Facebook gave certain companies special access to customer data

What do Russian internet company Mail.ru, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access private Friends data API despite the company supposedly changing the policy allowing this in May 2015.

This is news because it shouldn’t have been possible. As Facebook explains the policy, first communicated to all companies in April 2014:

We made clear that existing apps would have a year to transition – at which point they would be forced to migrate to the more restricted API and be subject to Facebook’s new review and approval protocols.

It wasn’t a long extension, amounting to six months for all bar one company, accessibility app company Serotek, which was given eight months in total.

Facebook doesn’t make clear why this happened, a frustrating omission in a document that runs to 747 pages of answers to around 2,000 questions sent by US lawmakers following Mark Zuckerberg’s Senate grilling in April.

It’s the latest story to emerge from what in retrospect looks like a slightly botched and inconsistent transition from one API policy to another, more restrictive one.

Contentiously, the earlier policy was not only allowing access to the data of each app’s users – name, gender, location, birth date – but that of their friends too, if they had their profiles set to Public.

Post-Cambridge Analytica, and suddenly everyone’s looking at Facebook’s privacy modus operandi and asking why the new API policy was allowed to slide for some but not others.

For the most part, the policy change has only served to draw attention to the fact that it was in need of changing. That such a policy was ever in place highlights the sort of access Facebook has been giving partners without anyone – least of all its users – knowing about it.

To make matters worse, it seems some had highly privileged access all along: 60 device makers, including Apple, Samsung, Amazon, and BlackBerry had separate, long-term agreements allowing them access to the same Friends data.

It’s almost as if sharing restrictions depended on that company’s value to Facebook. Said researcher and former FTC chief technologist, Ashkan Soltani, to the New York Times:

It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission.