Device makers given Facebook data access
Some see firm’s partnership deals as circumventing ’11 consent decree
As Facebook sought to become the world’s dominant social media service, it struck agreements allowing phone and other device-makers access to vast amounts of its users’ personal information.
Facebook has reached data-sharing partnerships with at least 60 device-makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — during the past decade, company officials said.
But the partnerships, whose scope has not previously been reported, raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device-makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.
Facebook came under intensifying scrutiny by lawmakers and regulators after news reports in March that a political consulting firm, Cambridge Analytica, misused the private information of tens of millions of Facebook users.
In the furor that followed, Facebook’s leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users’ friends. But the company officials did not disclose that Facebook had exempted the makers of cellphones, tablets and other hardware from such restrictions.
In interviews, Facebook officials defended the data sharing as consistent with its privacy policies, the FTC agreement and pledges to users.
The company views its device partners as extensions of Facebook, serving its more than 2 billion users, the officials said.
“These partnerships work very differently from the way in which app developers use our platform,” said Ime Archibong, a Facebook vice president. Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of “the Facebook experience,” the officials said.
Some device partners can retrieve Facebook users’ relationship status, religion, political leaning and upcoming events, among other data. Tests by The Times showed that the partners requested and received data in the same way other third parties did.
Facebook’s view that the device-makers are not outsiders lets the partners go even further, The Times found: They can obtain data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties.
In interviews, several former Facebook software engineers and security experts said they were surprised at the ability to override sharing restrictions.
“It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission,” said Ashkan Soltani, a research and privacy consultant who formerly served as the FTC’s chief technologist.
The partnerships were briefly mentioned in documents submitted to German lawmakers investigating the social media giant’s privacy practices and released by Facebook in mid-May. But Facebook provided the lawmakers with the name of only one partner — BlackBerry, maker of the once-ubiquitous mobile device — and little information about how the agreements worked.
In interviews with The Times, Facebook identified other partners: Apple and Samsung, the world’s two biggest smartphone makers, and Amazon, which sells tablets.
The broad access Facebook provided to device-makers raises questions about its compliance with a 2011 consent decree with the FTC.
The decree barred Facebook from overriding users’ privacy settings without first getting explicit consent. That agreement stemmed from an investigation that found Facebook had allowed app developers and other third parties to collect personal details about users’ friends, even when those friends had asked that their information remain private.
After the Cambridge Analytica revelations, the FTC began an investigation into whether Facebook’s continued sharing of data after 2011 violated the decree, potentially exposing the company to fines.
Facebook officials said the private data channels did not violate the decree because the company viewed its hardware partners as “service providers,” akin to a cloud computing service paid to store Facebook data or a company contracted to process credit card transactions.
According to the consent decree, Facebook does not need to seek additional permission to share friend data with service providers.
But Jessica Rich, a former FTC official who helped lead the commission’s earlier Facebook investigation, disagreed with that assessment.
“Under Facebook’s interpretation, the exception swallows the rule,” said Rich, now with the Consumers Union. “They could argue that any sharing of data with third parties is part of the Facebook experience. And this is not at all how the public interpreted their 2014 announcement that they would limit third-party app access to friend data.”