Facebook defends practice of giving deep data access to device makers

Thanks to Facebook and its coziness with phone and device manufacturers, setting up your profile so as not to share your personal information is a futile act, according to reports by the New York Times:

Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.

According to Facebook officials, over the past decade – before Facebook apps were widely available on mobile phones – the social network developed data-sharing partnerships with “at least” 60 device makers, including the big ones: Apple, Amazon, BlackBerry, Microsoft and Samsung.

The point of the partnerships was to help Facebook expand and to enable device makers to offer Facebook’s popular features: for example, messaging, “like” buttons and address books.

Now that the scope of the data sharing has been brought to light, questions have arisen about how this jibes with a 2011 consent decree with the Federal Trade Commission (FTC). That decree required that Facebook notify users and receive explicit permission before sharing personal data beyond users’ specified privacy settings.

This practice of sharing data with device makers, sans explicit permission, didn’t come to a screeching halt because of the Cambridge Analytica scandal that erupted in March. The Times reports that most of the partnerships are still in effect, though Facebook started shutting them down in April, during its soul searching on privacy and data practices in the wake of the Cambridge Analytica fiasco.

The scope of how much data Facebook has fumbled over the years, through a diverse collection of data harvesters, continues to expand: initial estimates of data that Cambridge Analytica siphoned off for micro-targeted political ads was in the region of 50 million users.

Next, it was déjà data-analytics vu in April, when Facebook suspended a second firm, Cubeyou, for dressing up its personal-data snarfing as “nonprofit academic research,” in the form of personality quizzes, and handing over the data to marketers.

Last month, a triplet was born: it emerged that yet another popular Facebook personality app used as a research tool by academics and companies – myPersonality – fumbled the data of three million Facebook users, including their answers to intimate questionnaires. Then, Facebook suspended 200 apps as part of its probe into the data-sharing scandal.

The most recent: on Friday, the Financial Times reported that AggregateIQ – an analytics firm reported to be tied to CA that allegedly left its code lying around, open for all to access – collected and stored data on thousands of Facebook users.

Facebook had already banned the AIQ app. But last week, security researcher Chris Vickery found an app on Facebook called “AIQ Johnny Scraper,” registered to the company, which raises fresh questions about how effective Facebook’s policing really is.

On Friday, Facebook took down another 13 apps that might prove to be tied to AggregateIQ.

During the furor that’s followed these revelations, Facebook’s leadership has repeatedly insisted to the media and to Capitol Hill that users have “complete control” over who sees their data. CEO Mark Zuckerberg, during his testimony before Congress in March:

Every piece of content that you share on Facebook you own. You have complete control over who sees it and how you share it.

Facebook has also said that the kind of access to users’ data that Cambridge Analytica exploited in 2014 was cut off in 2015, when Facebook shut down its API for giving friends’ data to apps.

But throughout these revelation-packed months, Facebook officials haven’t mentioned that the company had exempted manufacturers of mobile phones, tablets or other hardware from that sharing.

Facebook’s thinking on the matter: device partners aren’t “outsiders.” They’re just extensions of Facebook itself, helping the company to serve its two billion users. The Times quotes Ime Archibong, a Facebook vice president:

These partnerships work very differently from the way in which app developers use our platform.

Facebook officials told the newspaper that device partners are restricted to using Facebook users’ data only to provide versions of “the Facebook experience.” But testing done by the Times didn’t detect any difference from how partners and third parties collect data. Some partners, the newspaper found, can get at intimate data including Facebook users’ relationship status, religion, political leaning and upcoming events.

Because Facebook considers the device manufacturers to be “insiders,” the companies can also get data about users’ friends, regardless of whether they’ve turned off sharing of data with third parties.

Facebook Vice President Archibong says there’s nothing to see here and that Facebook hasn’t violated the 2014 FTC consent decree:

These contracts and partnerships are entirely consistent with Facebook’s FTC consent decree.

But former FTC official Jessica Rich, who helped lead the investigation that resulted in the decree, and who’s now working with Consumers Union, disagreed:

Under Facebook’s interpretation, the exception swallows the rule.

They could argue that any sharing of data with third parties is part of the Facebook experience. And this is not at all how the public interpreted their 2014 announcement that they would limit third-party app access to friend data.

The FTC confirmed in March that it’s investigating Facebook over its dealings with Cambridge Analytica.