Facebook Caps Off 2018 With Yet Another Massive Privacy Scandal [Updated]

This has been a terrible 2018 for Facebook so far, from numerous revelations about its shady privacy practices and high-profile political spats to admissions it helped enable genocide. With 13 days left in the year, it’s still getting worse. Much worse.

According to a bombshell report in the New York Times on Wednesday, Facebook’s behind-the-scenes efforts to give select corporate partners access to user data have been far more expansive than previously reported, including allowing certain third-party companies access to user contact lists and access to users’ private messages.

Yes, that’s right, Facebook gave Netflix and Spotify the ability to read users’ messages, and other tech giants including Microsoft, Amazon, and Sony access to data on users’ friends, according to hundreds of internal documents obtained by the paper and interviews with dozens of “former employees of Facebook and its corporate partners.” The Times writes:

The social network allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

Facebook permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier…. As of 2017, Sony, Microsoft, Amazon and others could obtain users’ email addresses through their friends.

A third company, the Royal Bank of Canada, was also listed in the documents as having access to messages.

Spotify, Netflix, and the Royal Bank of Canada have all denied knowing the full extent to which Facebook reportedly granted them access to private user data.

Tech giant Apple, the Times wrote, is listed in the documents as having been granted the ability to “hide from Facebook users all indicators that its devices were asking for data,” as well as access to contacts and calendar entries regardless of whether users had enabled sharing. Apple told the paper it was not aware of any special access rights and that the data in question never left devices.

According to the Times report, approximately 150 companies were included in the special arrangements, “most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organisations”—and those companies’ apps reportedly collectively requested data on hundreds of millions of Facebook users a month. Some of the deals date as far back as 2010, the Times added, and were all active in 2017, with some extending to 2018. About a dozen of them raise privacy concerns beyond the guise of anonymized data-sharing.

The extent of the deals calls into question Facebook’s compliance with a 2011 agreement with the Federal Trade Commission not to share user data without getting explicit consent—something that’s already come up in relation to the company’s Cambridge Analytica data-sharing scandal and could trigger massive fines.

CEO Mark Zuckerberg told the House Committee on Energy and Commerce earlier this year that users “have complete control” over their data via the platform’s privacy settings, yet the data-sharing arrangements allowed some companies access to the data regardless of user settings, the Times wrote. The report also indicates that Facebook staff zeroed in on a service provider exemption in the FTC deal, claiming that an increasing array of firms that had little in common with each other were “integration partners” permitted under the arrangement.

The point of various agreements with third parties was, reportedly, to integrate Facebook into services and platforms all across the web—and in exchange, Facebook got even more data like contacts from the partners, which helped it build out functions like its People You May Know tool and helped fuel engagement with its platform. In some cases, the Times added, Facebook admitted that it left data-sharing functionality turned on long after the deals themselves had faded into the past, and it seems to have made some questionable decisions about their choice of partners.

According to the Times, records show that the company even shared unique user IDs with Yandex, a Russian search company, after it had terminated sharing that data with other firms due to security risks:

A spokeswoman for Yandex, which was accused last year by Ukraine’s security service of funelling its user data to the Kremlin, said the company was unaware of the access and did not know why Facebook had allowed it to continue. She added that the Ukrainian allegations “have no merit.”

A Facebook spokesperson told the paper that the company had no reason to suspect any of the partner companies abused their privileges. (Never mind that Facebook disclosed earlier this year that an FTC-ordered review of its privacy practices in 2013 found only “limited evidence” it monitors partners for potential misuse of data.) The Times wrote that Spotify and Netflix spokespeople told them they weren’t even aware they could view private messages, while the Royal Bank of Canada issued a flat denial it ever had that power.

Another representative, Facebook’s director of privacy and public policy, Steve Satterfield, rolled off a now-familiar script about how the company still has “work to do to regain people’s trust” in an interview with the Times. He also asserted that many of the arrangements did not violate the FTC deal, due to their mumbo-jumbo reading of the service provider exemption:

Still, Facebook executives have acknowledged missteps over the past year. “We know we’ve got work to do to regain people’s trust,” Mr. Satterfield said. “Protecting people’s information requires stronger teams, better technology and clearer policies, and that’s where we’ve been focused for most of 2018.” He said that the partnerships were “one area of focus” and that Facebook was in the process of winding many of them down.

… With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself—service providers that allowed users to interact with their Facebook friends. The partners were prohibited from using the personal information for other purposes, he said. “Facebook’s partners don’t get to ignore people’s privacy settings.”

Experts interviewed by the Times mostly appeared to view that explanation incredulously, with former FTC consumer protection bureau chief David Vladeck saying, “This is just giving third parties permission to harvest data without you being informed of it or giving consent to it.”

Update 9:40am: A Netflix spokesperson provided the following statement to Gizmodo Australia:

“Over the years we have tried various ways to make Netflix more social. One example of this was a feature we launched in 2014 that enabled members to recommend TV shows and movies to their Facebook friends via Messenger or Netflix. It was never that popular so we shut the feature down in 2015. At no time did we access people’s private messages on Facebook, or ask for the ability to do so.”

[New York Times]