Facebook account are linked to devices that are several years old. One, from Samsung, goes back as far as feature phones and the days before Facebook even had a mobile app.


Samsung's old Samsung Mobile app required access to 36 different types of information about you and your friends. 

Screenshot by Shara Tibken/CNET

The fact that they may remain in your account shows just how big of a mess Zuckerberg has to clean up. Facebook is facing backlash about how poorly it's handled legacy apps -- failing to do even a basic level of housekeeping after promising in 2014 to restrict their access to your information. That's why the social networking titan is coping with one of the biggest crises in its 14-year history.

News broke last week that information from more than 50 million Facebook users was obtained without permission by Cambridge Analytica, a data analytics firm hired by the Trump campaign for the 2016 presidential election. Personal info from about 300,000 users was originally collected in 2013 for a personality quiz app called "thisisyourdigitallife," designed by Aleksandr Kogan, a Cambridge University researcher. Because of how Facebook worked at the time, Kogan was able to access data from "tens of millions" of friends of those users and share the information with Cambridge Analytica, the Facebook chief executive said on Wednesday.

Zuckerberg apologized to the social network's 2.2 billion users and said he's finally doing something about the app exploit. He vowed to investigate all apps that had access to large amounts of information and "conduct a full audit of any app with suspicious activity." The apps to be investigated will number in the thousands, Zuckerberg told The New York Times. He also said apps that haven't been used in three months will lose access to your data. And for all apps moving forward, Facebook plans to give third-party app developers only your name, profile photo and email address when you sign into apps via Facebook.

"You should not have to sign away your soul and kiss privacy goodbye to use some of the most popular platforms in the world," said Gennie Gebhart, a researcher at the privacy-oriented Electronic Frontier Foundation.

Old Galaxies

In the case of Samsung, it released several apps over the years that linked its phones to Facebook. They went as far back as feature phones and devices that couldn't actually run a Facebook app. But some apps were included on phones as recent as 2012's Galaxy S3 and Note 2, 2013's Galaxy S4 and Note 3, and 2014's Galaxy S5 and Note 4.

Those smartphones were some of the most popular Samsung has ever made and helped it become the world's biggest phone vendor. Counterpoint Research analyst Neil Shah estimated that sales of the particular devices we mentioned together totaled 348 million.


One app, called Samsung Mobile, required permission for access to 36 pieces of information about you and your friends. That ranged from your timeline posts to your friends' photos and religious and political views. Another, the Galaxy S4 app, required far less information about your friends -- only their birthdays, status updates, events, photos and videos.


Samsung said in a statement that it needed access to the data to make it easier for its customers to use Facebook to log in to certain now-defunct Samsung services, such as Samsung Social Hub, an inbox to group messages from all your different services -- emails, instant messages, texts and social media -- in one place.

"Samsung takes customer privacy very seriously, and we design our products with privacy and security top of mind," the company said in a statement. It added that data received by the apps through the Facebook login system hasn't been transferred or stored outside the user's device without the user's permission. And it used the data only for its specific services, no other purposes, the company said.

None of those services still exist, and the apps, while still showing up in Facebook user account settings (like ours), have been discontinued.

Defunct iPhotos

It's the same case with Apple's iPhoto, Aperture and iMovie. The apps required access to certain friend information, such as your friends' relationships, birthdays and status updates, among other items.

At the time, Apple said it had a custom integration with Facebook to make it easy to share photos and videos to the social networking site from its iPhoto and Aperture photo editing and management programs.


Apple's iPhone app used to let you post photos directly to Facebook. 

Screenshot by Roger Cheng/CNET

But Apple said it never accessed any of the data, aside from a user's friend list. The information was never sent to an Apple server or iCloud but was stored only on the user's device to make it easier to tag friends in photos, the company said. And Facebook didn't have access to all photos and videos on an iPhone or Mac, only the items a user shared on the social network.

Apple stopped development on iPhoto and Aperture in 2014 in favor of its new Photos app. Its integration with Facebook ended in 2016.

Apple has become a big proponent for user privacy in the past several years. CEO Tim Cook has even warned, in multiple interviews, about the dangers of social media and other free online services. In a 2014 interview with Charlie Rose, Cook said that "everyone has to ask, how do companies make their money? … If they're making money mainly by collecting gobs of personal data, I think you have a right to be worried. And you should really understand what's happening to that data. And companies, I think, should be very transparent about it."

Future regulation?

Zuckerberg and Facebook Chief Operating Officer Sheryl Sandberg apologized to users and others this week for the breach of trust. Along with better policing the data that third-party apps can access, they also plan to make it easier for users to see what information about them has been shared.

The executives also said they'd be open to government regulation, particularly as it relates to ad transparency, and Zuckerberg said he might testify before Congress -- if he was the person at Facebook with the most information about the topic in question.

Many app makers likely didn't care as much about your privacy as Apple and Samsung.

Ian Bogost, the creator of a popular but short-lived Facebook app called Cow Clicker, said in a column in The Atlantic that he collected enough personal data during the life of his app that he may still be able to assemble a "reasonably sophisticated profile of your interests and behavior" -- even though the app hasn't existed since 2012.

"It's not just that abusing the Facebook platform for deliberately nefarious ends was easy to do (it was)," he wrote. "But worse, in those days, it was hard to avoid extracting private data, for years even, without even trying."

Until Facebook's changes take effect, you should consider taking steps to protect your data. Look at your own settings, delete any old apps and remove access you don't want to share. You can find out how to do that here.

"As we've seen with the Cambridge Analytica information, you never really know what happens to your personal data once the relationship is severed," said Siva Vaidhyanathan, a professor of media studies at the University of Virginia and the author of an upcoming book about social media. "Facebook wants to convince you it has a handle on this whole situation, but it clearly does not."
