Facebook has revealed that apps developed by the Russian technology conglomerate Mail.ru Group may have had access to user data, even beyond what it allowed after a policy change in 2014, again expanding the scope of the Cambridge Analytica probe into misuse of user data on the platform.

The social media company has said that the Mail.ru Group developed hundreds of Facebook apps, only a handful of which actually went live on Facebook. After the Cambridge Analytica scandal emerged last year, Facebook defended itself by stating that it had introduced an API change in 2014 to prevent apps from obtaining users’ friends’ data, as had happened in the case of Cambridge Analytica.

However, Facebook said it allowed for an extension of two weeks for two Mail.ru apps to wind down a feature on two messaging apps. The feature allowed users to see their Facebook friend list and message people who also were using the Mail.Ru apps. During the extension, Mail.ru could only access to people’s friends list, but no data about the friends’ likes or comments. But Mail.ru was already running apps that had never gone live, all of which operated under Facebook’s old data rules, meaning that Mail.ru apps may have collected your friends’ data which was allowed under Facebook developer rules at the time.

US Senator Mark Warner, who is on Senate Intelligence Committee, told CNN that the development called for further scrutiny into Facebook’s relationship with Mail.Ru. “In the last 6 months we’ve learned that Facebook had few controls in place to control the collection and use of user data by third parties. Now we learn that the largest technology company in Russia, whose executives boast close ties to Vladimir Putin, had potentially hundreds of apps integrated with Facebook, collecting user data. If this is accurate, we need to determine what user information was shared with mail.ru and what may have been done with the captured data.”

Facebook is now investigating Mail.ru, along with all other apps that had access to large quantities of user data prior to the changes, although it has told CNN that no evidence that the Mail.Ru Group had misused Facebook user data. Facebook granted thousands of other companies the same data access, but an extension to Mail.ru raises more eyebrows in light to widespread reports of Russian interference via social media platforms (we mean Facebook) in the 2016 US Presidential Elections.

Meanwhile, Mail.ru told Wired that it assumed compliance on the Mail.ru as well. “We assume that while changing API Facebook changed the terms for the clients who had popular applications that had not been updated to the latest version […] We definitely use our cooperation with Facebook strictly for business needs of our products and strictly according to the Facebook regulations.”

The many developments in Facebook-Cambridge Analytica

  • The UK Information Commissioner’s Office (ICO) slapped a fine of £500,000, the the maximum amount possible, for two breaches of the Data Protection Act. The Information Commissioner’s Office (ICO) concluded that Facebook failed to safeguard its users’ information and that it failed to be transparent about how that data was harvested by others.
  • Earlier in July, Facebook admitted that it had granted an extension of six months to 61 apps to give them time to comply with the API change of 2014. These 61 firms, which include Snap (which owns Snapchat), music service Spotify, social media management service Hootsuite, and rideshare app Uber, got almost six extra months to be compliant. American streaming app Saavn, which just got acquired by Reliance Jio, was one of the companies that got extended access. These apps got an extra six months of access to data access to “name, gender, birthdate, location, photos, and page likes,” Facebook told Business Insider. It’s unclear why these companies got extended access to comply with the API update since many of the names seem to have the resources to comply within the timelines that were set for other developers. (Here is the list of the 61 apps)
  • Multiple federal agencies joined the US Department of Justice to probe the statements and actions of the Facebook post the Cambridge Analytica scandal. Now, the FBI, Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) are onboard to investigate how much Facebook has said it knows and how much it actually knew about Cambridge Analytica accessing personal data of 80 million Americans.