Facebook gave more than 150 companies, including Microsoft, Netflix, Spotify, Amazon, and Yahoo, unprecedented access to users’ personal data, according to a New York Times report published Tuesday.
The Times obtained hundreds of pages of Facebook documents, generated in 2017, that show that the social network considered these companies business partners and effectively exempted them from its privacy rules.
Facebook allowed Microsoft’s search engine Bing to see the names of nearly all users’ friends without their consent, and allowed Spotify, Netflix, and the Royal Bank of Canada to read, write, and delete users’ private messages, and see participants on a thread.
It also allowed Amazon to get users’ names and contact information through their friends, let Apple access users’ Facebook contacts and calendars even if users had disabled data sharing, and let Yahoo view streams of friends’ posts “as recently as this summer,” despite publicly claiming it had stopped sharing such information a year ago, the report said. Collectively, applications made by these technology companies sought the data of hundreds of millions of people a month.
On Tuesday night, a Facebook spokesperson told BuzzFeed News that the social media giant solidified different types of partnerships with major tech and media companies for specific reasons. Apple, Amazon, Yahoo, and Microsoft, for example, were known as “integration partners,” and Facebook helped them build versions of the app “for their own devices and operating systems,” the spokesperson said.
Facebook solidified its first partnerships around 2009–2010, when the company was still a fledgling social network. Many of them were still active in 2017, the spokesperson said. The Times reported that some of them were still in effect this year.
Around 2010, Facebook linked up with Spotify, the Bank of Canada, and Netflix. Once a user logged in and connected their Facebook profile with these accounts, these companies had access to that person’s private messages. The spokesperson confirmed that there are probably other companies that also had this capability, but said that these partners were removed in 2015 and, “right now there is no evidence of any misuse of data.”
Other companies, such as Bing and Pandora, were able to see users’ public information, like their friend lists and what types of songs and movies they liked.
The spokesperson said that Facebook has a “robust investigation process” and many “checks and balances to make sure partners don't abuse data.” Currently, there is no evidence that companies misused data, they said. However, BlackBerry, which worked with the social media company to build its own Facebook app, told the Times that it had never been audited.
The records also show that Russian search giant Yandex, which was accused last year by Ukraine’s security service of giving user data to the Kremlin, also had access to Facebook’s unique user IDs in 2017. A Yandex spokesperson told the Times that the company was unaware of the access to user data provided by Facebook.
A Yandex spokesperson later told BuzzFeed News the agreement allowed it to index “public data from Facebook pages and public Facebook posts for users in Russia, Turkey, Ukraine, Belarus, Kazakhstan and other CIS countries,” and “was limited to content posted by users under 'Public' privacy settings.”
They went on: “No user data from other countries was shared between Facebook and Yandex. Yandex and other search engines stopped receiving data from Facebook in 2015 after Facebook deprecated the relevant API enabling the data feed. Yandex complied with all terms of the agreement for receiving data... a significant part of our commitment to users everywhere is protecting their privacy and security.”
In response to the report, Steve Satterfield, Facebook’s director of privacy and public policy, defended the actions of the social network.
“Facebook’s partners don’t get to ignore people’s privacy settings, and it’s wrong to suggest that they do,” he said in a statement to BuzzFeed News. “Over the years, we’ve partnered with other companies so people can use Facebook on devices and platforms that we don’t support ourselves. Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.”
“We know we’ve got work to do to regain people’s trust. Protecting people’s information requires stronger teams, better technology, and clearer policies, and that’s where we’ve been focused for most of 2018. Partnerships are one area of focus and, as we’ve said, we’re winding down the integration partnerships that were built to help people access Facebook.”
In a follow-up email sent to BuzzFeed News, Facebook said that it relied on “users and others to identify potential violations” with partners, as well as its own employees to flag concerning behavior from outside companies now working with the social media giant. And late on Tuesday night, the company published a blog post called “Let's Clear Up a Few Things About Facebook's Partners,” where it said, among other things, how companies like Spotify and Netflix got access to users' private messages.
An Apple spokesperson declined to comment and pointed BuzzFeed News to a paragraph in the Times story that said that Apple was not aware that Facebook had granted its devices any special access, and that any shared data that remained on Apple devices wasn't available to anyone other than the users themselves.
Microsoft said it ended its contract with Facebook in February 2016 and that data stopped appearing in search results after that. “Throughout our engagement with Facebook, we respected all user preferences,” said a Microsoft spokesperson to BuzzFeed News.
A Netflix spokesperson issued the following statement to BuzzFeed News: “Over the years we have tried various ways to make Netflix more social. One example of this was a feature we launched in 2014 that enabled members to recommend TV shows and movies to their Facebook friends via Messenger or Netflix. It was never that popular so we shut the feature down in 2015. At no time did we access people’s private messages on Facebook, or ask for the ability to do so.”
A Yahoo spokesperson told BuzzFeed News that it did not use information for advertising purposes. The information allowed Yahoo users, on an opt in basis, to import their Facebook contacts into their Yahoo mail account. An additional functionality allowed for Yahoo users to view their Facebook newsfeed in the Yahoo environment. These services were only available if a user opted in to use them.
Spotify did not immediately respond to BuzzFeed News requests for comment.
Facebook has been rocked by privacy scandals this year. Last week, the company said that it had found a security flaw that exposed the public and private photos of 6.8 million users on its platform to developers. In September, the company announced a breach that exposed the emails and phone numbers, as well as profile information such as gender, birth date, location, and recent search history of 30 million users. And earlier this year, the company came under fire after British data analytics firm Cambridge Analytica obtained the personal data of up to 87 million Facebook users without their consent.
In a blog post responding to the Cambridge Analytica scandal in March, Facebook CEO Mark Zuckerberg wrote: “We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again.”
And last week, Facebook set up a privacy pop-up in New York City's Bryant Park to educate users about privacy on the platform.
This is a developing story. Check back soon for updates and follow BuzzFeed News on Twitter.