What finally caused Facebook to close the loophole were complaints from a group of women with the BRCA gene, a gene mutation associated with an elevated risk of breast cancer. The BRCA Sisterhood group, which did not want members’ names to be known, ran a “closed” Facebook group. Technically, “secret” is Facebook’s most restrictive setting, but a “secret” group is hidden from public listings entirely. The BRCA Sisterhood wanted to remain open to new members and chose the “closed” setting for that reason.
A security researcher who helped the BRCA Sisterhood moderators investigate whether the plugin could harvest their personal information also found that Facebook groups for individuals coping with other sensitive issues, such as addiction recovery and HIV/AIDS, were easily searchable using the Chrome plugin.
This type of personal data can be used in marketing and advertising. But it comes with another, more fraught consideration for Facebook: healthcare privacy compliance. While a social media site like Facebook is not required to be compliant under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, it may catch the attention of European regulators, where Facebook is already facing an uphill battle under the new General Data Protection Regulation (GDPR) rules.
Facebook issued a cease-and-desist letter to the Grouply.io developers, who discontinued the Chrome plugin earlier this year. Facebook also says it has closed the third-party loophole overall.