Skip to content
Naked Security Naked Security

Facebook: ‘Technical error’ let strangers into Messenger Kids chats

It won't happen again, Facebook told senators who wondered how well it's handling kids' privacy in the chat app abhorred by kids advocates.

We are “disturbed” to learn that thousands of children using Facebook’s Messenger Kids chat app were able to join group chats with strangers, senators told Facebook earlier this month.

Oops, Facebook said.

In a reply letter this week, dated Tuesday, 27 August, and addressed to Senators Edward J. Markey and Richard Blumenthal, Facebook Vice President Kevin Martin called the foul-up a “technical error”, Reuters reports.

From the letter:

Based on our review, we have determined that the technical error you have inquired above arose in October 2018. The fix we implemented is designed to prevent the issue from happening again.

In other words, the “technical error” has been affecting kids’ privacy for about 10 months. Facebook first introduced Messenger Kids in December 2017. According to The Next Web, Facebook has said that it discovered the flaw two months ago, on 12 June 2019, and that it fixed it the next day. Facebook didn’t tell parents until a month later, on 15 July, but not before identifying the affected chat threads and disabling them, TNW reports.

This all came to light last month when Facebook was forced to apologize to parents after finding that a hole in the supposed closed-loop messaging system allowed children to join group chats with people their parents hadn’t approved.

It’s going on two years ago now that Facebook decided it would be a swell idea to bring Messenger to kids aged as young as six.

And kept it going, in spite of children’s health advocates quickly begging it to torch Messenger Kids for plenty of reasons, including the increased incidence of depression, suicidal tendencies, and sleep deprivation seen in kids that are online a lot.

Hey, we’re parents, too, Facebook had initially said. We’ll take good care of your tots.

Designed to be compliant with the Children’s Online Privacy Protection Act (COPPA), Messenger Kids would obediently, law-abidingly protect children’s privacy while they’re online, Facebook said, obeying COPPA guidelines that prohibit developers of child-focused apps, or any third parties working with such app developers, from obtaining the personal information of children aged 12 and younger without first obtaining verifiable parental consent.

Not only would it have no advertising, it would be a godsend for parents, Facebook said: A messaging app that lets children “connect with people they love” but which also “has the level of control parents want”!

So much goodness! What could possibly go wrong?

The senators’ questions

Messenger Kids is an Android and iOS app designed for users as young as six years old. The service, which doesn’t allow ads, must be installed by parents, who must approve the child’s contacts. It’s impossible to search for individual children on the service. Individuals can video chat and message with children using the regular Messenger app, but only if the child’s parent approves them…

…well, that’s how it’s supposed to work, at any rate.

In their letter, Senators Blumenthal and Markey had questioned whether there was a “worrying pattern” of poor privacy protection for children using Messenger Kids. Looking for transparency, they posed these questions:

  • When did Facebook first become aware of the Messenger Kids design flaw that allowed children to engage in chats with unapproved users?
  • How long has this design flaw existed within the Messenger Kids app?
  • Are parents able to review the unapproved group chats their children were a part of or otherwise learn what information was shared in these interactions? If not, why not?
  • Has Facebook initiated a review of the Messenger Kids app to identify other flaws that present similar children’s privacy concerns? If not, will Facebook commit to doing so?
  • Does Facebook consider itself released from liability from any COPPA violations related to this design flaw because of its 24 July 2019 settlement with the Federal Trade Commission (FTC)?

Right, about that settlement… Facebook said in the letter to the senators that it’s regularly chatting with the FTC, which gave it a $5 billion wrist slap in July for losing control of users’ data.

We are in regular contact with the FTC on many issues and products, including Messenger Kids.

On Wednesday, the senators said they weren’t very impressed by Facebook’s reply:

We are particularly disappointed that Facebook did not commit to undertaking a comprehensive review of Messenger Kids to identify additional bugs or privacy issues.

How to keep your children safe on their phones

If you’re concerned about what your kids can get at on their smartphones, then good – you should be. It’s scary out there. In this video, Matt Boddy explains how you can restrict what they can access.

(Watch directly on YouTube if the video won’t play here.)

1 Comment

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?