Facebook at it again: Netflix, Spotify could read and delete private messages, Microsoft had access to users' friends without their consent

Facebook has been giving some of the world's largest technology companies - more than 150 of them, far more intrusive access to users' personal data than it has ever disclosed according to an investigation by the New York Times. The Times interviewed over 60 people including current and former employees of Facebook and its partners, former government officials and privacy advocates - and reviewed over 270 pages of Facebook's internal documents while performing technical tests and analysis to monitor what data Facebook has been handing out like candy.

The records, generated in 2017 by the company's internal system for tracking partnerships, provide the most complete picture yet of the social network's data-sharing practices. They also underscore how personal data has become the most prized commodity of the digital age, traded on a vast scale by some of the most powerful companies in Silicon Valley and beyond. -NYT

The discovery goes far beyond the Cambridge Analytica data harvesting scandal in which basic data was collected on up to 87 million users through a lifestyle survey app. Thanks to the United States having no general consumer privacy law, up to 400 million people's private information was freely shared with the likes of Google, Microsoft, Netflix, Spotify and other partners - and they didn't sell it; Facebook gave everyone's information away for free throughout the tech community in order to foster industry relationships and advance their own interests.

The exchange was intended to benefit everyone. Pushing for explosive growth, Facebook got more users, lifting its advertising revenue. Partner companies acquired features to make their products more attractive. Facebook users connected with friends across different devices and websites. But Facebook also assumed extraordinary power over the personal information of its 2.2 billion users - control it has wielded with little transparency or outside oversight. -NYT

The company allowed Microsoft's Bing search engine to see the names of virtually all Facebook users' friends without their consent.

Netflix and Spotify were given the ability to read and delete Facebook users' private messages.

Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users' private messages, and to see all participants on a thread - privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show. -NYT

Both Netflix and Spotify claim they had no idea they had such broad capabilities, while a Royal Bank of Canada spokesman denied that the bank had any such access.

Amazon was granted access to users' names and contact information through their friends, while Yahoo! was able to view streams of friends' posts as recently as this summer despite Facebook promising that it had stopped this type of sharing years earlier.

What's more? China's Huawei and Russian search giant Yandex - accused last year by Ukraine of funneling user data to the Kremlin - had access to Facebook's unique user IDs.

Facebook records show Yandex had access in 2017 to Facebook's unique user IDs even after the social network stopped sharing them with other applications, citing privacy risks. A spokeswoman for Yandex, which was accused last year by Ukraine's security service of funneling its user data to the Kremlin, said the company was unaware of the access and did not know why Facebook had allowed it to continue. She added that the Ukrainian allegations "have no merit." -NYT

In April, reeling from the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg promised lawmakers that people "have complete control" over their information on Facebook. Except it looks like certain "partners" were able to access user data anyway.

In all, the deals described in the documents benefited more than 150 companies - most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year. -NYT

Facebook was able to circumvent a 2011 consent agreement with the Federal Trade Commission (FTC) which barred the company from sharing user data without explicit permission, because Facebook considered the partners extensions of itself - "service providers that allowed users to interact with their Facebook friends." This allowed the company to grant such unprecedented access to everyone's information. The partners were reportedly prohibited from using the personal information from purposes outside the scope of their agreement, however there has been little to no oversight.

According to Facebook, most of its data partnerships fall under an exemption to the F.T.C. agreement. The company argues that the partner companies are service providers - companies that use the data only "for and at the direction of" Facebook and function as an extension of the social network.

...

Pam Dixon, executive director of the World Privacy Forum, a nonprofit privacy research group, said that Facebook would have little power over what happens to users' information after sharing it broadly. "It travels," Ms. Dixon said. "It could be customized. It could be fed into an algorithm and decisions could be made about you based on that data." -NYT

"This is just giving third parties permission to harvest data without you being informed of it or giving consent to it," said former FTC consumer protection bureau chief David Vladeck. "I don't understand how this unconsented-to data harvesting can at all be justified under the consent decree."

"I don't believe it is legitimate to enter into data-sharing partnerships where there is not prior informed consent from the user," said Roger McNamee, an early investor in Facebook. "No one should trust Facebook until they change their business model." -NYT

Facebook began forming data partnerships as a relatively young company, as Zuckerberg and crew sought to deeply integrate the social media network into other sites and platforms in order to stay relevant and stoke growth. Each corporate partner that used Facebook data helped drive the company's expansion by onboarding new users, which drove up advertising revenue. At the same time, Facebook was collecting data from its partners on users as well.

According to two mid-level employees, Facebook had entered into so many partnerships by 2013 that it could hardly keep track of them. In order to manage the agreements, a tool was built which turned the special data access on and off, while also keeping records on what were internally referred to as "capabilities," or the level of special privileges which allowed companies to obtain data.

Among the revelations was that Facebook obtained data from multiple partners for a controversial friend-suggestion tool called "People You May Know."

The feature, introduced in 2008, continues even though some Facebook users have objected to it, unsettled by its knowledge of their real-world relationships. Gizmodo and other news outlets have reported cases of the tool's recommending friend connections between patients of the same psychiatrist, estranged family members, and a harasser and his victim.

Facebook, in turn, used contact lists from the partners, including Amazon, Yahoo and the Chinese company Huawei - which has been flagged as a security threat by American intelligence officials - to gain deeper insight into people's relationships and suggest more connections, the records show. -NYT

Some of the data shared was limited to non-identifying information with research firms, however agreements with around a dozen companies raised several privacy concerns - including companies which had the ability to see users' contact information through their Facebook friends, even after the company said in 2014 that it had stripped all applications of that ability.

As of 2017, Sony, Microsoft, Amazon and others could obtain users' email addresses through their friends. -NYT

In 2011, Facebook was investigated by the FTC over what they called "instant personalization," by which the company changed the privacy settings of their 400 million users in 2009 to make their information available to all of the internet, before sharing that information "including users' locations and religious and political leanings with Microsoft and other partners."

The FTC called the privacy changes a "deceptive practice," after which Facebook stopped mentioning the instant personalization feature in public, and entered the consent agreement with the federal agency.

Under the decree, the social network introduced a "comprehensive privacy program" charged with reviewing new products and features. It was initially overseen by two chief privacy officers, their lofty title an apparent sign of Facebook's commitment. The company also hired PricewaterhouseCoopers to assess its privacy practices every two years.

But the privacy program faced some internal resistance from the start, according to four former Facebook employees with direct knowledge of the company's efforts. Some engineers and executives, they said, considered the privacy reviews an impediment to quick innovation and growth. And the core team responsible for coordinating the reviews - numbering about a dozen people by 2016 - was moved around within Facebook's sprawling organization, sending mixed signals about how seriously the company took it, the ex-employees said. -NYT

Of note, many of Facebook's data sharing partnerships were not subject to privacy program reviews according to two former employees. Executives simply trusted that their partners would adhere to Facebook's data policies, while company officials say that the level of review "depended on the specific partnership and the time it was created."

In 2014, Facebook ended instant personalization and walled off access to friends' information. But in a previously unreported agreement, the social network's engineers continued allowing Bing; Pandora, the music streaming service; and Rotten Tomatoes, the movie and television review site, access to much of the data they had gotten for the discontinued feature. Bing had access to the information through last year, the records show, and the two other companies did as of late summer, according to tests by The Times. -NYT

Both Pandora and Rotten Tomatoes also claim they had no idea they had such vast information at their fingertips. Microsoft, meanwhile, says that Bing used the data to build profiles of Facebook users for "feature development" within Microsoft services, and not for advertising. The company says it has since deleted the data.

Facebook claims that the data sharing didn't violate users' privacy because it only allowed access to public data (including private messages?). Others have called into question whether or not the FTC is even doing its job.

"There has been an endless barrage of how Facebook has ignored users' privacy settings, and we truly believed that in 2011 we had solved this problem," said Marc Rotenberg - head of the Electronic Privacy Information Center which filed one of the first privacy complaints against Facebook. "We brought Facebook under the regulatory authority of the F.T.C. after a tremendous amount of work. The F.T.C. has failed to act."