Facebook reportedly gave other big tech companies "intrusive access" to the personal data of its 2.2 billion users — in some instances to private messages, usernames and contact information — raising questions about whether the company ran afoul of a 2011 consent agreement with the Federal Trade Commission.
These secretive arrangements were ostensibly meant to benefit Facebook's never-ending push for growth and enable the companies it works with to add features to their products to improve them. However, the findings underscore just how much power the Menlo Park, Calif.-based company wields over the data of its users.
The arrangements are detailed in a blockbuster New York Times report based on over 270 pages of internal Facebook documents and interviews with about 50 former company employees.
According to the Times, Facebook allowed Microsoft's Bing search engine to see the names of almost all Facebook users' friends without consent and gave Netflix and Spotify access to Facebook users' private messages. The Mark Zuckerberg-led company allowed Amazon to get users' names and contact information through their friends and permitted Yahoo to view streams of friends' posts. Facebook also reportedly allowed Spotify, Netflix and the Royal Bank of Canada to read and delete users' private messages and to see all participants on a thread.
The deals detailed in the internal documents benefited over 150 companies, including some entertainment sites, automakers and media organizations. Their applications gathered the data of hundreds of millions of people per month, with the oldest deal dating to 2010 and most deals still active as of 2017.
In a statement posted to its blog, Facebook said none of these features or partnerships gave companies access to information without people's permission, nor did they violate its settlement with the Federal Trade Commission (FTC).
"To put it simply, this work was about helping people do two things. First, people could access their Facebook accounts or specific Facebook features on devices and platforms built by other companies like Apple, Amazon, Blackberry and Yahoo. These are known as integration partners. Second, people could have more social experiences – like seeing recommendations from their Facebook friends – on other popular apps and websites, like Netflix, The New York Times, Pandora and Spotify."
The company said it has been public about these features and that many of the partnerships, with the exception of Amazon and Apple, have been shut down over the last few months. Facebook also noted in its blog post that users would've had to sign in with their Facebook account to use any integration offered by Apple, Amazon or other partners.
"Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs," the company said in its statement. "We’re already in the process of reviewing all our APIs and the partners who can access them."
Over the years, different studies have confirmed that most people don't read the fine print buried in terms of service agreements. Data privacy experts pushed back on Facebook's assertions that the partnerships were all above board.
“The only common theme is that they are partnerships that would benefit the company in terms of development or growth into an area that they otherwise could not get access to,” Ashkan Soltani, former chief technologist at the FTC, told the Times.
Another former FTC employee said the data-sharing likely violated the 2011 consent decree.
“This is just giving third parties permission to harvest data without you being informed of it or giving consent to it,” David Vladeck, who formerly ran the FTC’s consumer protection bureau, told the newspaper. “I don’t understand how this unconsented-to data harvesting can at all be justified under the consent decree.”
Nick Stamos, Facebook's former chief security officer, tweeted that Facebook bungled its response to the Times investigation by blending "all kinds of different integrations and models into a bunch of prose," making it hard to match the company's response with the Times' reporting. Still, he did defend his former employer, noting that third-party client access is a "pro-competition move."
Stamos gave the following advice to Facebook: "What they really need is a table that gets updated over the next several days that lists the company, the kind of integration, what data was accessible, what steps a user took to activate the integration, and when/whether it was shut down."
Amazon, Microsoft and Yahoo representatives told the Times that they used the data appropriately, but they would not discuss the arrangements in detail. Netflix said in a tweet on Wednesday that it "never asked for, or accessed, anyone's private messages," adding, "We're not the type to slide into your DMs." Spotify told the Times that it was unaware of the access Facebook had given it, while a Royal Bank of Canada spokesperson disputed that the bank had any such access.
Among the revealed partnerships, which the Times reports are only a fraction of such deals, were arrangements in which Facebook obtained data from multiple partners for a controversial (and, critics say, rather creepy) feature known as "People You May Know." That feature, which was introduced a decade ago, continues even though users have reported to other news outlets that it would recommend connections between harassers and victims or between patients of the same psychiatrist.
"Facebook, in turn, used contact lists from the partners, including Amazon, Yahoo and the Chinese company Huawei — which has been flagged as a security threat by American intelligence officials — to gain deeper insight into people’s relationships and suggest more connections, the records show," the Times reports.
The Times also uncovered more information about the details and reach of sharing deals that Facebook made with over 60 makers of smartphones and tablets.
That included a partnership with Apple which reportedly allowed Apple "to hide from Facebook users all indicators that its devices were asking for data. Apple devices also had access to the contact numbers and calendar entries of people who had changed their account settings to disable all sharing."
Apple told the Times it was not aware of any special access granted by Facebook, adding that any shared data remained on devices and was not available to anyone other than the users.
According to the Times, two former Facebook employees also said that many of these special sharing partnerships, which were largely negotiated by more senior officials at the company, were not subjected to extensive privacy program reviews. Facebook said the level of review "depended on the specific partnership and the time it was created."
Pam Dixon, executive director of the World Privacy Forum, a nonprofit privacy research group, said that Facebook would have little power over what happens to users’ information after sharing it broadly. “It travels,” Ms. Dixon said. “It could be customized. It could be fed into an algorithm and decisions could be made about you based on that data.”
Other privacy advocates faulted the FTC for not reining in the tech giant.
“There has been an endless barrage of how Facebook has ignored users’ privacy settings, and we truly believed that in 2011 we had solved this problem,” Marc Rotenberg, head of the Electronic Privacy Information Center, an online privacy group that filed one of the first complaints about Facebook with federal regulators, told the Times. “We brought Facebook under the regulatory authority of the FTC after a tremendous amount of work. The FTC has failed to act.”
Facebook claims these data partnerships fall under an exemption to the FTC agreement because the partner companies are service providers that use the data only "for and at the direction of" Facebook, functioning in a way as an extension of the social platform.
However, former FTC officials told the newspaper that Facebook was interpreting the exemption too broadly, adding that the provision was meant to allow Facebook to perform basic, everyday functions, such as sending and receiving information over the Internet or processing credit card transactions, without violating the consent decree.
Freedom From Facebook, a group which has previously called for the tech giant to be broken up, said the newest revelations should pressure the FTC to act.
"This is a make-or-break moment for the FTC," said Sarah Miller, Chair of Freedom From Facebook, in a statement to Fox News. "The flagrancy with which Facebook has flouted its consent decree shows it doesn't take the agency seriously. The idea that Facebook should be broken up, or never allowed to acquire Instagram and WhatsApp, has gone mainstream. If the FTC wants to be taken seriously again -- not only by corporations but by the public, on whose behalf it is expected to work -- the FTC can't allow Facebook's monopoly to continue to exist."
Another so-called integration partner was the Russian search company Yandex, which had access to Facebook's unique user IDs in 2017. A spokeswoman for Yandex, which was accused last year by Ukraine’s security service of funneling its user data to the Kremlin, said the company was unaware of the access and did not know why Facebook had allowed it to continue. She also told the Times that the Ukrainian allegations “have no merit.”