Facebook maintained full access to friends data since 2014, says Parliament
Information Security / Facebook maintained full access to friends’ data since 2014, says Parliament
6 December 2018
Following the exposure of a massive breach of privacy of millions of Facebook users in the aftermath of the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg penned a heartfelt apology to all users in March this year, expressing regret for allowing apps to access user data and promising to provide the highest priority to user privacy.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there’s more to do, and we need to step up and do it,” he said.
Explaining the timeline of the events that took place since 2014, Zuckerberg said that in that year, Facebook decided to dramatically limit the data apps could access, and this move stopped apps from collecting data belonging to a person’s friends unless their friends had also authorized the app.
Zuckerberg refused to cooperate with Parliament’s investigations
Despite Zuckerberg’s promise to work with users and governments to clarify Facebook’s position on data privacy of millions of users, Zuckerberg twice refused to appear before a select panel of the Digital, Culture Media and Sport Committee that wanted to question him about Facebook’s long silence after it discovered Cambridge Analytica’s illegal data collection practices, Facebook’s role in the distribution of fake news and its role during the elections.
Instead, Zuckerberg chose to send Mike Schroepfer, Facebook’s chief technology officer, to appear before the select committee whose responses did not address major concerns that necessitated the formation of the panel.
“Mr. Schroepfer, Mark Zuckerberg’s right-hand man whom we were assured could represent his views, today failed to answer many specific and detailed questions about Facebook’s business practices,” said Damian Collins MP.
Parliament seized internal Facebook docs
Frustrated by Zuckerberg’s repeated refusals to appear before the select panel and dissatisfied by Mr Schroepfer’s responses, Parliament decided to take the matter into its own hands. In late November, Damian Collins, the chair of the culture, media and sport select committee, invoked a rare parliamentary mechanism to compel the founder of Six4Three LLC, a firm that sued Facebook in the U.S. for carrying out mass surveillance of millions of users, to hand over sensitive documents to Parliament that contained, among other things, “confidential emails and messages between Facebook senior executives”.
“The Committee’s interest in the documents we have requested relates to their relevance to our ongoing inquiry into disinformation and fake news. As you know, we have asked many questions of Facebook about its policies on sharing user data with developers, how these have been enforced, and how the company identifies activity by bad actors.
“We believe that the documents we have ordered from Six4Three could contain important information about this which is of a high level of public interest. We are also interested to know whether the policies of Facebook, as expressed within these documents, are consistent with the public statements the company has made on the same issues,” Collins said.
Docs reveal Facebook continued to violate user privacy
Earlier today, Parliament released the contents of documents seized from Six4Three LLC, revealing explosive internal Facebook chatter that suggests that Facebook’s activities post-2014 were not always in sync with the company’s commitments to millions of users.
According to Collins, the documents have revealed that Facebook “maintained full access to friends data” after 2014/15 even though the company had promised to dramatically limit the data apps could access”. At the same time, the company took steps to ensure that its users did not know about a feature in its Android app that allowed it to collect a record of calls and texts sent by users.
“Facebook have clearly entered into whitelisting agreements with certain companies, which meant that after the platform changes in 2014/15 they maintained full access to friends data. It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not,” he noted.
He added that the launch of Facebook’s Platform 3.0 was based on data reciprocity between Facebook and app developers and that increasing revenues from major app developers was one of the key drivers behind the Platform 3.0 changes at Facebook. The idea of linking access to friends data to the financial value of the developers relationship with Facebook is a recurring feature of the documents.
“Facebook knew that the changes to its policies on the Android mobile phone system, which enabled the Facebook app to collect a record of calls and texts sent by the user would be controversial. To mitigate any bad PR, Facebook planned to make it as hard of possible for users to know that this was one of the underlying features of the upgrade of
“Facebook used Onavo to conduct global surveys of the usage of mobile apps by customers, and apparently without their knowledge. They used this data to assess not just how many people had downloaded apps, but how often they used them. This knowledge helped them to decide which companies to acquire, and which to treat as a threat.
“The files show evidence of Facebook taking aggressive positions against apps, with the consequence that denying them access to data led to the failure of that business,” Collins added.
What this could mean is that rather than imposing a blanket ban on apps from collecting user data without prior consent or collecting data belonging to a person’s friends unless their friends had also authorized the app, Facebook allowed certain apps to continue to collect user data provided such apps ensured additional revenue for Facebook.
At the same time, those apps that did not ensure revenue generation for Facebook or did not enter into a data reciprocity agreement with Facebook were denied access to user data, thereby severely curtailing their revenues and reach.
Facebook has already been fined £500,000 by the Information Commissioner’s Office for failing to prevent data analytics firms (such as MyPersonalityApp) from harvesting personal details of millions of users. It will be interesting to see what actions the UK Parliament will take in the coming days in light of the explosive details revealed to the public today.