Facebook defends giving tech giants access to extensive user data

In a story which unfortunately just keeps giving, Facebook has yet again awarded us with a privacy scandal worthy of note.

Facebook has defended its data-sharing practices with other technology firms while at the same time admitting that lax API control may have exacerbated what has already been a trying year for the social networking giant.

On Tuesday, Konstantinos Papamiltiadis, Director of Developer Platforms and Programs said in a blog post on Facebook that recently exposed data-sharing practices were all about "helping people," and said nothing was done without a measure of user consent.

The note was published as the social media giant's response to a New York Times report this week which claimed that for years Facebook has conducted "special arrangements' with major technology companies that gave them access to intrusive data on users.

According to the NYT, these businesses became exempt from standard privacy rules due to these inside deals. Microsoft's Bing was able to see the names of almost all Facebook user friends without consent; Netflix and Spotify were able to read private messages; Yahoo could view Facebook friend post streams, and Amazon was able to obtain usernames and contact information through friend connections.

Papamiltiadis said in response that these features -- many of which are now defunct and no longer in use -- were used for purposes including receiving Facebook notifications while in an active browsing session; integration for song recommendations, to create search results based on the "public information" friends have shared, and the upload of contacts from Facebook to email services.

"Take Spotify for example," the post reads. "After signing in to your Facebook account in Spotify's desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person's messages in order to power this type of feature."

"Over the years we have tried various ways to make Netflix more social," a Netflix spokesperson told ZDNet. "One example of this was a feature we launched in 2014 that enabled members to recommend TV shows and movies to their Facebook friends via Messenger or Netflix. It was never that popular so we shut the feature down in 2015. At no time did we access people's private messages on Facebook or ask for the ability to do so."

"Amazon uses APIs provided by Facebook in order to enable Facebook experiences for our products," Amazon said in a statement. "For example, giving customers the option to sync Facebook contacts on an Amazon Tablet. We use information only in accordance with our privacy policy."

Microsoft added that "all user preferences" were respected in relation to its dealings with Facebook.

While these deals were designed to benefit all companies involved -- potentially as many as 150 firms in total -- and generate revenue, in light of the Cambridge Analytica scandal, it seems such deals are now coming back to haunt Facebook at the worst time.

According to the publication, some of these deals date back as far as 2010, and some were still active this year. Questions have now also been raised as to whether the tech giant has broken a 2011 consent agreement with the US Federal Trade Commission (FTC). 

Facebook really doesn't need to raise the ire of regulators any further this year, and this is a suggestion that Papamiltiadis vehemently denies, as users would need to sign in with their Facebook account to agree to the data-sharing. 

See also: Best place to work? Google, Facebook slip down rankings after year of controversy

The executive defended the deals, blurring the lines between the social network and so-called "integration partners" by saying the data-sharing practices were established for the purpose of creating more "social experiences."

Papamiltiadis added that instant personalization was closed in 2014, and many other partnerships were wound down over 2018.

"We recognize that we've needed tighter management over how partners and developers can access information using our APIs," the executive said. "We're already in the process of reviewing all our APIs and the partners who can access them."

Amazon, Apple, Tobil, Alibaba, Mozilla, and Opera integration systems are still in effect. Facebook says that there is "no evidence" that the instant personalization data-sharing agreements and APIs were abused, but the APIs were still left in place after the program was shut down.

CNET: Facebook expects to test privacy tool to 'clear history' in spring 2019

"We've taken a number of steps this year to limit developers' access to people's Facebook information, and as part of that ongoing effort, we're in the midst of reviewing all our APIs and the partners who can access them," Papamiltiadis said. "This is important work that builds on our existing systems that track APIs and control who can access to them."

That is all well and good, but considering how much criticism Facebook has faced in the past 12 months over its data-sharing practices, perhaps it is now time to remove the vagarities and soft approach to such reports, and simply be transparent about what deals involved who, and when.

This is an approach which wouldn't necessarily be taken every time a company had poor data protection and inappropriate data sharing allegations thrown their way, but in Facebook's case, trust in the company has been undermined again and again over such a short period and so perhaps more radical, transparent action needs to be taken.

As noted by Alex Stamos, Facebook's former Chief Security Officer (CSO), Facebook's response "blends all kinds of different integrations and models into a bunch of prose." 

"There very well could be serious privacy problems in the Times' story, but it is hard to tell what is really problematic because they intentionally blur the lines between FB allowing 3rd party clients/OS integrations (like Apple) with data actually going to other companies," Stamos added. "Putting your response in a wall of PR-text aimed at end consumers just isn't effective."

TechRepublic: Were your private photos exposed due to Facebook's security bug?

Earlier this month, Facebook revealed the existence of a bug which may have permitted unauthorized access to the private photos 6.8 million users. The leak was due to an API left in backend code between September 13 to September 25, 2018.

It is believed up to 1,500 apps built by 876 developers were involved in the security lapse.

It seems that time and time again this year, Facebook has taken a battering when it comes to user trust and its reputation as a social media platform. As a damage control measure, back in May, Facebook CEO Mark Zuckerberg announced a privacy tool called "clear history" which would give users the option to wipe out their browsing activities on the platform.

This new tool is expected to be released next year.

Previous and related coverage