Under fire for failing to adequately police third-party apps on its service in the wake of the recent Cambridge Analytica scandal, Facebook has permanently banned the personality quiz app myPersonality.
The decision by Facebook, announced on Wednesday, comes after it had temporarily suspended the app on April 7 shortly after it was revealed that political consulting firm Cambridge Analytica had allegedly misused Facebook user data. The myPersonality app has no direct connection to Cambridge Analytica, but it had spurred the creation of a similar app that is at the heart of that controversy.
Facebook said that myPersonality’s creators, which include David Stillwell of University of Cambridge’s Psychometrics Centre, refused to cooperate with an audit of how data their app gathered was protected and shared. Facebook also said that the protection of data collected by the app was inadequate.
In a statement to Fortune, Stillwell disputed Facebook’s conclusion, saying that “all necessary consents were explicitly and repeatedly provided by all Facebook users when using the myPersonality app.” He added, “When the app was suspended three months ago I asked Facebook to explain which of their terms was broken but so far they have been unable to cite any instances.”
Stillwell declined via email to Fortune to confirm whether he had declined an audit, and the statement doesn’t address how well secured the data was against unauthorized access.
The app, developed at the University of Cambridge in 2007, gathered profile information from about four million users, Facebook said, higher than previously estimated. The Psychometrics Centre website states that only 40%, or 2.4 million people, agreed to share the Facebook profile out of 6 million who took the test. But that number appears to be several years old. A New Scientist investigation in May 2018 suggested the number was roughly three million.
Facebook believes the four million figure is accurate, however. “This is the best estimation we can come up with—who we know who directly installed the app itself,” said a Facebook spokesperson.
Facebook said little data had been collected by the app since 2012. Stillwell stated pointedly, “The app has not been in use since July 2012 so this ban is nonsensical and purely for PR reasons.”
That New Scientist report stated that the data collected by myPersonality lacked reasonable online protections, and could be accessed easily by finding login credentials stored openly (and accidentally) in an unrelated party’s code archive. The investigation also said the data, intended to be distributed in a way that would prevent identification of individuals, contained enough personal characteristics to re-connect profile data with individual users, or deanonymize the profiles.