A letter sent from Facebook to Democratic lawmakers has shed new light on the Messenger Kids breach that took place this summer — and it’s inspired new backlash from Congress.
Earlier this year, an implementation error in the Messenger Kids app had allowed children to create group chats with unauthorized users. That violated a core promise of the app, which had pledged to give children a way to talk with friends without potentially exposing them to strangers online.
In the wake of the news, Sens. Ed Markey (D-MA) and Richard Blumenthal (D-CT) wrote to Facebook seeking more information on the flaw, specifically raising the question of whether the company had violated the Children’s Online Privacy Protection Act (COPPA). But Facebook’s response, sent August 27th, makes clear that the company does not believe the app ultimately violated that law.
“We believe… that Messenger Kids complies with COPPA,” public policy VP Kevin Martin wrote to lawmakers, “and we are committed to continually improving it to ensure we not only comply with COPPA but we meet and exceed the high standards of parents and families.”
The letter also gives more details on when the flaw was introduced, when it was discovered, and when it was ultimately patched. According to Walker, the error was introduced in October 2018, just 10 months after the app was introduced. Facebook discovered the issue the next year, on June 12th, and updated its code to fix the issue the next day. It was not until more than a month later, on July 15th, that parents began to be notified, according to Walker’s timeline. Those emails were published by The Verge the following week.
“Messenger Kids takes children’s privacy and security seriously, and we are committed to ensuring any technical errors are investigated and addressed quickly,” Martin said.
Sens. Markey and Blumenthal were not impressed by the explanation.
“Facebook’s response gives little reassurance to parents that Messenger Kids is a safe place for children today,” the senators wrote. “We are particularly disappointed that Facebook did not commit to undertaking a comprehensive review of Messenger Kids to identify additional bugs or privacy issues. If Facebook wants children and parents’ trust, it has to do a lot better than this. That means dropping Facebook’s current whack-a-mole method and taking a proactive approach that makes privacy and security the platform’s number one priority—particularly for kids.”
The scandal comes at an awkward time for Facebook, as it seeks sympathetic regulation for its proposed Libra currency. Just a week after the Messenger Kids issues came to light, the Federal Trade Commission announced a $5 billion settlement with Facebook over a string of prior privacy issues — a settlement many critics found unacceptably light.
It’s still unclear whether the FTC will take any action in response to the Messenger Kids issue, although Facebook says the settlement would not currently indemnify the company from such a suit.
“We are in regular contact with the FTC on many issues and products, including Messenger Kids,” Martin said in the letter. “Consistent with our practice, we seek to be cooperative and responsive to their inquiries.”