Facebook gives or has given third parties access to the data not only of its users, but also of their friends, according to a New York Times report. The social network has been sharing users data with mobile device manufacturers such as Apple, Samsung, BlackBerry and Amazon—to an extent that could constitute a violation of Facebook’s 2011 privacy deal with the Federal Trade Commission (FTC.)
Many makers of phones and tablets allow people to use Facebook without actually opening the Facebook app, by integrating some of its functionality into their own software. This means that the software of companies including Apple, Amazon, Samsung, Microsoft and BlackBerry gets to plug into Facebook’s systems and access data that does not belong to the specific person who’s using that software.
The Times piece uses the example of BlackBerry’s Hub app, which aims to consolidate a user’s messages from various platforms—from Facebook notifications to Gmail emails—into one interface. A Times reporter logged into his Facebook account on that app, gaining access not only to detailed information about 556 friends, including sensitive stuff about religious and political leanings, but also to identifying information on 294,258 friends-of-friends.
The issue here is not that a Facebook user can access data about friends and friends-of-friends—it’s that they’re giving a non-Facebook company’s software access to that information.
Apple said it stopped giving iPhones this sort of access to Facebook last September. Microsoft said any data its software got from Facebook stayed on users’ devices and was not uploaded to its own servers. Samsung and Amazon did not respond to the Times’ questions.
Facebook admitted that some of these “service provider” partners did store the data of users and their friends on their own servers.
This data sharing may violate the deal that Facebook struck with the FTC in 2011. That settlement followed complaints from users that Facebook wasn’t allowing them to keep their information on the social network private—Facebook promised to get consent from users before sharing their data with third parties, and to avoid making deceptive claims about its privacy practices.
Facebook’s take on this is that the device manufacturers are “service providers” rather than third parties of the sort where consent would be needed to share information. It doesn’t think it’s violated the FTC deal, but former FTC official Jessica Rich told the Times that “under Facebook’s interpretation, the exception swallows the rule.”
Facebook CEO Mark Zuckerberg told Congress in March that Facebook’s users have “complete control over who sees [their data] and how [they] share it.”
Facebook said it started winding down the partnerships in April, as they were no longer needed to serve users.
The European Union’s General Data Protection Regulation (GDPR) only came into force around 10 days ago, but if Facebook is still sharing people’s data without their consent—especially sensitive personal data about things like religious beliefs—then it could be in big trouble in the EU. The company has already been been the subject of GDPR privacy complaints, despite the new legal regime’s tender age.