Facebook allowed certain apps to enjoy unlimited access to user data
19 December 2018
Despite its promises to limit the amount of personal data third-party apps could access, Facebook allowed over 150 companies to access large amounts of customer data and did not extend its stated privacy rules to such firms, an investigation carried out by The New York Times and The Times has revealed.
In late November, in an unprecedented move, Damian Collins, the chair of the culture, media and sport select committee, invoked a rare parliamentary mechanism to compel the founder of Six4Three LLC, a firm that sued Facebook in the U.S. for carrying out mass surveillance of millions of users, to hand over sensitive documents to Parliament that contained, among other things, “confidential emails and messages between Facebook senior executives”.
Earlier this month, Parliament released the contents of documents seized from Six4Three LLC, revealing explosive internal Facebook chatter that suggested that Facebook’s activities post-2014 were not always in sync with the company’s commitments to millions of users.
According to Collins, the documents revealed that Facebook “maintained full access to friends data” after 2014/15 even though the company had promised to dramatically limit the data apps could access. At the same time, Facebook entered into “whitelisting agreements with certain companies, which meant that after the platform changes in 2014/15 they maintained full access to friends data”.
Collins added that the launch of Facebook’s Platform 3.0 was based on data reciprocity between Facebook and app developers, and that increasing revenues from major app developers was one of the key drivers behind the Platform 3.0 changes at Facebook. In other words, rather than imposing a blanket ban on apps collecting user data without prior consent, or collecting data belonging to a person’s friends unless those friends had also authorized the app, Facebook allowed certain apps to continue to collect user data provided such apps ensured additional revenue for Facebook.
At the same time, those apps that did not ensure revenue generation for Facebook or did not enter into a data reciprocity agreement with Facebook were denied access to user data, thereby severely curtailing their revenues and reach.
Investigation reveals Facebook gave certain apps preferential access to user data
In a clear vindication of Parliament’s position on Facebook’s inconsistent data collection practices, a new investigation carried out by The New York Times and The Times has revealed that Facebook allowed over 150 companies to enjoy unlimited access to user data, in violation of its commitment to limit the data third-party apps could access.
Firms that enjoyed unlimited access to the data of millions of users included online retailers, entertainment sites, automakers, media organisations, and technology businesses. Even though Facebook claims to have updated its policies in 2014 to limit the data third-party apps could access, apps owned by such firms continued to enjoy the kind of access to user data post-2014 that they did back in 2010.
For instance, without obtaining prior consent, Microsoft’s Bing search engine could view the names of virtually all Facebook users’ friends; Netflix, Royal Bank of Canada and Spotify apps could read or delete private messages of users; Amazon could obtain names and contact information of users through their friends; and Yahoo could view streams of friends’ posts until recently.
Post-2014, even companies such as Pandora and Rotten Tomatoes continued to access user data the way they did when they struck deals with Facebook, and such agreements lasted until this summer, when Facebook started getting pulled up for violating its own privacy norms.
Facebook could face colossal fines all over the world
“We pointed this out in 2013. If the allegations are true, Facebook may face a colossal volume of individual and collective lawsuits demanding billions in damages, let alone sanctions imposed by regulators from all over the world. Many European countries have persistent budget deficiency and will be happy to jump on this windfall,” said Ilia Kolochenko, CEO and founder of High-Tech Bridge.
“However, many very complicated issues of law, discovery, burden of proof and calculation of damages will appear, and the outcomes are far from being certain. Facebook will likely find a way to settle, but the amount may border on the most expensive lawsuits in history.
“Otherwise, it was pretty clear since the very beginning that nothing is ‘free’ on the Internet. The price Facebook users paid to stay connected and socialized is their privacy. Our society will either have to accept this or pay for using social networks – nobody will host gigabytes of your data and offer you a 24/7 platform free of charge,” he added.
“With tech giants like Facebook, Twitter, Google, Apple and Microsoft able to collect untold information on users – not only what’s explicitly shared but what can be inferred from behaviours – it’s incumbent upon them to treat that data with greater respect than we’ve seen to date,” said Tim Mackey, senior technical evangelist at Synopsys.
“While Konstantinos Papamiltiadis, Facebook’s Director of Developer Platforms and Programs, argues that users authorised the sharing of their information, until recently Facebook wasn’t explicit about the types of information shared when API access was granted, and Facebook itself has a spotty history with clear disclosure of privacy settings.
“When viewed through the lens of various API issues facing social media companies ranging from access token leakage, image API management, API retirement and API reuse, it’s clear that data collection and data interchange with third parties have a greater business focus for these companies than securing access to the information throughout its lifecycle,” he added.