The way Facebook interacts with users is “unfair, deceptive and misleading”, according to a complaint lodged with US regulators.
The Federal Trade Commission was told the company had failed to protect the privacy of those in patient health and other groups.
Some users may have been exposed to “life-threatening privacy violations”, the complaint says.
The privacy of Facebook groups was brought into question last year when members of a restricted-access Facebook group for women with the Brca gene mutation discovered that their details could be downloaded by third parties.
While Facebook has made changes to close security loopholes, the complaint says that, under US law, the social media giant should have notified users of the downloading of their data.
“Facebook did not notify affected users within the required 60 days and we believe that Facebook has not notified the FTC of the breach within the required 10 business days,” it says.
Using Facebook patient health groups is “effectively a game of privacy roulette in which users are unable to know in advance which ‘connections’ will hurt them by downloading the data from posts in closed and secret groups”, it says.
The complaint also raises concerns about malicious users creating groups that target a vulnerable population before “being leveraged to expose Facebook users to life-threatening privacy violations”.
“It is possible that some of the Facebook-borne genocides have taken advantage of this flaw,” it says, in a probable reference to the persecution of Muslim Rohingyas in Myanmar, also known as Burma.
In response, Facebook said: “It’s intentionally clear to people that when they join any group on Facebook, other members of that group can see that they are a part of that community and can see the posts they choose to share with that community,” it said.