“Every time that a person chooses to share something on Facebook, they’re proactively going to the service and choosing that they want to share a photo, write a message to someone,” Facebook CEO Mark Zuckerberg said in an appearance before Congress in April. “And every time, there is a control right there — not buried in settings somewhere, but right there — when they’re … posting about who they want to share it with.”
But according to a report from the New York Times over the weekend, that isn’t exactly the case when it comes to companies like Apple, Amazon, BlackBerry, Microsoft, and Samsung. Facebook reached data-sharing agreements with at least 60 device companies that allowed them to get at a broad range of information users were likely unaware of and might not have agreed to.
The report is the latest to sound alarms about Facebook’s handling of private data, and it again raises questions about how honest the company has been about what it’s collecting on users and why.
Facebook let some device companies get information on its users’ relationship status, religion, political leaning, and events, according to the Times. It gave access to information about those users’ friends as well, even in some cases when those people believed they had barred any sharing at all.
Facebook said it was winding down such partnerships in April. In a rebuttal to the Times report on Sunday, Ime Archibong, its vice president of product partnerships, said it had been “necessary” for Facebook to work with operating systems and device manufacturers to get its products into people’s hands. Archibong said that its partners were limited to using the data only to recreate “Facebook-like experiences” on their devices and that Facebook is not aware of any abuse by those companies.
The Times report also raises new questions about whether Facebook violated a 2011 consent decree with the Federal Trade Commission over charges it deceived consumers about their privacy. The FTC began an investigation into the matter after the Cambridge Analytica scandal, and the data maker sharing may give it even more to look at. The decree prevented Facebook from overriding users’ privacy settings without getting their consent.
“It’s going to intensify the FTC’s efforts to scrutinize the company’s behavior and its fulfillment of the 2011 to 2012 settlement,” former FTC Commissioner Bill Kovacic told me. “This adds additional impetus to that existing commitment to study their behavior, to see if there was compliance.”
Facebook says it can trust device companies, but can users trust Facebook?
Facebook says it provided data access to help users get the full “Facebook experience” — features such as messaging and “like” buttons — on their phones, tablets, and other gadgets and that its partners were subject to tight controls. The companies signed agreements barring them from using data for anything beyond its intended purposes, and the company disputes that it was overriding privacy settings and consent.
Several former Facebook software engineers and security experts told the Times they were surprised at the ability to override security restrictions and warned of the risks of Facebook’s data-sharing practices with device makers. Ashkan Soltani, a former chief technologist at the FTC, likened Facebook’s behavior to “having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission,” to the Times.
“Part of what this raises for me is a continuing question about information services companies: Are you explaining enough to users about what you’re doing?” Kovacic, who is now a professor at George Washington University, said. “What’s jarring, if you are a regulator and you’re following these news developments, is the sense that, ‘Oh, here’s something else you didn’t know about.’ It’s the element of being surprised.”
Zuckerberg dodged questions in April about third-party data-sharing
Zuckerberg has made several public apologies since founding the social media company, and Facebook has been caught multiple times being less than forthcoming about its technologies and practices.
In testimony before the House Energy and Commerce Committee and the Senate and Commerce Committees in April, Zuckerberg repeatedly dodged questions about whether users could control how their data was shared with and used by third parties, instead going back to explain how users can decide what their fellow Facebook users can see.
“Every piece of content that you share on Facebook you own, and you have complete control over who sees it and — and how you share it, and you can remove it at any time,” Zuckerberg told Sen. Orrin Hatch (R-UT). “That’s why every day, about 100 billion times a day, people come to one of our services and either post a photo or send a message to someone, because they know that they have that control and that who they say it’s going to go to is going to be who sees the content.”
But according to the Times’s reporting, that is not the case — not just for users but also for their friends. The publication tested Facebook’s data privacy channels using a 2013 BlackBerry device owned by one of its reporters. The BlackBerry retrieved identifying information for almost 295,000 Facebook users; the reporter has about 550 Facebook friends. The Times found Facebook let the phone access more than 50 types of information about the user and his friends.
Rep. David Cicilline (D-RI), ranking member of the House Judiciary antitrust subcommittee, tweeted about the report late Sunday evening. “Sure looks like Zuckerberg lied to Congress about whether users have ‘complete control’ over who sees our data on Facebook,” he wrote. He called for an investigation into the matter.
Sure looks like Zuckerberg lied to Congress about whether users have “complete control” over who sees our data on Facebook. This needs to be investigated and the people responsible need to be held accountable. https://t.co/rshBsxy32G— David Cicilline (@davidcicilline) June 4, 2018
In an appearance before the European Parliament in May, Claude Moraes of the British Labour Party asked whether the data privacy questions stemming from Cambridge Analytica were the end of it, or if there was more. Is it “actually the tip of the iceberg, or is there a bigger iceberg?” he asked. Given the Times’s reporting — and Facebook’s history — there’s likely more.
“It’s a recurring theme,” Kovacic said, “which is: What exactly are you doing here?”