Facebook doesn’t seem to be learning much from its growing list of data-oriented scandals. Instead of responding by revamping its business practices, the social network appears to keep telling its 2.27 billion active monthly users, “Hold my beer!”
It’s not exactly reassuring. The latest revelation: The company shared user data, including Facebook Messenger chat logs, with a select group of some of the world’s largest tech companies. Account data from about 400 million U.S. users, segmented off from European users and the continent’s stricter privacy laws, might have been shared.
For an investigative report it published Tuesday, The New York Times interviewed more than 60 people and reviewed more than 270 pages of internal Facebook documents it had obtained that indicate tech powerhouses such as Microsoft, Amazon.com, Huawei, Yahoo, Sony, Netflix, and Spotify had access to private Facebook user data, apparently without consent from users and possibly in violation of a 2011 consent agreement with the Federal Trade Commission.
The revelation spurred Sen. Ron Wyden (D-Ore.) to excoriate Facebook and its executive leaders in a column published by NBC on Thursday.
“Sheryl Sandberg personally told me that personal privacy is a matter of national security, and yet we now know that Facebook shared users’ personal information with Russian and Chinese telecom companies with strong links to their governments,” he wrote of the company’s chief operating officer and right-hand woman to CEO and founder Mark Zuckerberg.
Wyden contrasted Sandberg’s comments with the fact that two Facebook partners identified in the report are known to have strong ties to their governments. Russian search engine Yandex has been accused of sharing its user data with the Kremlin, and Chinese technology manufacturer Huawei, whose Chinese-government ties have concerned U.S. intelligence agencies for years, was accused on December 1 of covering up U.S. sanctions violations against Iran.
David Vladeck, former head of the FTC’s consumer protection bureau, echoed Wyden’s concerns in the Times story.
“This is just giving third parties permission to harvest data without you being informed of it or giving consent to it,” Vladeck said. “I don’t understand how this unconsented-to data harvesting can at all be justified under the consent decree.”
The Times reports that although Facebook did not outright sell its user data, the data-sharing agreements functioned as strategic partnerships. Facebook built special tools that can turn on or off access to user data. But once a partner had access, it often could access the data without further permission.
In exchange, Facebook learned more about its users’ social connections and how they interacted with other services Facebook didn’t control. Zuckerberg and Sandberg often personally approved these partnerships.
At least three partners, the Times reported, were given the capability to view, alter, and even delete private messages between users: “Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread—privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show.”
Some of those integrations might be as benign as allowing Gmail to work on iPhones, argues former Facebook security chief Alex Stamos.
“There very well could be serious privacy problems in the Times’ story, but it is hard to tell what is really problematic because they intentionally blur the lines between FB allowing 3rd party clients/OS integrations (like Apple) with data actually going to other companies,” he tweeted on Tuesday.
While the Times reporting indicates that third-party companies were given far greater access to Facebook user accounts than previously indicated, it does not make it fully clear which subsets of Facebook users—or even how many of them—were directly affected by the data sharing. It does make clear, however, that even if a partner was not given direct access to a user’s account, it might have obtained some level of access to it through one of that person’s Facebook friends.
Partner companies told the Times that they “appropriately” used the Facebook user data, while Facebook says its investigations turned up no abuse of data.
Security experts have long warned consumers who value their privacy to reconsider using Facebook, or at least how they use the service. It’s unclear whether consumers have gotten the memos or begun to take them seriously.
Despite recent scandals, including the revelation that the now-defunct political-consulting firm Cambridge Analytica used Facebook data to influence the 2016 U.S. presidential election, that millions of Facebook users’ photos were exposed to third-party app makers without permission, or that hackers stole 30 million detailed user records, Facebook’s growth shows no signs of slowing down. It has doubled its monthly active users over the past five years.
“I can’t be clearer on this topic: We don’t sell data. That’s not how advertising works,” Zuckerberg explained to members of Congress in an April hearing. But clearly, the company eagerly trades it.
Here’s what you need to know about the access Facebook gave tech companies, as reported by the Times.
- Microsoft: The company behind the Bing search engine can see the names of virtually all Facebook users’ friends without consent. As of 2017, it was allowed to acquire user email addresses through their friends.
- Netflix and Spotify: The media-streaming services were allowed to read, write, and delete private messages between Facebook users, and could see which users were involved in a group chat. Both companies deny knowing that they had these capabilities. Both claim to have not used them.
- Amazon: The online retailer was given access to users’ names and contact information through their friends, so that if Alice was Facebook friends with Bob, Amazon could see contact information for both of them, even if it wasn’t given direct access to Bob’s data.
- Sony: As of 2017, Sony, like Microsoft, could see and retain user email addresses through their friends.
- Yahoo: As recently as the summer of 2018, the embattled tech titan was allowed to view posts by a user’s friends—even though Facebook previously had said it stopped that type of sharing years ago.
- Yandex: As recently as 2017, Yandex had access to each Facebook user’s unique assigned identification number. Other companies no longer did. Yandex denied knowledge of the access.
- Huawei: Although Huawei is flagged in the story as a Facebook partner, it’s not clear to which specific Facebook user data the company was given access. The report alleges that Huawei used Facebook data to provide social-media features on its smartphones.
- Royal Bank of Canada: As with Spotify and Netflix, the financial institution could access private messages between users, read, write and delete them, and see who was part of a thread.
Early Facebook adviser and investor Roger McNamee told the Times that he did not approve of the direction the company has taken. “No one should trust Facebook until they change their business model,” he said.