LONDON — A voter engagement app used by the populist party that is the senior partner in Italy’s coalition government is being investigated by Facebook as part of a broader probe into potential historical data misuse.
The Five Star Movement (M5S), an antiestablishment party that won the most seats in Italy’s 2018 general election, launched the app in 2013, the year of the party’s breakthrough onto the national stage.
The Attivista 5 Stelle — 5 Star Activist — app invited M5S supporters to complete tasks on Facebook such as sharing posts, promoting campaign events, and adding the party’s logo to profile pictures, in exchange for points. The highest scoring activists would win a dinner with M5S cofounder, former comedian Beppe Grillo.
A Facebook spokesperson said an investigation into the app was ongoing. There is nothing at this stage to suggest data was misused by the app’s developers.
“The Attivista 5 Stelle app is not currently active on our platform and has not been for over a year,” the spokesperson said in an emailed statement to BuzzFeed News. “We are currently investigating the app within the App Developer Investigation.”
Facebook’s App Developer Investigation began in March last year as a response to the Cambridge Analytica scandal, the UK political consulting and voter profiling firm that harvested the private information of up to 87 million Facebook users without their permission in one of the social network’s biggest data breaches. The breach was first disclosed by the Observer and the New York Times. In the immediate aftermath, Facebook’s market value fell by more than $36 billion, and the company’s founder and CEO, Mark Zuckerberg, was hauled before Congress to testify.
Although the Attivista 5 Stelle app was removed from Facebook by M5S web developers last year, a Facebook login button is still visible on a cached version of the app’s sign up page, the existence of which was first reported by the Italian website Linkiesta earlier this month.
By examining the parameters that are contained in the URL of the login button, it is possible to view the permissions that users granted the app — showing what data the app could have potentially accessed from not only the people who used it, but their friends too.
The list of permissions granted, all legitimately accessible through Facebook’s API at the time, included:
Friends’ about me information
Friends’ religion and politics
Permissions to access users’ email addresses, read streams, create events and publish on users’ streams
The cached privacy page of the Attivista 5 Stelle app shows that Casaleggio Associati, a tech firm set up by M5S cofounder Gianroberto Casaleggio, was responsible for handling data collected through the app. The company, which is now presided over by Casaleggio’s son Davide, is umbilically linked to the M5S. BuzzFeed News has previously revealed that M5S websites and Grillo’s popular blog had similar setups for handling their data.
A spokesperson for Casaleggio Associati told BuzzFeed News that the app did not process all the data that was technically accessible via Facebook at the time, and the data it did use was limited to enabling essential features such as allowing users to change their profile picture and check how many friends used the application.
In addition to asking activists to add the M5S logo to their Facebook profiles, a blog entry from 2014 used to promote the app lists various other actions for users to carry out. These included calls to invite friends to donate to the party, share the M5S manifesto on users’ feeds, and promote events and candidate lists.
The Casaleggio Associati spokesperson said data was never used to profile third parties or users’ friends. The spokesperson added that the company had already provided answers to questions it had received from Facebook.
Facebook’s App Developer Investigation has already seen millions of apps reviewed and tens of thousands suspended. Facebook investigates apps based on signals associated with potential data misuse and other potential policy violations, as well as when there are concerns on how the information people choose to share with an app may have been used.
As an investigation is ongoing, Facebook was unable to share additional details of its probe, including the total number of users whose data was accessed through the app. Casaleggio Associati said the company was unable to provide figures for the app’s users and activity because it no longer had access to that data having deleted it.
As such, it is not known exactly how many users the app had and how much data was collected in the five years it was active, but estimates provided to BuzzFeed News suggest it could have had access to the personal information of millions of people.
Marco Canestrari, who between January 2007 and June 2010 worked as M5S’s community manager, told BuzzFeed News that the party would have had about 30,500 activists at the time. Facebook itself said in 2014 that Facebook users in Italy had on average 300 friends each, which, Canestrari estimates, would put the total pool of direct users and their friends connected through the app well into seven figures. Canestrari used to work for Casaleggio Associati before becoming a whistleblower and authoring two books about the M5S. The company disputed the estimate.
Critics like Canestrari argue that the unusually close relationship between the M5S party and Casaleggio Associati means the latter, a private company, controlled the data — and this, they claim, raises important questions about what it potentially could have done with that data given the sector the firm operates in.
The Casaleggio Associati spokesperson said: “All data used by the application has been used exclusively for the public functions of the application, has been subsequently deleted and therefore has not been used for any other purpose.”
There is no evidence to suggest that the data collected through the app was sold to third parties or otherwise misused.
While the Cambridge Analytica scandal broke in 2018, Facebook actually announced in 2014 that it was shutting down developers’ access to friends’ data amid privacy concerns.
The cached pages for the sign-up page of the M5S app between mid-2014 and 2017 reflect these changes. The URLs linked from the Facebook sign up buttons show the app requesting access to the email address of the user and asks for a list of a user’s friends that also use the app, as well as permission to publish relevant actions on a user’s profile.
Casaleggio Associati said the app was only actively used in 2013 and 2014. After that it was only possible to see the ranking of the contest the M5S had run through the app, said a company spokesperson.
The Italian Data Protection Authority told BuzzFeed News that it had received several reports flagging the app and as per usual procedure it was looking into the case.
The M5S did not respond to a request for comment.
Lam Vo contributed to this story.