
Facebook gave users the weekend to ponder one of the great philosophical questions of all time: When is a post not really a post? On Friday, the social media giant posted a statement on its Facebook for Developers page disclosing that an API bug may have exposed the photos of up to 6.8 million users.

Some of those photos hadn't even been posted yet—just uploaded. Facebook has had its share of troubles this year, but the involvement of photographs is something fairly new. Indeed, it's not entirely clear whether current privacy laws would even cover the novel incident at hand.

“There's nothing I can think of off-hand that seems quite comparable, and that's what I think raises so many questions about this incident. It's not entirely clear how the potential legal ramifications of this will play out,” said April Doss, a privacy and cybersecurity attorney with Saul Ewing Arnstein & Lehr.

Facebook's statement said an API bug might have given third-party apps access to photos over a 12-day period in September. It's not yet clear when the platform discovered the problem, but the relatively narrow scope of U.S. breach laws might provide it with some leeway on notification.

Where the GDPR casts a broad net that includes any information related to an identified or identifiable natural person, U.S. regulations tend to be more concerned with Social Security numbers or payment card and health-related data. A breached photo might not fit neatly into existing American laws or statutes.

“It is absolutely possible that Facebook's biggest legal exposure is with European privacy regulators,” Doss said.

There are other ambiguities to consider too, such as how there can be a photo to breach if the user never finished posting it. According to the note on the Facebook for Developers page, uploaded photos are stored for three days in the event the user returns to complete unfinished business.

If that's news to the average consumer, then Facebook may have a problem with the FTC. Per Doss, the heart of the agency's enforcement under the FTC Act falls under the category of unfair and deceptive practices. In other words, the regulatory implications could come down to what Facebook made explicit versus the assumptions of an average consumer.

“I feel sure that one of the things that people will go back and comb through are the Facebook privacy policies and whether or not those adequately warned users about this,” Doss said.

To be sure, Facebook's terms of service do spell out that the platform has a right to “store, copy and share with others” photos that a user has already elected to share on the site. That agreement is terminated when the content in question is deleted or the account itself is closed, but even then there's a grace period where copies of the original material will continue to exist for a “limited time.”

Still, the fine print isn't black and white. Photos that were uploaded but never posted may or may not constitute a “share”—and the issue itself could become a moot point if regulators were to decide that it was unfair to expect the average consumer to parse those nuances.

“I think that many users would be surprised to learn that it was possible for there to be a compromise on Facebook that affects photos that only existed on their own personal devices, that again, had never been posted anywhere,” Doss said.