An investigation by The New York Times has revealed that Facebook shared data on users and their friends, without consent, with around 60 device makers. The report goes on to add that despite changes to Facebook’s privacy policies over the years, these device makers continued to have unrestricted access.
The policies were originally put in place to enable device makers, a list that includes Apple, Samsung, BlackBerry and Microsoft, to provide Facebook-specific features on their devices. As TechCrunch notes, this happened at a time when app stores didn’t really exist. The Facebook integration allowed device makers to offer users features such as messaging, "like" buttons and address books, reports NYT.
The investigation revealed that Facebook gave access to personal information on not just users, but their friends as well. “Some device partners can retrieve Facebook users’ relationship status, religion, political leaning and upcoming events, among other data. Tests by The Times showed that the partners requested and received data in the same way other third parties did,” adds the report.
The data of users who had explicitly blocked data sharing with 3rd parties was also available to these device makers.
Apparently, Facebook started “winding down” these agreements only in April this year, which was directly after the Cambridge Analytica scandal hit the news, revealing Facebook’s total lack of concern for user privacy.
Facebook took to its blog to respond to NYT’s claims. According to Facebook, device-integrated APIs were originally necessary to deliver a Facebook experience on the myriad mobile platforms available at the time. It was the only way, claims Facebook, to deliver Facebook features to customers on every platform of their choosing.
Facebook goes on to claim that given the sensitive nature of the data being shared, Facebook “tightly controlled” the APIs and made partners sign “agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences.”
The social media giant also stated, “We are not aware of any abuse by these companies.”
We’d like to point out here that Cambridge Analytica in 2014 claimed that it had destroyed all data acquired via Facebook (it didn’t). Facebook claims to have taken them at their word and didn't bother to audit Cambridge Analytica. Clearly, Facebook is not aware of who has access to user data and how it's being used.
Facebook is trying to skirt around the fact that it is unaware of how the data was used by device manufacturers. Just because Facebook is stating that it's not aware of any misuse doesn’t mean that there was no misuse.
Facebook also noted in its blog that they’ve now ended 22 of the partnerships and that given the popularity of Android and iOS, these APIs were no longer needed. Again, Facebook isn’t discussing the real issue, namely, Facebook’s negligent attitude towards user privacy.
What’s not clear right now is exactly what data Facebook’s partners had access to, and for how long. Just because the APIs aren’t being used in many consumer devices today doesn’t mean that Facebook’s partners don’t have access to data, and Facebook is being mum on that front.