Last night, we got word of yet another Facebook privacy scandal. What is that, Number 427 for the year? In this case, a report from The New York Times revealed the social media company gave an extreme amount of access to certain partner companies, over and above what users might have expected.
According to the NYT report, Facebook offered these companies access to everything from friends lists to private messages, even after it claimed it no longer offered such access to anyone. Netflix and Spotify apparently had the ability to read, write, and delete messages for users, while Microsoft’s Bing search engine could “see the names of virtually all Facebook users’ friends without consent.”
Perhaps most alarmingly, a Russian search company, Yandex, was allegedly allowed to see user IDs as late as last year, after Facebook was supposed to have cut even partner companies off from that information.
This degree of access might have been a violation of the Federal Trade Commission (FTC)’s 2011 decree that Facebook obtain explicit permission before sharing anyone’s data. In the NYT report, Facebook‘s Director of Privacy and Public Policy Steve Satterfield said this access didn’t violate the FTC’s ruling because the ruling “did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself.”
Facebook released a statement today saying that all of the access these companies were granted was done with user permission, including the ability to write and delete messages. Konstantinos Papamiltiadis, Facebook‘s head of Developer Programs, said to a hypothetical worried user: “Our integration partners had to get authorization from people. You would have had to sign in with your Facebook account to use the integration offered by Apple, Amazon or another integration partner.”
However, near the end of the statement, he does admit the company fumbled the API ball:
Why did some partners have access to data as late as 2017, even after instant personalization was shut down? Instant personalization only involved public information, and we have no evidence that data was used or misused after the program was shut down. However, we shouldn’t have left the APIs in place after we shut down instant personalization.
Netflix, for its part, said on Twitter that it never asked for the access it was given, taking the opportunity to make what was probably an ill-timed joke:
Netflix never asked for, or accessed, anyone's private messages. We're not the type to slide into your DMs.
— Netflix US (@netflix) December 19, 2018
User response to the joke was decidedly cool, but the notion that Facebook preemptively gave big tech companies access to user data became something of a theme. When asked about the access by Variety, a Spotify rep said:
Spotify’s integration with Facebook has always been about sharing and discovering music and podcasts. Spotify cannot read users’ private Facebook inbox messages across any of our current integrations. Previously, when users shared music from Spotify, they could add on text that was visible to Spotify. This has since been discontinued. We have no evidence that Spotify ever accessed users’ private Facebook messages.
The Royal Bank of Canada, also alleged to have been given carte blanche with messages, disputed it had that power. Even Yandex claims, according to the NYT report, it didn’t ask for or realize how much access Facebook had given it.
Take these denials with whatever amount of salt you please. But assuming there’s even a grain of truth to them, it implies Facebook preemptively handed a metaphorical keyring to large partner companies without even being asked to do so, in the interests of expanding its own network of information.
We already know, via the cache of internal documents dumped by British authorities earlier this month, that the company contemplated straight-up selling user data for years, so this should not come as a big surprise.