As Facebook sought to become the world’s dominant 
social media service, it struck agreements allowing phone and other 
device makers access to vast amounts of its users’ personal information.
Facebook has reached data-sharing partnerships 
with at least 60 device makers — including Apple, Amazon, BlackBerry, 
Microsoft and Samsung — over the last decade, starting before Facebook 
apps were widely available on smartphones, company officials said. The 
deals allowed Facebook to expand its reach and let device makers offer 
customers popular features of the social network, such as messaging, 
“like” buttons and address books.
But the partnerships, whose scope has not 
previously been reported, raise concerns about the company’s privacy 
protections and compliance with a 2011 consent decree with the Federal 
Trade Commission. Facebook allowed the device companies access to the 
data of users’ friends without their explicit consent, even after 
declaring that it would no longer share such information with outsiders.
 Some device makers could retrieve personal information even from users’
 friends who believed they had barred any sharing, The New York Times 
found.
Most of the partnerships remain in effect, 
though Facebook began winding them down in April. The company came under
 intensifying scrutiny by lawmakers and regulators after news reports in
 March that a political consulting firm, Cambridge Analytica, misused the private information of tens of millions of Facebook users.
In the furor that followed, Facebook’s leaders 
said that the kind of access exploited by Cambridge in 2014 was cut off 
by the next year, when Facebook prohibited developers from collecting 
information from users’ friends. But the company officials did not 
disclose that Facebook had exempted the makers of cellphones, tablets 
and other hardware from such restrictions.
“You might think that Facebook or the device 
manufacturer is trustworthy,” said Serge Egelman, a privacy researcher 
at the University of California, Berkeley, who studies the security of mobile apps.
 “But the problem is that as more and more data is collected on the 
device — and if it can be accessed by apps on the device — it creates 
serious privacy and security risks.”
In interviews, Facebook officials defended the 
data sharing as consistent with its privacy policies, the F.T.C. 
agreement and pledges to users. They said its partnerships were governed
 by contracts that strictly limited use of the data, including any 
stored on partners’ servers. The officials added that they knew of no 
cases where the information had been misused.
The company views its device partners as extensions of Facebook, serving its more than two billion users, the officials said.
“These partnerships work very differently from 
the way in which app developers use our platform,” said Ime Archibong, a
 Facebook vice president. Unlike developers that provide games and 
services to Facebook users, the device partners can use Facebook data 
only to provide versions of “the Facebook experience,” the officials 
said.
Some device partners can retrieve Facebook 
users’ relationship status, religion, political leaning and upcoming 
events, among other data. Tests by The Times showed that the partners 
requested and received data in the same way other third parties did.
Facebook’s view that the device makers are not 
outsiders lets the partners go even further, The Times found: They can 
obtain data about a user’s Facebook friends, even those who have denied 
Facebook permission to share information with any third parties.
In interviews, several former Facebook software
 engineers and security experts said they were surprised at the ability 
to override sharing restrictions.
“It’s like having door locks installed, only to
 find out that the locksmith also gave keys to all of his friends so 
they can come in and rifle through your stuff without having to ask you 
for permission,” said Ashkan Soltani, a research and privacy consultant 
who formerly served as the F.T.C.’s chief technologist.
Details of Facebook’s partnerships have emerged 
amid a reckoning in Silicon Valley over the volume of personal 
information collected on the internet and monetized by the tech 
industry. The pervasive collection of data, while largely unregulated in
 the United States, has come under growing criticism from elected 
officials at home and overseas and provoked concern among consumers 
about how freely their information is shared.
In a tense appearance before Congress in March,
Facebook’s chief executive, Mark Zuckerberg, emphasized what he said
was a company priority for Facebook users. “Every piece of content that
you share on Facebook you own,” he testified. “You have complete control
over who sees it and how you share it.”
But the device partnerships provoked discussion
 even within Facebook as early as 2012, according to Sandy Parakilas, 
who at the time led third-party advertising and privacy compliance for 
Facebook’s platform.
“This was flagged internally as a privacy issue,” 
said Mr. Parakilas, who left Facebook that year and has recently emerged
 as a harsh critic of the company. “It is shocking that this practice 
may still continue six years later, and it appears to contradict 
Facebook’s testimony to Congress that all friend permissions were 
disabled.”
The partnerships were briefly mentioned in documents submitted to German lawmakers investigating
 the social media giant’s privacy practices and released by Facebook in 
mid-May. But Facebook provided the lawmakers with the name of only one 
partner — BlackBerry, maker of the once-ubiquitous mobile device — and 
little information about how the agreements worked.
The submission followed testimony by Joel 
Kaplan, Facebook’s vice president for global public policy, during a 
closed-door German parliamentary hearing in April. Elisabeth 
Winkelmeier-Becker, one of the lawmakers who questioned Mr. Kaplan, said
 in an interview that she believed the data partnerships disclosed by 
Facebook violated users’ privacy rights.
“What we have been trying to determine is 
whether Facebook has knowingly handed over user data elsewhere without 
explicit consent,” Ms. Winkelmeier-Becker said. “I would never have 
imagined that this might even be happening secretly via deals with 
device makers. BlackBerry users seem to have been turned into data 
dealers, unknowingly and unwillingly.”
In interviews with The Times, Facebook identified other partners: Apple and Samsung, the world’s two biggest smartphone makers, and Amazon, which sells tablets.
An Apple spokesman said the company relied on 
private access to Facebook data for features that enabled users to post 
photos to the social network without opening the Facebook app, among 
other things. Apple said its phones no longer had such access to 
Facebook as of last September.
Samsung declined to respond to questions about 
whether it had any data-sharing partnerships with Facebook. Amazon also 
declined to respond to questions.
Usher Lieberman, a BlackBerry spokesman, said 
in a statement that the company used Facebook data only to give its own 
customers access to their Facebook networks and messages. Mr. Lieberman 
said that the company “did not collect or mine the Facebook data of our 
customers,” adding that “BlackBerry has always been in the business of 
protecting, not monetizing, customer data.”
Microsoft entered a partnership with Facebook 
in 2008 that allowed Microsoft-powered devices to do things like add 
contacts and friends and receive notifications, according to a 
spokesman. He added that the data was stored locally on the phone and 
was not synced to Microsoft’s servers.
Facebook acknowledged that some partners did 
store users’ data — including friends’ data — on their own servers. A 
Facebook official said that regardless of where the data was kept, it 
was governed by strict agreements between the companies.
“I am dumbfounded by the attitude that anybody 
in Facebook’s corporate office would think allowing third parties access
 to data would be a good idea,” said Henning Schulzrinne, a computer 
science professor at Columbia University who specializes in network 
security and mobile systems.
The Cambridge Analytica scandal revealed how 
loosely Facebook had policed the bustling ecosystem of developers 
building apps on its platform. They ranged from well-known players like 
Zynga, the maker of the FarmVille game, to smaller ones, like a 
Cambridge contractor who used a quiz taken by about 300,000 Facebook 
users to gain access to the profiles of as many as 87 million of their 
friends.
Those developers relied on Facebook’s public 
data channels, known as application programming interfaces, or APIs. But
 starting in 2007, the company also established private data channels 
for device manufacturers.
At the time, mobile phones were less powerful, 
and relatively few of them could run stand-alone Facebook apps like 
those now common on smartphones. The company continued to build new 
private APIs for device makers through 2014, spreading user data through
 tens of millions of mobile devices, game consoles, televisions and 
other systems outside Facebook’s direct control.
Facebook began moving to wind down the 
partnerships in April, after assessing its privacy and data practices in
 the wake of the Cambridge Analytica scandal. Mr. Archibong said the 
company had concluded that the partnerships were no longer needed to 
serve Facebook users. About 22 of them have been shut down.
The broad access Facebook provided to device 
makers raises questions about its compliance with a 2011 consent decree 
with the F.T.C.
The decree barred Facebook
 from overriding users’ privacy settings without first getting explicit 
consent. That agreement stemmed from an investigation that found 
Facebook had allowed app developers and other third parties to collect 
personal details about users’ friends, even when those friends had asked
 that their information remain private.
After the Cambridge Analytica revelations, the 
F.T.C. began an investigation into whether Facebook’s continued sharing 
of data after 2011 violated the decree, potentially exposing the company
 to fines.
Facebook officials said the private data 
channels did not violate the decree because the company viewed its 
hardware partners as “service providers,” akin to a cloud computing 
service paid to store Facebook data or a company contracted to process 
credit card transactions. According to the consent decree, Facebook does
 not need to seek additional permission to share friend data with 
service providers.
“These contracts and partnerships are entirely 
consistent with Facebook’s F.T.C. consent decree,” Mr. Archibong, the 
Facebook official, said.
But Jessica Rich, a former F.T.C. official who 
helped lead the commission’s earlier Facebook investigation, disagreed 
with that assessment.
“Under Facebook’s interpretation, the exception
 swallows the rule,” said Ms. Rich, now with the Consumers Union. “They 
could argue that any sharing of data with third parties is part of the 
Facebook experience. And this is not at all how the public interpreted 
their 2014 announcement that they would limit third-party app access to 
friend data.”
To test one partner’s access to Facebook’s private 
data channels, The Times used a reporter’s Facebook account — with about
 550 friends — and a 2013 BlackBerry device, monitoring what data the 
device requested and received. (More recent BlackBerry devices, which 
run Google’s Android operating system, do not use the same private 
channels, BlackBerry officials said.)
Immediately after the reporter connected the 
device to his Facebook account, it requested some of his profile data, 
including user ID, name, picture, “about” information, location, email 
and cellphone number. The device then retrieved the reporter’s private 
messages and the responses to them, along with the name and user ID of 
each person with whom he was communicating.
The data flowed to a BlackBerry app known as 
the Hub, which was designed to let BlackBerry users view all of their 
messages and social media accounts in one place.
The Hub also requested — and received — data 
that Facebook’s policy appears to prohibit. Since 2015, Facebook has 
said that apps can request only the names of friends using the same app.
 But the BlackBerry app had access to all of the reporter’s Facebook 
friends and, for most of them, returned information such as user ID, 
birthday, work and education history and whether they were currently 
online.
The BlackBerry device was also able to retrieve
 identifying information for nearly 295,000 Facebook users. Most of them
 were second-degree Facebook friends of the reporter, or friends of 
friends.
In all, Facebook empowers BlackBerry devices to
 access more than 50 types of information about users and their friends,
 The Times found.
 