Facebook Is Accused Of Giving Over 60 Device Makers Inappropriate Access To User Data

A report from The New York Times has accused Facebook of sharing inappropriate amounts of user data with device manufacturers like Apple, Microsoft, Samsung, and Blackberry.

Starting 10 years ago, Facebook began making deals with these companies to help them build Facebook apps for their phones and tablets, and to integrate Facebook functionality into their operating systems. (For example, letting users share photos with Facebook friends without directly visiting Facebook’s app or website.) In order for these integrations to function, Facebook gave these companies access to user data through so-called private APIs. The Times suggests that the level of access given to companies raises concerns about Facebook’s compliance with FTC privacy legislation. Facebook rejects this claim and says its deals were “tightly” controlled and above board.

The Times’ story includes one example of how these private APIs share data. Using a 2013 BlackBerry smartphone, a reporter used his Facebook account to log on to BlackBerry’s proprietary Hub software (which combines social network feeds with messaging and email). After this, BlackBerry’s software was able to retrieve not only data about the reporter’s 556 Facebook friends (including relationship statuses, religious, and political leanings), but also “identifying information” belonging to nearly 300,000 friends of the reporter’s friends.

The Times notes that this level of data sharing is against Facebook’s current privacy policy, which only allows third-party apps to request the names of users’ friends. The report says that Facebook made similar deals with “at least 60 device makers,” but it is not clear what level of data access was agreed on in each case.

Facebook’s core defense here is that these were necessary deals, and that when users logged onto device makers’ apps or services, they were able to consent (or not) to sharing their data. However, as the Times notes, there are similarities between these agreements and the Cambridge Analytica scandal, which revealed how third-party developers were taking advantage of Facebook’s loose privacy policies to siphon huge amounts of data from the company’s platform.

Facebook says the two situations are “very different,” and indeed, sharing personal data with fly-by-night developers or marketing firms is not the same as sharing it with big tech companies. The latter have the resources to protect the information, can be held accountable if they abuse it, and don’t make money from leveraging user data.

However, what the Cambridge Analytica scandal really revealed was how today’s digital ecosystem is built on the relatively free exchange of personal information, and how easy it is for tech companies to fudge the concept of user “consent” by getting people to agree to sharing data without actually understanding what it is they’re agreeing to. In the case of Facebook’s deals with device makers, it’s fair to ask whether users who logged into BlackBerry’s Hub software, for example, really knew how their information was going to be shared and used. And while Facebook says that it’s now shutting down these partnerships (22 have been ended and an unknown number remain), it’s clear that the company’s preeminent position in the industry was built, in part, on these sorts of agreements.

When Facebook’s CEO Mark Zuckerberg appeared before Congress in March, he stressed that the company gives users’ complete control over their data and what happens to it. “Every piece of content that you share on Facebook you own,” said Zuckerberg. ”You have complete control over who sees it and how you share it.”

But Facebook’s deals with device manufacturers – even if they are a common practice – shows that “complete control” doesn’t necessarily mean complete understanding.