Skip to main content

Facebook gave Spotify and Netflix access to users’ private messages

What to make of the New York Times’ latest story about Facebook’s broad data-sharing agreements? The story, which draws on internal documents describing the company’s partnerships, reports on previously undisclosed aspects of business partnerships with companies including Apple, Amazon, Microsoft, Spotify, and Netflix. In some cases, companies had access to data years after it was supposed to have been cut off.

Here’s how the story is framed by reporters Gabriel J.X. Dance, Michael LaForgia, and Nicholas Confessore:

The documents, as well as interviews with about 50 former employees of Facebook and its corporate partners, reveal that Facebook allowed certain companies access to data despite those protections. They also raise questions about whether Facebook ran afoul of a 2011 consent agreement with the Federal Trade Commission that barred the social network from sharing user data without explicit permission.

In all, the deals described in the documents benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year.

The story, which builds on reporting earlier this year from both the Times and the Wall Street Journal, describes a variety of data-sharing partnerships, some of which users were likely unaware of. They include:

  • Giving Apple access to users’ Facebook contacts and calendar entries, even if they had disabled data sharing, as part of a partnership that still exists. Apple told the Times it was unaware that it had special access, and of the data described would never leave the user’s device.
  • Giving Amazon the names and contact information of users, in a partnership that is currently being wound down. Amazon wouldn’t discuss how it used the data other than to say it had used it “appropriately.” On Twitter, Gizmodo’s Kashmir Hill speculated that Amazon may have used the data to fight review fraud.
  • Giving Bing, the Microsoft search engine, access to see names and other profile information of a user’s friends. Microsoft said it has since deleted the data. Facebook says that only user data set to “public” was accessible to Microsoft.
  • Giving Spotify, Netflix, and the Royal Bank of Canada the ability to read users’ private Facebook messages.

The access described in the Times story falls into three types of Facebook partnerships. The first are what Facebook calls “integrations,” and they refer to custom-built apps that Facebook built for OEMs like BlackBerry. Because they were integrated with phone operating systems, they require a broad exchange of data with OEMs. They’ve gotten a lot of attention this year, but I think most users would reasonably assume that their personal data was being exchanged with the phone manufacturer in those cases.

The second type of partnerships, which is represented by the Bing deal, are part of a now-defunct program called “instant personalization.” This feature, which launched in 2010, opted every Facebook user in by default. It allowed all of its partners to personalize their own services using whatever Facebook knew about you and was willing to share. Yelp, for example, would show visitors which of their Facebook friends used the site when they visited.

The program drew significant criticism when it launched, and it was eventually killed off in 2014. But according to the Times, Bing continued to have access to the data through 2017, and two other companies still had access this summer. On one hand, this was all public data — friends’ names, hometowns, and that sort of thing. On the other hand, Facebook’s failure to shut down data access here is reminiscent of the failure that sparked the Cambridge Analytica data privacy scandal: a company said it had deleted a bunch of user data turned out to have instead used it in an influence to sway the 2016 presidential election.

The final type of partnerships are essentially one-off deals that Facebook made over the years. The scariest-sounding of them all was a deal Facebook made with companies including Spotify, Netflix, and the Royal Bank of Canada in which partners were granted read and write access to users’ Facebook messages. This was the result of a broadly written API, launched in 2010 as part of an early (pre-Messenger) effort to build a messaging platform. In Spotify’s case, for example, the company plugged into your chat window to send songs to your friends. It seems possible that a rogue employee made mischief in someone’s messages, but the Times story doesn’t include any examples.

There are other worrisome details in the Times story, including reports that Yahoo and the Russian search company Yandex both retained access to user data years after it was supposed to have been cut off. Collectively, they speak to an indifference toward data security that flies in the face of recent Facebook pronouncements on the subject — most notably, chief marketing officer Carolyn Everson’s statement last week that privacy “is the foundation of our company.” Everson made her comments on the same day that Facebook opened a pop-up kiosk in New York City’s Bryant Park where users could ask questions about how their data is used on the platform.

Presumably, they would have had more questions to ask if they had access to the list of 150 companies that had been making data partnerships with Facebook over the past decade.

In response to the Times’ report, the company acknowledged it had more work to do to regain user trust. It also highlighted some of the benefits of data sharing, including the ability to create more personalized experiences on other sites and services.

“Facebook’s partners don’t get to ignore people’s privacy settings, and it’s wrong to suggest that they do,” said Steve Satterfield, director of privacy and public policy at Facebook, in an email. “Over the years, we’ve partnered with other companies so people can use Facebook on devices and platforms that we don’t support ourselves. Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.”

I find it helpful to read the allegations in the Times’ story chronologically, starting with the integration deals, continuing with the one-off agreements, and ending with instant personalization. Do so and you read a story of a company that, after some early success growing its user base by making broad data-sharing agreements with one set of companies — OEMs — it grew more confident, and proceeded to give away more and more, often with few disclosures to users. By the time “Instant personalization” arrived, it was widely panned, and never met Facebook’s hopes for it. Shortly after it was wound down, Facebook would take action against Cambridge Analytica, and once again began placing meaningful limitations on its API.

Then basically nothing happened for three years!

Whatever is happening, it’s happening ... now. It has been only two months since the largest data breach in Facebook’s history. It has been only five days since the last time Facebook announced a significant data leak. It has been only two days since I said I would be taking the rest of the year off of writing this newsletter.

It has only been a few hours since Cher announced she was quitting.

Here are two last things to chew over as we think about this story in the coming days. One, it’s now clear that a data partnership with Facebook can create reputational risks for the companies making the deals. Every company named in the report will be held account for the Times’ findings, and they better have good and thorough answers when shareholders, lawmakers, and reporters start asking.

Two, it’s amazing how much oxygen we all have given to the false notion that Facebook sells your data — when the real story was the data they were giving away.



from The Verge - Teches https://ift.tt/2Afqg2z

Comments

Popular posts from this blog

Magic Leap is shipping across (most of) the US

As Magic Leap holds the first developer conference for its Magic Leap One mixed reality headset, that headset has started shipping across the contiguous United States, instead of in a set of select markets. The Magic Leap One Creator Edition costs $2,295, just like before, but there’s now an installment plan that starts at $96 per month. All orders are supposed to arrive within 60 days. The Magic Leap One Creator Edition went on sale in early August, and while Magic Leap has touted it as a fully functional device, it’s basically meant for people who want to design apps, games, or art for mixed reality. We were ambivalent toward the hardware, which we found limited, and we noted that Magic Leap hadn’t shown off a lot of material that showcased its potential. The company’s developer conference keynote has revealed several new projects. Among other things, Spider-Man studio Insomniac Games is building an experience that will let you grow a holographic creature on your tabletop, and...

The company behind the adorably doomed robot Kuri is shutting down

Less than a month after Mayfield Robotics said it was stopping production on its Kuri home robot, the company announced today on its blog that the company will be shutting down. Mayfield Robotics launched in 2015 as part of Bosch’s Startup Platform, but struggled to integrate with and find a business fit within Bosch. Since the cancellation of its Kuri robot, Mayfield Robotics had been looking for external partners for long-term technology development, but was unable to find investment to support its future. The company will cease all operations by October 31st. We first met Kuri at CES 2017, and it wasn’t yet able to showcase all the features it was promised to have in the future. The robot was supposed to have smart assistant functionalities like an Amazon Echo, but with a much cuter face and movable body. Promo videos showed it working as a moving home security camera that was controllable through the Kuri app, but in the demonstration we saw, it only had as much functionality a...

Amazon’s plans for a New York office are under new scrutiny

A month ago, when Amazon announced that it would build regional offices in New York and Virginia at great expense to the taxpayers there, I wrote that it had misunderstood the moment : Perhaps the furor over Amazon’s regional offices will blow over. But it’s hard not to feel today as if the company misread the room — overestimating the public’s appetite for a billion-dollar giveaway to one of the world’s biggest companies, and underestimating the public’s ability to raise hell on- and offline. Amazon may yet feel that pain, in the long run. Today, Amazon met the room: 150 protesters who showed up to the first New York City Council hearing about the plan. According to reports from the scene, demonstrators’ concerns start with the $3 billion in incentives that New York plans to give Amazon in exchange for locating there — and, it says, creating 25,000 jobs. Here’s Leticia Miranda in BuzzFeed : ”You’re worth a trillion dollars,” New York City Council Speaker Corey Johnson told the ...