When he stood before Congress in April, following yet another scandal at Facebook, Mark Zuckerberg declared ‘We don’t sell data to anyone’.
That may technically be the case, but a new New York Times expose has revealed that Facebook gave 150 companies access to hundreds of millions of users’ data without their knowledge or consent.
Records obtained by the Times reveal that the amount of data Cambridge Analytica received from a Facebook app paled in comparison to the access that was granted to the social media giant’s biggest partners, including Amazon, Spotify, and Netflix.
Facebook gave Netflix, Spotify, and the Royal Bank of Canada the ability to read, write, and delete Facebook users’ private messages and to see all participants on a thread, according to the internal records.
It also allowed Microsoft’s search engine, known as Bing, to see the name of all Facebook users’ friends without their consent.
Amazon was allowed to obtain users’ names and contact information through their friends, and Yahoo could view streams of friends’ posts.
As of last year, Sony, Microsoft, and Amazon could all obtain users’ email addresses through their friends.
Facebook never received monetary payment for this kind of access, which was permitted even if its users had disabled all data sharing on their profile.
It has argued that these major companies were merely acting as an extension of Facebook, which is why any information that a user shared with friends on the site could be shared with the companies without their consent.
And Facebook denied on Tuesday night that these companies misused users’ data, although it did not touch on the Times’ revelation of just how much data their partners were given access to in the first place.
‘Facebook’s partners don’t get to ignore people’s privacy settings, and it’s wrong to suggest that they do,’ Steve Satterfield, the site’s director of privacy and public policy, said in a statement.
Satterfield also told the Times that none of Facebook’s partners had violated users’ privacy or Facebook’s 2011 Consent Agreement with the Federal Trade Commission, in which it promised that Facebook users would need to give permission before their data could be shared with other companies.
But Facebook struck data sharing deals with a number of major companies – deals that helped bring in new users and, as a result, drove up its advertising revenue.
Facebook’s ‘People You May Know’, a friend suggestion tool on the site, was one such feature in which the social media giant utilized data acquired by its partners.
The tool has been controversial since it was introduced in 2008, sometimes suggesting connections between estranged family members or even a victim and their harasser.
Facebook’s business partners were exempted from the site’s usual privacy rules through the deals, according to internal records.
The deals – made with tech businesses, online retailers, automakers, entertainment sites, and media organizations – date back to 2020 and all were still active in 2017.
Some still remained in effect this year, as the Cambridge Analytica scandal plagued Facebook and raised numerous concerns about how it was handling its users’ data.
Following the controversy, Zuckerberg told Congress in April that Facebook users now ‘have complete control’ over everything they share on the site.
But an extensive investigation by the Times has revealed that wasn’t the case as it interviewed more than 50 former Facebook employees and government officials and reviewed more than 270 pages of the company’s internal documents.
The Times also performed a number of technical tests to determine exactly what information was being passed between Facebook to its partner websites.
Facebook made deals with over 60 makers of smartphones, including Apple.
Records show that Apple devices could access users’ contact numbers and calendar entries, even if those same users had disabled all sharing.
Apple was also given the ability to hide the fact that its devices were asking for data from Facebook’s users.
And Yandex, a Russian social media company accused of having ties to the Kremlin, could access Facebook users’ unique IDs as recently as 2017 – despite the fact that Facebook had stopped sharing them with other applications for years due to security concerns.
Facebook began dabbling in data sharing in 2009, suddenly making some of the information of 400 million of its users available to all of the World Wide Web.
It also began sharing information about its users, including their locations and religion, to partners such as Microsoft.
Facebook claimed this practice – which it dubbed ‘instant personalization’ – would help customize the internet to people’s preferences and make the online world a more enjoyable and personal experience for everyone.
But the FTC soon caught wind of what Facebook was doing and found that the social media giant had defied promises to keep its users’ information private.
Facebook entered into the consent agreement with the FTC, even hiring chief privacy officers and auditor Privewaterhouse Coopers to oversee its practices.
But still, records show, the deals that Facebook had made with major companies persisted. Some were even vetted by Zuckerberg and COO Sheryl Sandberg.
Two years after the consent agreement, Facebook had agreed to so many partnerships that a tool was built to turn this special access on and off.
Former employees revealed that the same privacy team touted to the FTC only had a limited ability to review these data-sharing partnerships.
Facebook has claimed that most of these data partnerships were exempted from the FTC agreement because they were only working ‘for and at the direction of’ the social media site.
But that claim has been disputed by a number of former FTC officials.
‘The only common theme is that they are partnerships that would benefit the company in terms of development or growth in an area that they otherwise could not get access to,’ said former FTC chief technologist Ashkan Soltani.
‘This is just giving third parties permission to harvest data without you being informed of it or giving consent to it,’ added David Vladeck, who ran the FTC consumer protection bureau.
‘I don’t understand how this unconsented-to data harvesting can at all be justified under the consent decree.’
The shocking expose comes as it was revealed that Zuckerberg has lost almost a quarter of his net worth following a year of scandals at the site.
Meanwhile, Sandberg has been doing damage control this week after a Senate Intelligence Committee report revealed that Russian-backed actors targeted African-American Facebook users in an attempt to influence the 2016 presidential election.
‘Facebook is committed to working with leading US civil rights organizations to strengthen and advance civil rights on our service. They’ve raised a number of important concerns, and I’m grateful for their candor and guidance,’ Sandberg said on Tuesday.
‘We know that we need to do more: to listen, look deeper and take action to respect fundamental rights.’