If you’re a member of the LGBTQ community living in a country where that can be a death sentence, odds are you don’t broadcast your sexual orientation widely on the internet.
Same goes if, say, hypothetically, you’re a survivor of sexual assault and you’re looking to join an online support group but don’t want that information to be readily available to anyone with a Facebook account.
But if you joined a closed Facebook group for either of those communities believing it to be private, you nevertheless still did ― though you probably didn’t realize it.
That’s according to a CNBC investigation published Thursday, which found that a privacy loophole on the site allowed marketers ― and anyone else with basic internet know-how ― to easily access personally identifiable information from closed Facebook groups and download the information wholesale.
The only necessary tool was a browser extension called Grouply. Facebook took legal action against the company earlier this year; as a result, neither the extension nor its website is still available. But an archived version of Grouply’s website describes the Facebook groups it tapped into as a “goldmine” for marketers and touts its extension as the perfect tool to capitalize on it.
“This tool is a must for any company needing to access the right target audience, right now,” reads one testimonial.
“Facebook is filled with market opportunities,” reads another. “Grouply helps you make the most out of it.”
Grouply did not immediately respond to a request for comment Thursday.
CNBC’s inquiry was prompted when administrators for a “closed” support group for women who are genetically predisposed to breast cancer were able to use the loophole to download information on all 9,000 of its members, including their names, employers, locations, email addresses and other personal details. For obvious reasons, its members wanted to keep their identities private, moderator Andrea Downing told CNBC.
While it’s unclear if marketers used Grouply to access that particular closed group, they undoubtedly used it to harvest personal information from plenty of others.
In comments to HuffPost, Facebook acknowledged that, in the past, closed groups didn’t hide the names of people who belong to them. The company has since hidden that information, but it disputed characterizing its prior public availability as a “loophole.”
“While we recently made a change to closed groups,” the spokesperson said in an emailed statement, “there was not a privacy loophole.”
Going forward, only administrators and moderators of closed groups will be visible to non-members.
The Facebook spokesperson noted that a more restrictive “secret” group option does exist for those who require a higher level of privacy. Unlike closed groups, secret groups are not discoverable via search.