Responding to a report in the New York Times which revealed Facebook gave at least 60 major device manufacturers unprecedented access to user data, Democratic Congressman David Cicilline (RI) tweeted on Sunday: “Sure looks like Zuckerberg lied to Congress about whether users have “complete control” over who sees our data on Facebook,” adding “This needs to be investigated and the people responsible need to be held accountable.”
Sure looks like Zuckerberg lied to Congress about whether users have “complete control” over who sees our data on Facebook. This needs to be investigated and the people responsible need to be held accountable. https://t.co/rshBsxy32G
— David Cicilline (@davidcicilline) June 4, 2018
The Times reported Sunday evening that Facebook gave at least 60 major device manufacturers access to user data over the last decade – including Apple, Amazon, BlackBerry, Microsoft and Samsung – as part of a data-sharing partnership program which allowed the companies to integrate various features such as messaging and “like” buttons into their products.
The agreement has allowed manufacturers to access information on relationship status, calendar events, political affiliations and religion, among other things. An Apple spokesman, for example, said that the company relied on private access to Facebook data to allow users to post on the social network without opening the Facebook app, among other things.
Even more disturbing, the manufacturers were able to access the data of users’ friends without their explicit consent, despite Facebook declaring they would not let outside companies access user data. The catch? The NYT explains.
Facebook’s view that the device makers are not outsiders lets the partners go even further, The Times found: They can obtain data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties.
In interviews, several former Facebook software engineers and security experts said they were surprised at the ability to override sharing restrictions. –NYT
“It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission,” said Ashkan Soltani, a research and privacy consultant and former chief technologist for the Federal Trade Commission (FTC).
The Times even performed a test to verify their claims:
To test one partner’s access to Facebook’s private data channels, The Times used a reporter’s Facebook account — with about 550 friends — and a 2013 BlackBerry device, monitoring what data the device requested and received. (More recent BlackBerry devices, which run Google’s Android operating system, do not use the same private channels, BlackBerry officials said.)
Immediately after the reporter connected the device to his Facebook account, it requested some of his profile data, including user ID, name, picture, “about” information, location, email and cellphone number. The device then retrieved the reporter’s private messages and the responses to them, along with the name and user ID of each person with whom he was communicating.
The data flowed to a BlackBerry app known as the Hub, which was designed to let BlackBerry users view all of their messages and social media accounts in one place.
The Hub also requested — and received — data that Facebook’s policy appears to prohibit. Since 2015, Facebook has said that apps can request only the names of friends using the same app. But the BlackBerry app had access to all of the reporter’s Facebook friends and, for most of them, returned information such as user ID, birthday, work and education history and whether they were currently online.
The BlackBerry device was also able to retrieve identifying information for nearly 295,000 Facebook users. Most of them were second-degree Facebook friends of the reporter, or friends of friends.
In all, Facebook empowers BlackBerry devices to access more than 50 types of information about users and their friends, The Times found. -NYT
And as we noted early Monday, despite winding down the partnerships in April – including the posting capabilities used by Apple, Facebook has defended the data-sharing agreements, saying they comply with the company’s privacy policies and a 2011 consent decree issued by the FTC. Facebook officials say they don’t know of any cases where user information has been misused.
“These partnerships work very differently from the way in which app developers use our platform,” said Ime Archibong, a Facebook vice president. Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of “the Facebook experience,” the officials said.
“These contracts and partnerships are entirely consistent with Facebook’s F.T.C. consent decree,” said Archibong.
Former FTC official Jessica Rich, however, disagreed with that assessment.
“Under Facebook’s interpretation, the exception swallows the rule,” said Ms. Rich, now employed by the Consumers Union. “They could argue that any sharing of data with third parties is part of the Facebook experience. And this is not at all how the public interpreted their 2014 announcement that they would limit third-party app access to friend data.”
And because Facebook does not consider the device makers to be outsiders, the data sharing partnerships go even further, The Times discovered, which is what allows the companies to access user data of a Facebook user’s friends – even if they’ve denied Facebook permission to share information with third parties.
Apparently Facebook discussed the issue as early as 2012 and simply decided not to change the arrangements, despite the data-sharing agreements being flagged as a privacy issue.
But the device partnerships provoked discussion even within Facebook as early as 2012, according to Sandy Parakilas, who at the time led third-party advertising and privacy compliance for Facebook’s platform.
“This was flagged internally as a privacy issue,” said Parakilas, who left Facebook in 2012 and has emerged as a new voice against the company’s data handling policies. “It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.”
As for the various answers given by the device manufacturers (via The Times):
- Samsung declined to respond to questions about whether it had any data-sharing partnerships with Facebook. Amazon also declined to respond to questions.
- Usher Lieberman, a BlackBerry spokesman, said in a statement that the company used Facebook data only to give its own customers access to their Facebook networks and messages. Mr. Lieberman said that the company “did not collect or mine the Facebook data of our customers,” adding that “BlackBerry has always been in the business of protecting, not monetizing, customer data.”
- Microsoft entered a partnership with Facebook in 2008 that allowed Microsoft-powered devices to do things like add contacts and friends and receive notifications, according to a spokesman. He added that the data was stored locally on the phone and was not synced to Microsoft’s servers.
- Facebook acknowledged that some partners did store users’ data — including friends’ data — on their own servers. A Facebook official said that regardless of where the data was kept, it was governed by strict agreements between the companies.
On Monday, Facebook pushed back against the Times, claiming that the data shared with manufacturers was never abused.
“These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences,” wrote Ime Archibong, Facebook’s vice president of product partnerships
“Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.”