Facebook gave access to data on users and their friends to 60 device makers

Facebook may have violated a settlement with the FTC and promises made to users, as well as lied to Congress over giving users complete control of their data.


Facebook allowed at least 60 device makers, including Apple, Microsoft, Samsung, and BlackBerry, to access not only users’ data but their friends’ data without obtaining consent. If the accusations — which Facebook denies — are true, then Facebook may have breached an agreement it made with the FTC in 2011, as well as a privacy pledge it made to users in 2014. Oh, and Zuck may even have lied to Congress.

According to a report by The New York Times, Facebook failed to obtain explicit consent before giving 60 device manufacturers access to the personal data of users and their friends. The partnerships with those companies allowed them to use Facebook features such as posting a photo, messaging, and “like” buttons without using the Facebook app. By integrating the social network’s functionality into device makers’ software, the companies could access personal data about users, their friends, and even friends of friends — even if those friends had denied Facebook permission to share information with third parties.

The Times tested it out on a reporter’s BlackBerry Hub app. After he logged into Facebook, the BlackBerry Hub app had access to detailed data on his 556 friends, including more than 50 types of information, such as their “birthday, work and education history,” as well as “relationship status, religious and political leanings and events they planned to attend.” The app could also access unique identifying information on 294,258 friends of his friends.

“The data of users’ friends could be accessed, despite data sharing being turned off,” the Times reported.

Ashkan Soltani, a former FTC chief technologist, told the Times, “It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission.”

Facebook acknowledged that some partners did store users’ data — including friends’ data — on their own servers. A Facebook official said that regardless of where the data was kept, it was governed by strict agreements between the companies.

Facebook rejects The New York Times' accusations

After the NYT piece, Facebook denied that it gave popular device makers “deep” access to users’ personal data, striking back in a blog post titled, “Why we disagree with The New York Times.”

Ime Archibong, vice president of Facebook Product Partnerships, wrote that 10 years ago, before mobile apps were commonplace, device makers used Facebook’s device-integrated APIs to recreate the Facebook experience.

“These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences. Partners could not integrate the user’s Facebook features with their devices without the user’s permission,” he said.

“Contrary to claims by The New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”

“Around 60 companies” used those APIs over the last decade, but Facebook said it has “ended 22 of these partnerships.” During the Cambridge Analytica scandal fallout in April, Facebook said it was “winding down access to device-integrated APIs.”

Nevertheless, it remains to be seen whether this Facebook practice ran afoul of the company’s 2011 settlement with the FTC.

Others, such as U.S. Rep. David Cicilline (D-R.I.), question whether Facebook CEO Mark Zuckerberg lied to Congress when he testified in March, saying, “Every piece of content that you share on Facebook you own. You have complete control over who sees it and how you share it.”

The Times had reported that this Facebook program with device makers was controversial even within Facebook. Sandy Parakilas, a former Facebook employee who oversaw third-party advertising and privacy compliance, said, “This was flagged internally as a privacy issue. It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.”
