Facebook changes settings after outing members of a medical support groupJuly 12, 2018
A closed group for women at genetic risk for breast cancer wasn’t as private as its members thought, according to a new report from CNBC.
The BRCA Sisterhood group was created as a support network for women with the BRCA gene, a mutation that greatly increases the risk of breast cancer, often resulting in preemptive mastectomy. The group was listed as “private” because of the sensitivity of the issue. But while the content of the group was closed to outsiders, the group’s membership was broadly visible, inadvertently revealing sensitive medical information.
Sisterhood members became aware of the loophole through a Chrome extension that allowed one of the members to download detailed information for thousands of members in a matter of minutes. Though the extension drew attention to the problem, private group membership has long been visible on a user’s Facebook page. Bulk member lists could also be downloaded through a loophole involving the Group ID. Facebook acknowledged that member lists were essentially public, writing on a help page that “anyone” could see the title and member list for a closed group.
Groups can have private member lists if they’re set as “secret,” but that would make the group inaccessible in search results — a problem for the BRCA Sisterhood, which was actively soliciting membership from more women affected by the mutation.
Facebook appears to have changed its privacy settings in response to the CNBC report. On June 26th, shortly after being contacted by CNBC reporters, Facebook quietly changed the privacy settings for closed groups, making member lists inaccessible to outsiders. The change was not publicly announced, although a number of changes were made to public documentation. According to a current version of the same Facebook help page, only current members can see the membership of a closed group.