Facebook & # 39; s Messenger Kids app is built around a simple principle: children should not be able to talk to users who have not been approved by their parents. But a design flaw allowed users to bypass protection through the group chat system, allowing children with unauthorized strangers to get into group chat.
Facebook has quietly closed those group chats and warned users over the past week, but has not made any public statements announcing the issue. The warning, which was obtained by The edge, sounds like this:
We found a technical error that allowed the friend of (CHILD) (FRIEND) to create a group chat with (CHILD) and one or more of the parents-approved friends of (FRIEND). We want you to know that we have disabled this group chat and ensure that such group chats are not allowed in the future. If you have any questions about Messenger Kids and online safety, visit our Help Center and Messenger Kids Parental Control. We also appreciate your feedback.
Facebook confirmed to The edge that the message was authentic and that the message had been sent to thousands of users in recent days. "We recently informed some parents of users of Messenger Kids accounts of a technical error that we discovered regarding a small number of group chats," said a Facebook representative. "We have disabled the relevant chats and provided parents with additional information about Messenger Kids and online safety."
The bug was caused by the way the unique permissions of Messenger Kids were applied in group chat. In a standard one-on-one chat, children can only enter into conversations with users who have been approved by the child's parents. But those permissions became more complex when they were applied to a group chat because of the multiple users involved. Each individual child can invite an authorized user to a group chat, even if that user was not authorized to chat with the other children in the group. As a result, thousands of children were left behind in chats with unauthorized users, a violation of Messenger Kids' core promise.
It is unclear how long the bug was present in the app, which was launched in December 2017 with group functions.
The privacy deficit is particularly legally sensitive because Messenger Kids is designed for children under 13 years of age and therefore subject to the Children & # 39; s Online Privacy Protection Act (COPPA). Some privacy groups have already accused Messenger Kids of violating COPPA by collecting user data, and this latest privacy deficit will only exacerbate those concerns.
The problem also comes at a difficult time for Facebook as a company, which is currently charging costs with Cambridge Analytica at the Federal Trade Commission. Rumor has it that this settlement could be announced as soon as this week a mandatory privacy commission and $ 5 billion in fines for Facebook as a company, but not a step toward personal liability for CEO Mark Zuckerberg. As a result, it has been that way generally criticized as insufficient to force the company to adopt stricter privacy protection.