Facebook Gave Device Makers Deep Access to Data on Users and Friends
June 3, 2018
By GABRIEL J.X. DANCE, NICHOLAS CONFESSORE and MICHAEL LaFORGIA, New York Times
As Facebook sought to become the world’s dominant social media service, it struck agreements allowing phone and other device-makers access to vast amounts of its users’ personal information.
Facebook has reached data-sharing partnerships with at least 60 device-makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — during the last decade, starting before Facebook apps were widely available on smartphones, company officials said. The deals, most of which remain in effect, allowed Facebook to expand its reach and let device-makers offer customers popular features of the social network, such as messaging, “like” buttons and address books.
But the partnerships, whose scope has not previously been reported, raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device-makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.
Facebook came under intensifying scrutiny by lawmakers and regulators after news reports in March that a political consulting firm, Cambridge Analytica, misused the private information of tens of millions of Facebook users. In the furor that followed, Facebook’s leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users’ friends. But the company officials did not disclose that Facebook had exempted the makers of cellphones, tablets and other hardware from such restrictions.
“You might think that Facebook or the device manufacturer is trustworthy,” said Serge Egelman, a privacy researcher at the University of California, Berkeley, who studies the security of mobile apps. “But the problem is that as more and more data is collected on the device — and if it can be accessed by apps on the device — it creates serious privacy and security risks.”
In interviews, Facebook officials defended the data sharing as consistent with its privacy policies, the FTC agreement and pledges to users. They said its partnerships were governed by contracts that strictly limited use of the data, including any stored on partners’ servers. The officials added that they knew of no cases where the information had been misused.
The company views its device partners as extensions of Facebook, serving its more than 2 billion users, the officials said.
Some device partners can retrieve Facebook users’ relationship status, religion, political leaning and upcoming events, among other data. Tests by The Times showed that the partners requested and received data in the same way other third parties did.
In interviews, several former Facebook software engineers and security experts said they were surprised at the ability to override sharing restrictions.
Details of Facebook’s partnerships have emerged amid a reckoning in Silicon Valley over the volume of personal information collected on the internet and monetized by the tech industry. The pervasive collection of data, while largely unregulated in the United States, has come under growing criticism from elected officials at home and overseas and provoked concern among consumers about how freely their information is shared.
But the device partnerships provoked discussion even within Facebook as early as 2012, according to Sandy Parakilas, who led Facebook’s third-party advertising and privacy compliance department at the time. “This was flagged internally as a privacy issue,” said Parakilas, who left Facebook that year and has recently emerged as a harsh critic of the company. “It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.”
The partnerships were briefly mentioned in documents submitted to German lawmakers investigating the social media giant’s privacy practices and released by Facebook in mid-May. But Facebook provided the lawmakers with the name of only one partner — BlackBerry, maker of the once-ubiquitous mobile device — and little information about how the agreements worked.
The submission followed testimony by Joel Kaplan, Facebook’s vice president for global public policy, during a closed-door German parliamentary hearing in April. Elisabeth Winkelmeier-Becker, one of the lawmakers who questioned Kaplan, said in an interview that she believed the data partnerships disclosed by Facebook violated users’ privacy rights.
In interviews with The Times, Facebook identified other partners: Apple and Samsung, the world’s two biggest smartphone makers, and Amazon, which sells tablets. An Apple spokesman said the company relied on private access to Facebook data for features that enabled users to post photos to the social network without opening the Facebook app, among other things. Apple said its phones no longer had such access to Facebook as of last September.
Samsung declined to respond to questions about whether it had any data-sharing partnerships with Facebook. Amazon also declined to respond to questions. Usher Lieberman, a BlackBerry spokesman, said in a statement that the company used Facebook data only to give its own customers access to their Facebook networks and messages. Lieberman said that the company “did not collect or mine the Facebook data of our customers,” adding that “BlackBerry has always been in the business of protecting, not monetizing, customer data.”
Microsoft entered a partnership with Facebook in 2008 that allowed Microsoft-powered devices to do things like add contacts and friends and receive notifications, according to a spokesman. He added that the data was stored locally on the phone and was not synced to Microsoft’s servers.
“I am dumbfounded by the attitude that anybody in Facebook’s corporate office would think allowing third parties access to data would be a good idea,” said Henning Schulzrinne, a computer science professor at Columbia University who specializes in network security and mobile systems.
Those developers relied on Facebook’s public data channels, known as application programming interfaces, or APIs. But starting in 2007, the company also established private data channels for device manufacturers. At the time, mobile phones were less powerful, and relatively few of them could run stand-alone Facebook apps like those now common on smartphones. The company continued to build new private APIs for device-makers through 2014, spreading user data through tens of millions of mobile devices, game consoles, televisions and other systems outside Facebook’s direct control.
Facebook began moving to wind down the partnerships in April, after assessing its privacy and data practices in the wake of the Cambridge Analytica scandal. Archibong said the company had concluded that the partnerships were no longer needed to serve Facebook users. About 22 of them have been shut down.
The decree barred Facebook from overriding users’ privacy settings without first getting explicit consent. That agreement stemmed from an investigation that found Facebook had allowed app developers and other third parties to collect personal details about users’ friends, even when those friends had asked that their information remain private.
Facebook officials said the private data channels did not violate the decree because the company viewed its hardware partners as “service providers,” akin to a cloud computing service paid to store Facebook data or a company contracted to process credit card transactions. According to the consent decree, Facebook does not need to seek additional permission to share friend data with service providers.
But Jessica Rich, a former FTC official who helped lead the commission’s earlier Facebook investigation, disagreed with that assessment.
Immediately after the reporter connected the device to his Facebook account, it requested some of his profile data, including user ID, name, picture, “about” information, location, email and cellphone number. The device then retrieved the reporter’s private messages and the responses to them, along with the name and user ID of each person with whom he was communicating.
The Hub also requested — and received — data that Facebook’s policy appears to prohibit. Since 2015, Facebook has said that apps can request only the names of friends using the same app. But the BlackBerry app had access to all of the reporter’s Facebook friends and, for most of them, returned information such as user ID, birthday, work and education history and whether they were currently online.
In all, Facebook empowers BlackBerry devices to access more than 50 types of information about users and their friends, The Times found.