Facebook gave some companies such as Apple, Amazon and Yahoo more extensive access to users’ personal data, effectively exempting them from the company’s usual privacy rules, according to a New York Times report.
Facebook enabled partners to offer services that tap into Facebook accounts and features. For example, Spotify was able to offer a feature that lets its users share song lists with their Facebook friends. But to do that, Facebook had to give Spotify the user’s list of Facebook friends.
Facebook says it didn’t violate its users’ privacy in doing any of this. But Facebook has a history of playing fast and loose with the word “permission.” That appears to be the case here, too.
A look at the claims:
FACEBOOK: “To be clear: none of these partnerships or features gave companies access to information without people’s permission …” — from a
late Tuesday by Konstantinos Papamiltiadis, the company’s director of developer platforms.
THE FACTS: In this case, the company says that its “integration partners” — such as Amazon, BlackBerry or Microsoft — had to get authorization from people to turn on these features. Users would have done this by using their Facebook account to log in to the other services, which, technically, counted as giving permission. But people may not have realized just what they were granting permission for.
In addition, according to the Times report, Facebook from its early days formed key data-sharing partnerships with companies, sometimes giving them special access to data — without asking for users’ permission. For example, according to the report, the company used contact lists from “partners” such as Amazon, Yahoo and China’s Huawei to suggest potential Facebook friends to users. Facebook argues that its partners are essentially an extension of itself, as service providers, and thus they don’t need to get permission from users as long as they limit data use to providing Facebook-related services.
The permissions issue came up earlier this year, when Facebook was found to have been
collecting call and text histories
from Android users. The company said at the time that it got permission from users to do this. Nonetheless, many users, including the
New Zealand man
who discovered the practice after downloading his Facebook data in March, were surprised that the company was logging this data.
According to internal emails made public as part of
, the company was aware that the Android data collection could look bad. A product manager, Michael LeBeau, wrote in a February 2015 email that the permissions feature — which prompted users to grant access to call logs and SMS history — is “a pretty high-risk thing to do from a PR perspective.” But, he added, “the growth team will charge ahead and do it.”
FACEBOOK: “… nor did they violate our 2012 settlement with the FTC,” or Federal Trade Commission — from the same blog post.
The FTC agreement requires Facebook to protect user privacy. Facebook’s assertion that most of its data-sharing partnerships were exempted is on shaky ground.
The FTC’s former chief technologist, Ashkan Soltani, and three former employees of its consumer protection division told the Times that the data-sharing deals probably violated the agreement. One said the partnerships seemed to give third parties permission to harvest data without users being informed of it or giving consent.
Facebook argues that it subjected those partners to its own rules about data use — but the Times report raises questions about how well Facebook managed those partners’ access.
The question of whether it was actually justified could ultimately be decided by the FTC itself. The agency said in March it was looking into whether Facebook engaged in unfair acts that might have violated the decree.