Andrea Downing speaks during the Stanford Medicine X Conference in Palo Alto, California, in September 2017.

This breast cancer advocate says she discovered a Facebook flaw that put the health data of millions at risk

Updated 9:39 PM ET, Fri March 6, 2020

(CNN)Imagine you have a highly sensitive medical condition that you want, or need, to keep secret. Maybe you've been diagnosed with HIV, or you're trying to kick an opioid addiction.

Desperate to get some advice or talk to a kindred spirit, you bare your soul in a Facebook support group for people with your health problem.
But what if your membership in a Facebook group you assumed was confidential wasn't private?
And what if marketers could easily learn about your diagnosis and your name, email address, location and other identifying information?
Andrea Downing, a tech project manager and breast cancer advocate, has spent the past two years trying to tell the world about this alarming prospect.
Downing is an administrator for a private Facebook group helping women who have a gene mutation that puts them at risk for breast and ovarian cancer.
In 2018, she began to worry that leaks of personal data such as the Cambridge Analytica scandal, which affected up to 87 million Facebook users, could happen in the health sphere.
"There is much more wrong here than is being reported," she remembers thinking. "I kept expecting others to be on top of that and nobody was."
Downing thought there could be a similar risk for the women in her BRCA Sisterhood group who shared deeply sensitive information, including pictures of their mastectomies. Because their group was classified on Facebook as closed, members' personal information was supposed to only be visible to other members.
Downing called a cybersecurity researcher named Fred Trotter, who says he confirmed her suspicion. Trotter said he found a loophole in the privacy settings for closed Facebook groups that would allow developers, marketers and others to download the membership lists of Facebook groups for thousands of diseases and conditions, from Alcoholics Anonymous to survivors of sexual assault.
Trotter said that without more information, it's difficult to prove whether a third party developer exploited the alleged vulnerability.
"In less than an hour, I had extremely personal information that could be used against these women," Trotter told CNN. "The kinds of things that they don't tell their husbands about in some cases."

They filed a complaint about Facebook with the FTC

Trotter believes Downing's discovery had the potential for a leak "probably several orders of magnitude larger than Cambridge Analytica."
In an interview, he said that because the vulnerability would have been present for all Facebook groups labeled "closed," it would have affected far more people than that scandal, in which the Cambridge Analytica political consulting firm obtained the the personal data of millions of Americans.
Further, Trotter argued that the alleged vulnerability might be worse due to the high value of healthcare data to companies, and the high potential for malicious actors to use sensitive information for illicit purposes.
To be clear, Trotter and Downing do not point to a specific smoking gun of a third party stealing and selling health data that users shared on Facebook at mass scale.
But they do allege that users' identifiable information related to specific medical diagnoses could have been accessible for a period of years by those with Facebook developer accounts.
Fred Trotter discusses cybersecurity with Downing during a conference in February 2020.
Trotter and Downing are still concerned about this, even though they say the alleged health data vulnerability was closed in 2018 when Facebook changed its settings. Facebook told The Verge in July 2018, "While we recently made a change to closed groups, there was not a privacy loophole." A Facebook spokeswoman acknowledged to CNN that web developers did have access to membership lists for all closed groups before the fix.
Facebook says that simply being a member of a closed health group doesn't constitute a health disclosure, and that it's investing in ways to give its users clearer information about group privacy settings, particularly with regard to health groups.
Downing and Trotter have filed a complaint with the Federal Trade Commission, arguing that Facebook had an obligation to protect membership lists for health groups and that it failed to disclose this alleged vulnerability to its users.
If the FTC found that Facebook violated its health rules, the complaint could put Facebook on the hook for billions in potential fines.
It also raises troubling questions about the security of users' personal health information on the social platform -- and beyond.

It all started because Downing wanted to help women at risk for cancer

In a way, Downing's journey to becoming a health privacy crusader began many years ago -- when she was three years old and her mother was diagnosed with a hereditary cancer.
"Many of my earliest memories were not knowing whether my mom would live or die," she said.
Her mother survived.
In 2004, after graduating from the University of Texas at Austin, Downing moved to San Francisco and took a job at Salesforce, a cloud computing service.
Downing recovers from bilateral mastecomy surgery in 2012, a pre-emptive measure to protect against her genetic risk for breast cancer.
When she was 25 she learned she had a mutation on her BRCA1 gene showing she had up to an 87% chance for breast cancer and up to a 60% chance of getting ovarian cancer.
The news stunned her. Suddenly she was hurtling toward the same disease that killed her great-grandmother and grandmother and which nearly took her mother.
Downing turned to the internet to find others with the same gene mutation. In 2012 she became an administrator for a Facebook group called BRCA Sisterhood, moderating a forum that offered advice and encouragement to more than 10,000 women diagnosed with life-threatening BRCA mutations.
In those intimate communities, women shared their suffering and exchanged information that could save lives.
"These women were the only ones who were there when the healthcare system didn't work for me," Downing said. "We have a shared identity, and it's an important part of me."
But in early 2018, troubling revelations came to light that the data firm Cambridge Analytica had used stolen data from millions of Facebook users to create highly targeted political ads during the 2016 presidential campaign. After that scandal broke, Downing started questioning whether her group really was a safe space.
Downing discovered it was possible to use a browser extension to download the names, employers, locations and email addresses of all the women in her closed Facebook group. That brow