An explosive report from The New York Times is getting heavy pushback from Facebook’s PR team.
After months of scandal in the wake of revelations that Cambridge Analytica exploited the Facebook platform to access millions of users’ records without their consent, the social media company spotlighted its privacy protocols and promised to shutter many of its current data collection habits.
As part of its defense, the company asserted that, since 2015, it has not allowed third parties to access user data without users’ consent. However, it appears that device makers were exempted from these more stringent policies, leaving the public to speculate about Facebook’s honesty and how safe its data gathering truly is.
Facebook has reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said. The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.
But the partnerships, whose scope has not previously been reported, raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders.
Facebook is defending the agreements with device-makers as shortcuts for developing “bespoke Facebook experiences.”
The New York Times has today written a long piece about our device-integrated APIs — software we launched 10 years ago to help get Facebook onto mobile devices. While we agreed with many of their past concerns about the controls over Facebook information shared with third-party app developers, we disagree with the issues they’ve raised about these APIs. Here’s why.
In the early days of mobile, the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system. It’s hard to remember now but back then there were no app stores. So companies like Facebook, Google, Twitter and YouTube had to work directly with operating system and device manufacturers to get their products into people’s hands. This took a lot of time — and Facebook was not able to get to everyone.
To bridge this gap, we built a set of device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems. Over the last decade, around 60 companies have used them — including many household names such as Amazon, Apple, Blackberry, HTC, Microsoft and Samsung.
However, The Times isn’t ready to accept Facebook’s explanation.
Some device partners can retrieve Facebook users’ relationship status, religion, political leaning and upcoming events, among other data. Tests by The Times showed that the partners requested and received data in the same way other third parties did.
Facebook’s view that the device makers are not outsiders lets the partners go even further, The Times found: They can obtain data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties.
Other outside critics also have a bone to pick with Facebook’s explanation.
A former Facebook employee who led third-party ad and privacy compliance, Sandy Parakilas, noted that the program was controversial even within Facebook. “This was flagged internally as a privacy issue,” he said. “It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.”
The issue has also caught the attention of the US government. “Sure looks like Zuckerberg lied to Congress about whether users have ‘complete control’ over who sees our data on Facebook,” tweeted David Cicilline, a Democratic congressman from Rhode Island and consumer privacy advocate. “This needs to be investigated and the people responsible need to be held accountable.”
Observers noted the scope of this latest scandal for Facebook as it tries to rebuild public trust and abide by new data-security laws.
It’s potentially a very big problem for Facebook.
Firstly, it may violate the “consent decree” deal that Facebook struck with the FTC in 2011. That settlement followed complaints from users that Facebook wasn’t allowing them to keep their information on the social network private—Facebook promised to get consent from users before sharing their data with third parties, and to avoid making deceptive claims about its privacy practices.
The Cambridge Analytica scandal already led the FTC to investigate whether Facebook broke this settlement. Now this new scandal could add fuel to the fire, as the data being shared with device manufacturers includes information that people set to private.
[…] There’s one extra issue to worry about here: the European Union’s General Data Protection Regulation (GDPR). It only came into force around 10 days ago, but if Facebook is still sharing people’s data without their consent—especially sensitive personal data about things like religious beliefs—then it could be in big trouble in the EU. The company has already been the subject of GDPR privacy complaints, despite the new legal regime’s tender age.
Some are beginning to poke holes in Facebook’s previous statements to reporters after the Cambridge Analytica debacle.
Sheryl Sandberg on @NPR, April 5:
Q. Were there other firms… who used data in the same way that Cambridge Analytica did?
A. We don’t know.. we’re doing… an audit.
Now NYT says FB was “winding down” other data deals in April.
— Steve Inskeep (@NPRinskeep) June 4, 2018
So #Zuckerberg was not totally honest when he said: “Everything that you share on FB you own. You have complete control over who sees it & how you share it.” This limitless data sharing of users has to stop. People have the right to have some privacy. https://t.co/zqMdhO5I0p
— Guy Verhofstadt (@guyverhofstadt) June 4, 2018
Others are sharing their Facebook fatigue:
I’m sooooooooo over Facebook… https://t.co/KBJZ6SIQgd
— Charles M. Blow (@CharlesMBlow) June 4, 2018
Some aren’t buying Facebook’s apology this time:
So if a Facebook friend of yours had the Facebook app on *their* phone, Facebook shared *YOUR* private data with device-makers, even if you had somehow managed to turn off third-party sharing.
— zeynep tufekci (@zeynep) June 4, 2018
Many are calling for an investigation:
Sure looks like Zuckerberg lied to Congress about whether users have “complete control” over who sees our data on Facebook. This needs to be investigated and the people responsible need to be held accountable. https://t.co/rshBsxy32G
— David Cicilline (@davidcicilline) June 4, 2018
What do you think of Facebook’s response?