Facebook gave at least 60 device makers broad access to its users' information, potentially in conflict with what the company told Congress, a new report has revealed.
Many of the partnerships, with companies such as Apple, Amazon, BlackBerry, Microsoft and Samsung, remain in effect even after Facebook began to quietly unwind them in April, according to a lengthy report in the New York Times.
Under some of the agreements, device makers could access the data of users' friends, even if they believed that they had barred sharing, the Times reported, citing company officials. The latest revelation affects every Facebook user worldwide.
Facing blowback from the Cambridge Analytica data harvesting scandal in March, Facebook vowed that it had put an end to that kind of information sharing, but never revealed that device makers had a special exemption.
However, Facebook blasted back at the Times report, saying the newspaper has misinterpreted the purpose and function of its so-called 'device-integrated APIs' - the software that allows hardware companies to bridge into Facebook's database to offer versions of the app on their operating systems.
'In the early days of mobile, the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system,' Ime Archibong, Facebook's VP of Product Partnerships, wrote in a Sunday statement responding to the Times report.
'It's hard to remember now but back then there were no app stores.'
'To bridge this gap, we built a set of device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems.'
'Contrary to claims by the New York Times, friends' information, like photos, was only accessible on devices when people made a decision to share their information with those friends,' Archibong wrote.
Apple was among the companies that used device-integrated APIs to serve up a version of Facebook on its hardware, but the deals are now under scrutiny.
Archibong said that these device interfaces are 'very different' from the type of public interfaces that allowed Cambridge Analytica to harvest data on millions of users.
On April 24, weeks after CEO Mark Zuckerberg testified to Congress about user privacy, Facebook said in an announcement to developers that it was winding down access to device-integrated APIs.
According to Archibong, 22 of the partnerships have already ended.
Zuckerberg was adamant before Congress that Facebook is seriously committed to users' privacy.
'Every piece of content that you share on Facebook you own,' he told a combined Senate Judiciary and Commerce committee. 'You have complete control over who sees it and how you share it.'
However, James Knight, principal consultant of US tech firm Digital Warfare Corp., described the NYT's findings as 'incredibly concerning'.
'This latest revelation is certainly new and affects every Facebook user worldwide.
'It is well known that information companies hold data on every area of our lives from our job history to where we have lived. This information however can be quite sterile.
'Facebook on the other hand contains for many people their thoughts, feelings and desires. It can contain people's political beliefs and religious affiliation. This information is very personal and should be respected.'
'Unfortunately we all sign away many of our rights when joining, leaving ourselves somewhere between the whim of Facebook and whatever privacy rights our governments have enacted,' he added.
Critics of the company say that the device-integrated APIs are a violation of that control, however, allowing device makers a direct line into user data.
Sandy Parakilas, who formerly worked on third-party advertising and privacy compliance for Facebook's platform, told the Times that he believes the fact that the deals continue to exist contradicts Zuckerberg's testimony.
'This was flagged internally as a privacy issue' in 2012, said Parakilas, who left Facebook that year and is now a harsh critic of the company.
'It is shocking that this practice may still continue six years later, and it appears to contradict Facebook's testimony to Congress that all friend permissions were disabled.'
Facebook co-founder, chairman and CEO Mark Zuckerberg testified before a combined Senate Judiciary and Commerce committee hearing in the Hart Senate Office Building on Capitol Hill April 10, 2018 in Washington, DC.
Serge Egelman, a privacy researcher at the University of California, Berkeley, told the NYT that while people might assume that Facebook or the device manufacturer is trustworthy, the concern is that as more data is collected on the device, where it can be accessed by the device's apps, people's security and privacy are jeopardized.
Also, several former Facebook software engineers and security experts told the Times they were surprised at the ability to override sharing restrictions, with one consultant likening it to having locks installed on your doors, only to find later that the locksmith had given spare keys to all your friends to come inside and take a look, uninvited.
Amazon and Samsung declined to comment on whether they had access to Facebook user data through the APIs.
Zuckerberg defended the social network's value before Congress and pledged to correct its mistakes, as senators questioned whether he will deliver after years of failed assurances that he would protect user privacy.
Apple said that it had previously used the software interfaces to allow iPhone users to do things like post photos to Facebook without opening the app, but that its device access was terminated in September.
Microsoft said its API access ended in 2008, adding that the bridge was used to do things like add contacts and receive notifications, and that all data was stored locally on the user's device.
BlackBerry said that the access was only used to give its own customers access to Facebook and messages.
Asked for his advice to Facebook users given the latest revelations, James Knight of Digital Warfare Corp said: 'My advice is to expect that nothing is private anymore. Unfortunately, we have seen organizations and individuals targeted for their beliefs.
'As such, I would highly recommend that people move away from social media sites like Facebook or at least minimize what is shared.
'I also recommend that we educate the next generation of the risks of creating an internet presence and help them to minimize their footprint.'
Aiming for a 'higher standard'
In mid-April, about a week after Zuckerberg testified in front of the US Congress, Facebook's product management director, David Baser, published information on what data the company collects when people are not using Facebook, and why.
He said: ‘When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account. This is because other apps and sites don’t know who is using Facebook. Many companies offer these types of services and, like Facebook, they also get information from the apps and sites that use them.’
Baser added: ‘I want to be clear: We don’t sell people’s data. Period.’
In response, one reader pointed out that ‘what is missing is a deeper analysis of users’ concerns: are other ‘Cambridge Analyticas’ out there we don’t know of?’
Facebook replied: ‘We’re going to set a higher standard for how developers build on Facebook, what people should expect from them, and, most importantly, from us.
‘This includes investigating all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014 and conducting a full audit of any app with suspicious activity.
‘We will ban any developer from our platform that does not agree to a thorough audit and if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps.’