Facebook has been giving user data to at least 60 major device manufacturers over the last decade – including Apple, Amazon, BlackBerry, Microsoft and Samsung – as part of a data-sharing partnership program which allowed the companies to integrate various features such as messaging and “like” buttons into their products.
The data-sharing agreement, reported Sunday evening by the New York Times, allowed manufacturers to access information on relationship status, calendar events, political affiliations and religion, among other things. An Apple spokesman, for example, said that the company relied on private access to Facebook data to allow users to post on the social network without opening the Facebook app, among other things.
What’s more, the manufacturers were able to access the data of users’ friends without those friends’ explicit consent, despite Facebook’s declaration that it would not let outside companies access user data. The catch? The NYT explains:
Facebook’s view that the device makers are not outsiders lets the partners go even further, The Times found: They can obtain data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties.
In interviews, several former Facebook software engineers and security experts said they were surprised at the ability to override sharing restrictions. –NYT
“It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission,” said Ashkan Soltani, a research and privacy consultant and former chief technologist for the Federal Trade Commission (FTC).
To test one partner’s access to Facebook’s private data channels, The Times used a reporter’s Facebook account — with about 550 friends — and a 2013 BlackBerry device, monitoring what data the device requested and received. (More recent BlackBerry devices, which run Google’s Android operating system, do not use the same private channels, BlackBerry officials said.)
Immediately after the reporter connected the device to his Facebook account, it requested some of his profile data, including user ID, name, picture, “about” information, location, email and cellphone number. The device then retrieved the reporter’s private messages and the responses to them, along with the name and user ID of each person with whom he was communicating.
“This was flagged internally as a privacy issue,” said Parakilas, who left Facebook in 2012 and has emerged as a new voice against the company’s data handling policies. “It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.”