Facebook has been caught on the back foot again over its data privacy practices, following an investigation by the New York Times.
The newspaper has disclosed fresh details about ways the social network shared access to users’ data with other tech firms, including Amazon, Apple, Microsoft, Netflix, Spotify and Yandex.
In some cases, the other companies have said they were not even aware they had special access.
Facebook has defended its behaviour.
It said it never gave others access to personal data without people’s permission and had seen no evidence that the data had been misused.
However, it has acknowledged again that it should have prevented third parties being able to tap into users’ data, after publicly announcing that it had ended the privilege for security reasons.
Examples given by the NYT include allowing others’ products the ability to read users’ private messages and to see the names, contact details and activities of their friends.
Facebook’s handling of the matter has drawn criticism, including tweets from its own former chief security officer Alex Stamos, who has called on it to disclose more details about what special access it provided to whom.
The latest revelations follow a series of scandals including the Cambridge Analytica data harvest, incitement to violence in Myanmar, also known as Burma, evidence of Russian and Iranian meddling in the US elections, and several data-exposing bugs.
These have undermined public confidence in Facebook, led to calls for new regulations and prompted demands for a leadership rethink.
“We have to seriously challenge the claim by Facebook that they are not selling user data,” commented Damian Collins MP, chair of the UK Parliament’s Digital, Culture, Media and Sport Committee.
“They may not be letting people take it away by the bucket load, but they do reward companies with access to data that others are denied, if they place a high value on the business they do together. This is just another form of selling.”
The Irish Data Protection Commission, which takes the lead on Facebook in the EU, has issued a brief statement: “We are aware of the media reporting from earlier today. We are currently assessing what next steps, if any, are required.”
Analysis: Dave Lee, North America technology reporter
Facebook, as ever, thinks it’s being unfairly picked on. Indeed, as recently as this week, former security boss Alex Stamos described the Cambridge Analytica scandal as an overreaction.
With its statement on Wednesday, Facebook took the same tone it has since this whole mess began in March: users gave consent, everybody knew, nothing to see here.
For added cheekiness, its statement linked to a piece in the New York Times from 2010 that seemed to reference at least one of the features revealed in this latest investigation.
But what Facebook underestimates, continually, is the extent to which this year has produced a “data-awakening” among the general public, and how now is the time for the company to lay it all out on the table.
If I was a Facebook employee, or shareholder, I’d be telling Mark Zuckerberg: “It’s time to be completely open about who has or had access to data.”
That’s the only way to stop 2019 being like 2018: a drip-drip of headlines that have eroded Facebook’s reputation, perhaps irreparably.
Who got what?
The NYT bases its analysis on hundreds of pages of documents and dozens of interviews, the full details of which it has not shared.
In total, it said the social network had special arrangements with more than 150 companies to share its members’ personal data. Most of these, it said, were other tech firms, but the list also included online retailers, car-makers and media organisations, including the NYT itself, among others.
Of the examples given it reported:
- Microsoft’s Bing search engine was able to see the names of “virtually all” Facebook users’ friends without those friends’ consent in order to personalise the results it showed
- The music-streaming service Pandora and film review platform Rotten Tomatoes also had access to friends’ information in order to customise their results
- Apple devices could access the contact numbers and calendar entries of users even if they had disabled all sharing in their Facebook settings. Moreover, it said Apple’s devices did not need to alert users to the fact they were seeking data from Facebook
- Netflix, Spotify and the Royal Bank of Canada were able to read, write and delete users’ private messages and see all participants on a chat thread
- Russian search provider Yandex was allowed to index users’ identities from public pages and posts to improve its search results after Facebook stopped other applicants from continuing the activity
- Yahoo could view live feeds of friends’ posts
- Sony, Microsoft and Amazon could access members’ email addresses via their friends
- Blackberry and Huawei were among companies that could pull Facebook’s data to power their own social media apps
Facebook has long maintained that it does not sell its users’ data.
But the NYT said that one of the arrangements it struck was to get contact lists from Amazon, Yahoo and Huawei, which it used to run its own People You May Know facility.
The feature suggests more acquaintances users might want to add to their friends, which helps increase engagement.
What is Facebook’s response?
The firm distinguishes between two different types of relationships it formed.
The first type it calls “integration partnerships”. It defines these as arrangements that allowed others to offer Facebook’s features outside of its own app or website.
Facebook actually provided a long list of such partners to Congress in July.
It said the arrangement made it possible for other companies to do things like consolidate posts from Facebook, Twitter and other social media providers in a single app, or provide alerts from a range of services via a web browser.
But it noted that to do this, its members had to have signed into their Facebook accounts to give permission. It added that “nearly all” of these partnerships had been shut down in recent months.
Facebook refers to the second type of arrangements as being “instant personalisation”.
It said these allowed other apps to see Facebook’s private messages so that, for example you could send a song recommendation to a friend without having to leave Spotify’s app.
It added that users’ public information was also shared so that, for example, you could see what TV shows your friends had watched within Netflix.
Facebook said that for the most part, it ended its personalisation partnerships in 2014, but continued in some select cases into 2017.
It acknowledged, however, that it had not always withdrawn the application programming interfaces (APIs) that allowed others to tap into its data, as it should have.
“We’re in the midst of reviewing all our APIs and the partners who can access them,” it concluded.
What have the other firms said?
Microsoft has issued a brief statement saying: “Throughout our engagement with Facebook, we respected all user preferences.”
The BBC understands it ended its Bing contract with Facebook in February 2016, and the social network’s data stopped appearing in its search results at that point.
Netflix has said that it stopped taking advantage of its ability to recommend content to members’ Facebook friends in 2015 as the service had not been popular.
“At no time did we access people’s private messages on Facebook or ask for the ability to do so,” it added.
Spotify had indicated it was unaware of the degree of access Facebook had provided to it. Apple has also said that it was also not aware of its devices being granted special access.
Yahoo said it only tapped into Facebook’s data once users had opted in, and did not do so for advertising purposes.
Yandex has said its arrangement was limited to users in Russia, Turkey, Ukraine, Belarus, Kazakhstan and other Commonwealth of Independent States (CIS) countries, and added that it stopped receiving Facebook’s data in 2015.
Why does this matter?
Part of the issue is that Facebook promised a US regulator – the Federal Trade Commission (FTC) – in 2011 that it would not share user data without explicit consent.
Facebook insists it has not breached that pledge, but some privacy experts suggest otherwise.
“Time and again Facebook has been unable to clearly and in plain language explain to people how the company is collecting, storing, sharing, and retaining people’s data,” a spokeswoman for Privacy International told the BBC.
“The sheer scope of the Facebook scandals in 2018 alone is mind-boggling and shows that data exploitation is a rampant and systemic.”
The other risk is that the more negative stories there are in the press, the more likely users are to quit Facebook and its other apps – including Instagram and WhatsApp – or at least stop sharing personal information with them.