It appears 2018 will continue to bring more controversial decisions made by Facebook to the fore. After the Cambridge Analytica scandal, it seems that the social networking giant has been involved in several similar data sharing scandals. The company apparently gave access to "vast amounts of its users' personal information" to device makers.
According to a report by the NYT published over the weekend, the company struck agreements with at least 60 device makers, including Apple, Samsung, BlackBerry, and Amazon. "The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books," the report reads.
The report says that the company hasn't only been sharing user data with their device makers but also their friends', as well. This could constitute a violation of Facebook's Federal Trade Commission (FTC) 2011 privacy decree since Facebook was granting device makers access to a user's relationship status, political views, education history, religion, and much more without receiving explicit consent.
The 2011 decree prohibits the company from giving third party companies access to user data without their explicit permission. This agreement with the FTC came following an investigation that discovered the social networking platform had allowed app developers to collect personal data of users' friends overriding their privacy settings.
Facebook says nope, that's not what happened
Similar to how the company initially reacts every time such a story breaks, Facebook is disputing these claims this time too. In a blog post late last night, the company said that it disagrees with the NYT piece.
These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences. Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built. Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.
Facebook said that the company introduced the API program for device makers 10 years ago “to help get Facebook onto mobile devices." The company said that since iOS and Android are so popular now, not many need these APIs to offer their own custom Facebook experiences. "It’s why we announced in April that we’re winding down access to them," the company wrote. "We’ve already ended 22 of these partnerships."
While Facebook says these agreements were important and that it had tight control over these partnerships from the get-go, even company employees weren't happy allowing outside companies to access their users' data.
"This was flagged internally as a privacy issue,” Sandy Parakilas, who was leading third-party advertising and privacy compliance for Facebook’s platform at the time, said. "It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled."
"What we have been trying to determine is whether Facebook has knowingly handed over user data elsewhere without explicit consent,” Elisabeth Winkelmeier-Becker, one of the German lawmakers who questioned Facebook in April, told the paper.
"I would never have imagined that this might even be happening secretly via deals with device makers. BlackBerry users seem to have been turned into data dealers, unknowingly and unwillingly.”
She has only mentioned BlackBerry because it was the only name given by Facebook when explaining or justifying its partnerships and agreements with device makers.
Facebook is trying to downplay the severity of this issue calling device makers "service providers" and not "third parties" like researchers involved in the Cambridge Analytica scandal. The company is essentially trying to say these phone makers are like the companies hired for cloud storage or banking transactions.
Facebook is trying its best to get out of this mess by confusing users with twisted terminologies, but it would have a tough time explaining its "device makers = service providers != third parties" equation to European lawmakers who demand the company to get explicit consent before sharing their data. Since Facebook has mentioned winding down this access for only 22 companies, indicating that this partnership may still be going on for tens of device makers, it could come under GDPR-fire for giving data access to a third company without "explicitly" asking for user permission.