A closed group for women at genetic risk for breast cancer wasn’t as private as its members thought, according to a new report from CNBC.
The BRCA Sisterhood group was created as a support network for women with the BRCA gene, a mutation that greatly increases the risk of breast cancer, often resulting in preemptive mastectomy. The group was listed as “private” because of the sensitivity of the issue. But while the content of the group was closed to outsiders, the group’s membership was broadly visible, inadvertently revealing sensitive medical information.
Sisterhood members became aware of the loophole through a Chrome extension that allowed one of the members to download detailed information for thousands of members in a matter of minutes. Though the extension drew attention to the problem, private group membership has long been visible on a user’s Facebook page. Bulk member lists could also be downloaded through a loophole involving the Group ID. Facebook acknowledged that member lists were essentially public, writing on a help page that “anyone” could see the title and member list for a closed group.
Reached by The Verge, Facebook disputed that the access constituted a loophole. “While we recently made a change to closed groups, there was not a privacy loophole,” a Facebook representative said.
Groups can have private member lists if they’re set as “secret,” but that would make the group inaccessible in search results — a problem for the BRCA Sisterhood, which was actively soliciting membership from more women affected by the mutation.
Facebook appears to have changed its privacy settings in the wake of the CNBC report, although a Facebook representative said the company had already received significant feedback about membership privacy. The change, which seems to have occurred in late June, was not publicly announced, although a number of changes were made to public documentation. According to a current version of the same Facebook help page, only current members can see the membership of a closed group.
Update 5:55PM ET: Updated with Facebook comment and background on the motivations behind the change in privacy settings.