
Facebook Gave Device-Makers Privileged Access to User Data

Mark Zuckerberg. Photo: Marlene Awaad/Bloomberg via Getty Images

What if I told you that Facebook had a data-sharing agreement that allowed third parties access to pull data about you and your friends and friends of your friends? I’m sure you’d respond with something like, “Well, yes, as we’ve learned from the Cambridge Analytica dustup, developers did at one point have access to a lot of sensitive personal data.” But then you might say, in Facebook’s defense, “But Facebook removed the ability to extract data on a user’s friends from their API years ago!” Which is true … with some very big exceptions. Device manufacturers like Apple and Samsung and BlackBerry retained access to methods of data extraction — methods not available to regular developers — even after Facebook shut down the method that allowed Cambridge Analytica to happen.

The New York Times reports that more than 60 device-makers had privileged access to Facebook’s data, and that “Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.” When Facebook shut down the ability to access data on a user’s friends in 2015, Facebook exempted these manufacturers from the restriction.

Facebook also did not mention the exemption when the Cambridge Analytica scandal broke earlier this year, and the Times was still able to extrapolate data on 294,258 users from the connections of a single account with the help of a BlackBerry app. Apple, Samsung, BlackBerry, and Microsoft told the Times that their phones do not mine or harvest user data.

Facebook told the Times that the arrangements do not violate a 2011 consent decree on protecting user data “because the company viewed its hardware partners as ‘service providers,’ akin to a cloud computing service paid to store Facebook data or a company contracted to process credit card transactions,” and thus do not need user permission to share info. In other words, Facebook is arguing that Apple, Samsung, and other telephone manufacturers are extensions of Facebook. If that sounds like bullshit that’s because it is. The issue had been flagged as early as 2012 as a privacy issue.

The specifics of this case are probably less interesting than what they represent. Over and over again, we will find out that Facebook had lax policing over access to user data, and it will try to wriggle out of its responsibility with semantic arguments (like classifying competitors as extensions of itself). This is far from the last time that we’ll hear about Facebook’s privacy guards being made of Swiss cheese.
