A new report in The New York Times contains a startling fact: Working with a 2013 BlackBerry device, a reporter was recently able to use special access Facebook had granted the phone manufacturer to glean some identifying information about 294,258 people.
Facebook said this special access to data existed only for old devices that did not have a native Facebook application. These people were friends of the reporter’s friends—and their information was available to the BlackBerry application, regardless of their Facebook privacy settings. Facebook admitted that it had private data-sharing arrangements with approximately 60 phone manufacturers including players like Apple and Samsung.
The story centers on what reporters could accomplish with that old BlackBerry phone, though it gestures at the other phone makers. This might be confusing. So, here’s what we know so far:
- Facebook and 60 phone makers had heavy-duty agreements for integrating Facebook services and data into different kinds of phones.
- These grew out of a “desire for people to be able to use Facebook whatever their device or operating system,” as Facebook put it. Many phones in the early smartphone era (say, 2007 to 2012) did not have native Facebook applications. In those cases, Facebook allowed for a “re-creation” of their service’s experience on these devices. They said they worked closely with the device manufacturers in developing versions of Facebook for their devices—viewing them like extensions of Facebook itself. For that reason, Facebook argues that this data use was not like other “third-party” data use.
- This is important because Facebook allowed remarkable access to these device manufacturers, including obtaining “data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties,” as the Times put it.
- This kind of friend data became a central privacy concern in the wake of the Cambridge Analytica scandal. Facebook said that from 2014 to 2015 they had shut off developer access to friends’ data.
- In 2011, the Federal Trade Commission cut a deal with Facebook allowing them to operate under a consent decree that required the company to get explicit consent from users before overriding their privacy settings. So, if the device-manufacturer apps were third parties, then ... it doesn’t look so good from the FTC perspective. The former CTO of the FTC, Ashkan Soltani, is quoted in the Times saying: “It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission.”
- The drive for growth led Facebook to share data with device manufacturers. Device manufacturers were competing for market share themselves, and needed a Facebook experience to be competitive. Many companies engaged in similar practices. YouTube, for example, did not build their own iOS app until 2012.
- Facebook’s massive data stores about social networks are a major reason the company’s products work. But in the post–Cambridge Analytica era, that data is also seen as especially sensitive and deserving of more scrutiny than other types of data that companies share with each other.
- These facts have been interpreted to have very broad implications: that people with the Facebook app on their iPhone or Galaxy are transferring their friends’ data directly to Apple and Samsung. But the story addresses older agreements that governed a small slice of today’s phones. The specific method described by the Times does not apply to the phones that most readers have in their pockets.
- The BlackBerry phone the Times used probably does not represent the way today’s big phone manufacturers integrated Facebook. Apple, the company maintains, did not use Facebook data except to do what a user asked, like post a photo or find friends on Apple Music. It did not suck in vast amounts of Facebook data as a standard operating procedure, even after the app had been deleted off the phone. On the other hand, there were 60 or so manufacturers, and in some cases, depending on their architectures, Facebook user data was stored on device manufacturers’ servers. Which companies did this? What did they do with that data? Facebook says it has never seen an example of misuse, and that they’ve spot-checked through time. The company has said it began to wind down the many agreements in April.
- There are many open questions. For example, all these phone makers got special, private routes to Facebook data. “What, in substance, did the device makers have to agree to for this level of access?” asked Aaron Rieke of Upturn, a technology and social-justice think tank, in an email.
The takeaway from this complex, technical story is this: The Times exposed a new way user data could be transferred out of Facebook’s hands. That doesn’t mean that every—or any—phone manufacturer used this data in a nefarious way or handed it off to the Trump campaign. Your data or your friends’ data is not any more insecure today than it was yesterday (unless you use a very old device).
But the story is yet another indication that in the rush to win the mobile wars, technology companies were able and willing to offer user data as a negotiating chip. The mess this generated is what journalists, activists, regulators, and the companies themselves have been trying to understand and clean up for the last several years.