In a major Friday night data dump, Facebook handed Congress a ~750-page document with responses to the 2,000 or so questions it received from US lawmakers sitting on two committees in the Senate and House back in April.
The document (which condensed into a tellingly apt essence — “people data… Facebook information” — when we ran it through Word It Out’s word cloud tool) would probably come in handy if you needed to put a small child to sleep, given Facebook repeats itself a distressing number of times.
TextMechanic’s tool spotted 3,434 lines of duplicate text in its answers — including Facebook’s current favorite line to throw at politicians, where it boldly states: “Facebook is generally not opposed to regulation but wants to ensure it is the right regulation”, followed by the company offering to work with regulators like Congress “to craft the right regulations”. Riiiiight.
While much of what Facebook’s policy staffers have inked here is an intentional nightcap made of misdirection and equivocation, one nugget of new intel that jumps out is a long list of partners Facebook gave special data access to — via API agreements it calls “integration partnerships”.
Some names on the list have previously been reported by the New York Times. And as the newspaper pointed out last month, the problem for scandal-hit Facebook is these data-sharing arrangements appear to undermine some of its claims about how it respects privacy because users were not explicitly involved in consenting to the data sharing.
Below is the full list of 52 companies Facebook has now provided to US lawmakers — though it admits the list might not actually be comprehensive, writing: “It is possible we have not been able to identify some integrations, particularly those made during the early days of our company when our records were not centralized. It is also possible that early records may have been deleted from our system”.
The listed companies are also by no means just device makers — the list also includes the likes of mobile carriers, software makers, security firms, even the chip designer Qualcomm. So it’s an illustrative glimpse of quite how much work Facebook did to embed into services across the mobile web — predicated upon being able to provide so many third party businesses with user data.
Company names below that are appended with * denote partnerships that Facebook says it is “still in the process of ending” (it notes three exceptions: Tobii, Apple and Amazon, which it says will continue beyond October 2018), while ** denotes data partnerships that will continue but without access to friends’ data.
21. MediaTek/Mstar
23. Miyowa/Hape Esia
31. Opentech ENG
32. Opera Software**
47. Virgin Mobile
49. Warner Bros
50. Western Digital
52. Zing Mobile*
NB: Number 46 on the list — Verizon — is the parent company of TechCrunch’s parent, Oath.
The number and scope of the partnerships raised fresh privacy concerns about how Facebook (man)handles user data, casting doubt on its repeat claims to have “locked down the platform” in 2014/15, when it changed some of its APIs to prevent other developers doing a ‘Kogan’ and sucking out masses of data via its Friends API.
After the Cambridge Analytica story (re)surfaced in March, Facebook’s crisis PR response to the snowballing privacy scandal was to claim it had battened down access to user data back in 2015, when it shuttered the friends’ data API.
But the scope of its own data sharing arrangements with other companies shows it was in fact continuing to quietly pass over people’s data (including friend data) to a large number of partners of its choosing — without obtaining users’ express consent.
This is especially pertinent because of a 2011 consent decree that Facebook signed with the Federal Trade Commission — agreeing it would avoid misrepresenting the privacy or security of user data — to settle charges that it had deceived its customers by “telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public”.
Yet, multiple years later, Facebook had inked data-sharing API integrations with ~50 companies that afforded ongoing access to Facebook users’ data — and apparently only started to wind down some of these partnerships this April, right after Cambridge Analytica blew up into a major global scandal.
Facebook says in the document that 38 of the 52 have now been discontinued — though it does not specify exactly when they were ended — adding that an additional seven will be shut down by the end of July, and another one will be closed by the end of October.
“Three partnerships will continue: (1) Tobii, an accessibility app that enables people with ALS to access Facebook; (2) Amazon; and (3) Apple, with whom we have agreements that extend beyond October 2018,” it adds, omitting to say what exactly Amazon does with Facebook data. (Perhaps an integration with its Fire line of mobile devices.)
“We also will continue partnerships with Mozilla, Alibaba and Opera — which enable people to receive notifications about Facebook in their web browsers — but their integrations will not have access to friends’ data,” it adds, so presumably the three companies were previously getting access to friend data.
Facebook claims its integration partnerships “differed significantly” from third-party app developers’ use of its published APIs to build apps for consumers on its developer platform — because its staff were approving the applications its partners could build.
It further says partners “were not permitted to use data received through Facebook APIs for independent purposes unrelated to the approved integration without user consent” — specifying that staff in its partnerships and engineering teams managed the arrangements, including by reviewing and approving how licensed APIs were integrated into the partner’s products.
“By contrast, our Developer Operations (“Dev Ops”) team oversees third-party developers, which determine for themselves how they will build their apps — subject to Facebook’s general Platform Policies and Dev Ops approval for apps seeking permission to use most published APIs,” it writes, essentially admitting it was running a two-tier system related to user data access, with third party developers on its platform not being subject to the same kind of in-house management and reviews as its chosen integration partners.
Aleksandr Kogan, the Cambridge University academic who made the quiz app which harvested Facebook users’ data in 2014 so that he could sell the information to Cambridge Analytica, has argued Facebook did not have a valid developer policy because it was not actively enforcing its T&Cs.
And certainly the company is admitting it made fewer checks on what developers were doing with user data vs companies it selectively gave access to.
In further responses to US lawmakers — who had asked Facebook to explain what “integrated with” means, vis-a-vis its 2016 data policy, where it stated: “When you use third-party apps, websites or other services that use, or are integrated with, our Services, they may receive information about what you post or share” — Facebook also makes a point of writing that integration partnerships were “typically… defined by specially-negotiated agreements that provided limited rights to use APIs to create specific integrations approved by Facebook, not independent purposes determined by the partner”.
The word “typically” is a notable choice there — suggesting some of these partnerships were rather more bounded than others. Though Facebook does not go into further detail.
We asked the company for more information — such as whether it will be listing the purposes for each of these integration partnerships, including the types of user and friends data each partner received, and the dates/durations for each arrangement — but a spokesman said it has nothing more to add at the moment.
In the document, Facebook lists four uses for people’s information as being some of the purposes its integration partners had for the data — namely: some partners built versions of its app for their device, OS or product that “replicated essential Facebook features that we built directly on the Facebook website and in our mobile apps”; some built social networking ‘hubs’ — which aggregated messages from multiple social services; some built syncing integrations to enable people to sync their Facebook data with their device in order to integrate Facebook features on their device (such as to upload pictures to Facebook and to download their Facebook pictures to their phones, or to integrate their Facebook contacts into their address book); and some developed USSD services — to provide Facebook notifications and content via text message, such as for feature phone users without mobile Internet access.
Also notably, Facebook does not specify exactly when the integration partnerships began — writing instead that they:
“[B]egan before iOS and Android had become the predominant ways people around the world accessed the internet on their mobile phones. People went online using a wide variety of text-only phones, feature phones, and early smartphones with varying capabilities. In that environment, the demand for internet services like Facebook, Twitter, and YouTube outpaced our industry’s ability to build versions of our services that worked on every phone and operating system. As a solution, internet companies often engaged device manufacturers and other partners to build ways for people to access their experiences on a range of devices and products.”
Which sounds like a fairly plausible explanation for why some of the data-sharing arrangements began. What’s less clear is why many were apparently continuing until just a few weeks ago.
Facebook faces another regulatory risk related to its user data-sharing arrangements because it’s a signatory of the EU-US Privacy Shield, using the data transfer mechanism to authorize exporting hundreds of millions of EU users’ information to the US for processing.
However, legal pressure has been mounting on this mechanism for some time. And just last month an EU parliament committee called for it to be suspended — voicing specific concerns about the Facebook Cambridge Analytica scandal, and saying companies that fail to safeguard EU citizens’ data should be removed from the Privacy Shield list.
Facebook remains a signatory of Privacy Shield for now but the company can be removed by US oversight bodies if it is deemed not to have fulfilled its obligations to safeguard EU users’ data.
And in March the FTC confirmed it had opened a fresh investigation into Facebook’s privacy practices following revelations that data on tens of millions of Facebook users had been passed to third parties without most people’s knowledge or consent.
If the FTC finds Facebook violated the consent decree because it mishandled people’s data, there would be huge pressure for Facebook to be removed from Privacy Shield — which would mean the company has to scramble to put in place alternative legal mechanisms to transfer EU users’ data. Or potentially risk major fines, given the EU’s new GDPR data protection regime.
Facebook’s current use of one alternative data transfer method — called Standard Contractual Clauses — is also already under separate legal challenge.