Buried in Facebook's latest message to 87,000,000 users who had their data stolen by Cambridge Analytica is this eye-popping nugget: "A small number of people who logged into 'This Is Your Digital Life' also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you."
That is to say, "We think Cambridge Analytica may have been reading your private messages, but we can't be sure."
Facebook has made a habit of burying the lede; a week ago they buried the fact that the Cambridge Analytica heist affected 87,000,000 users, not 50,000,000, in a long, anodyne snoozefest, apparently thinking no one would notice.
As Wired's Issie Lapowsky points out, this is another blow to Facebook's insistence that they only gave your data to Cambridge Analytica because you asked them to -- even if you naively clicked an agreement to let Cambridge Analytica rummage through your private messages, the people who sent you those messages certainly didn't.
A Facebook spokesperson confirmed that the app, which was designed by Cambridge University researcher Aleksandr Kogan to collect data on Americans on behalf of Cambridge Analytica’s British counterpart SCL, requested access to user inboxes through the read_mailbox permission. Unlike the collection of specific user friend information, which Facebook says it phased out in April 2015 unless both people had downloaded the same app, the read_mailbox permission didn't fully deprecate until that October.
Users had to agree to give apps access to their inboxes, but that request for highly personal information would be bundled up with a list of other more benign data points, including birthdays or profile pictures. It's possible some users approved this access, never knowing how much of themselves they were giving up, not just to Cambridge Analytica, but to every app that requested these permissions until 2015.
Cambridge Analytica Could Also Access Private Facebook Messages [Issie Lapowsky/Wired]