Skip to main content

Facebook gave Spotify and Netflix access to users’ private messages

What to make of the New York Times’ latest story about Facebook’s broad data-sharing agreements? The story, which draws on internal documents describing the company’s partnerships, reports on previously undisclosed aspects of business partnerships with companies including Apple, Amazon, Microsoft, Spotify, and Netflix. In some cases, companies had access to data years after it was supposed to have been cut off.

Here’s how the story is framed by reporters Gabriel J.X. Dance, Michael LaForgia, and Nicholas Confessore:

The documents, as well as interviews with about 50 former employees of Facebook and its corporate partners, reveal that Facebook allowed certain companies access to data despite those protections. They also raise questions about whether Facebook ran afoul of a 2011 consent agreement with the Federal Trade Commission that barred the social network from sharing user data without explicit permission.

In all, the deals described in the documents benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year.

The story, which builds on reporting earlier this year from both the Times and the Wall Street Journal, describes a variety of data-sharing partnerships, some of which users were likely unaware of. They include:

  • Giving Apple access to users’ Facebook contacts and calendar entries, even if they had disabled data sharing, as part of a partnership that still exists. Apple told the Times it was unaware that it had special access, and of the data described would never leave the user’s device.
  • Giving Amazon the names and contact information of users, in a partnership that is currently being wound down. Amazon wouldn’t discuss how it used the data other than to say it had used it “appropriately.” On Twitter, Gizmodo’s Kashmir Hill speculated that Amazon may have used the data to fight review fraud.
  • Giving Bing, the Microsoft search engine, access to see names and other profile information of a user’s friends. Microsoft said it has since deleted the data. Facebook says that only user data set to “public” was accessible to Microsoft.
  • Giving Spotify, Netflix, and the Royal Bank of Canada the ability to read users’ private Facebook messages.

The access described in the Times story falls into three types of Facebook partnerships. The first are what Facebook calls “integrations,” and they refer to custom-built apps that Facebook built for OEMs like BlackBerry. Because they were integrated with phone operating systems, they require a broad exchange of data with OEMs. They’ve gotten a lot of attention this year, but I think most users would reasonably assume that their personal data was being exchanged with the phone manufacturer in those cases.

The second type of partnerships, which is represented by the Bing deal, are part of a now-defunct program called “instant personalization.” This feature, which launched in 2010, opted every Facebook user in by default. It allowed all of its partners to personalize their own services using whatever Facebook knew about you and was willing to share. Yelp, for example, would show visitors which of their Facebook friends used the site when they visited.

The program drew significant criticism when it launched, and it was eventually killed off in 2014. But according to the Times, Bing continued to have access to the data through 2017, and two other companies still had access this summer. On one hand, this was all public data — friends’ names, hometowns, and that sort of thing. On the other hand, Facebook’s failure to shut down data access here is reminiscent of the failure that sparked the Cambridge Analytica data privacy scandal: a company said it had deleted a bunch of user data turned out to have instead used it in an influence to sway the 2016 presidential election.

The final type of partnerships are essentially one-off deals that Facebook made over the years. The scariest-sounding of them all was a deal Facebook made with companies including Spotify, Netflix, and the Royal Bank of Canada in which partners were granted read and write access to users’ Facebook messages. This was the result of a broadly written API, launched in 2010 as part of an early (pre-Messenger) effort to build a messaging platform. In Spotify’s case, for example, the company plugged into your chat window to send songs to your friends. It seems possible that a rogue employee made mischief in someone’s messages, but the Times story doesn’t include any examples.

There are other worrisome details in the Times story, including reports that Yahoo and the Russian search company Yandex both retained access to user data years after it was supposed to have been cut off. Collectively, they speak to an indifference toward data security that flies in the face of recent Facebook pronouncements on the subject — most notably, chief marketing officer Carolyn Everson’s statement last week that privacy “is the foundation of our company.” Everson made her comments on the same day that Facebook opened a pop-up kiosk in New York City’s Bryant Park where users could ask questions about how their data is used on the platform.

Presumably, they would have had more questions to ask if they had access to the list of 150 companies that had been making data partnerships with Facebook over the past decade.

In response to the Times’ report, the company acknowledged it had more work to do to regain user trust. It also highlighted some of the benefits of data sharing, including the ability to create more personalized experiences on other sites and services.

“Facebook’s partners don’t get to ignore people’s privacy settings, and it’s wrong to suggest that they do,” said Steve Satterfield, director of privacy and public policy at Facebook, in an email. “Over the years, we’ve partnered with other companies so people can use Facebook on devices and platforms that we don’t support ourselves. Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.”

I find it helpful to read the allegations in the Times’ story chronologically, starting with the integration deals, continuing with the one-off agreements, and ending with instant personalization. Do so and you read a story of a company that, after some early success growing its user base by making broad data-sharing agreements with one set of companies — OEMs — it grew more confident, and proceeded to give away more and more, often with few disclosures to users. By the time “Instant personalization” arrived, it was widely panned, and never met Facebook’s hopes for it. Shortly after it was wound down, Facebook would take action against Cambridge Analytica, and once again began placing meaningful limitations on its API.

Then basically nothing happened for three years!

Whatever is happening, it’s happening ... now. It has been only two months since the largest data breach in Facebook’s history. It has been only five days since the last time Facebook announced a significant data leak. It has been only two days since I said I would be taking the rest of the year off of writing this newsletter.

It has only been a few hours since Cher announced she was quitting.

Here are two last things to chew over as we think about this story in the coming days. One, it’s now clear that a data partnership with Facebook can create reputational risks for the companies making the deals. Every company named in the report will be held account for the Times’ findings, and they better have good and thorough answers when shareholders, lawmakers, and reporters start asking.

Two, it’s amazing how much oxygen we all have given to the false notion that Facebook sells your data — when the real story was the data they were giving away.



from The Verge - Teches https://ift.tt/2Afqg2z

Comments

Popular posts from this blog

The PlayStation Classic has a secret debug menu that can be reached with specific keyboards

Just a day after the release of the PlayStation Classic , the Retro Gaming Arts YouTube channel has discovered that you can access the emulator’s settings menu by plugging a keyboard into a free USB slot and hitting the Esc key. Doing so reveals a host of settings for the built-in open-source PCSX ReARMed emulator, potentially allowing access to options, including save states, controls, and cheats. The discovery has raised hope that some of the criticisms of the retro console , such as a limited game library and poor image quality, could soon be addressed with third-party modding. In the discovered menus, an option to “Load CD Image” is clearly visible, which suggests it might be possible to load additional games or perhaps just the better-performing 60Hz NTSC variants. An option to enable scanlines, the horizontal lines that allow an LCD screen to emulate the look of a traditional CRT monitor, is also present. Despite the discovery, it’s unlikely that the hardware limitations o

With Toys R Us gone, Amazon wants to send out a holiday toy catalog of its own

Now that Amazon has helped kill off Toys R Us , it wants to borrow the retailer’s iconic print holiday toy catalog . The online behemoth is interested in creating its own print catalog to mail out and also be handed out at Whole Foods (which it owns), according to Bloomberg . Toys R Us was plagued with billions in debt when permanently closed last month — in part because of competition from online stores like Amazon . For many kids, its “Big Book” toy catalog was a staple of fall. The 100-page catalog would arrive near the end of October for kids to look through and create a wishlist before December. Now that the retailer is done, various companies are trying to scoop up the customers that headed to their shelves every December. Party City, for example, will open 50 pop-up toy shops for the holidays. Target will have more store space for toys . It’s just especially amusing that Amazon, having helped kill off these physical retailers, is trying to learn from them to make even mor

Amazon’s plans for a New York office are under new scrutiny

A month ago, when Amazon announced that it would build regional offices in New York and Virginia at great expense to the taxpayers there, I wrote that it had misunderstood the moment : Perhaps the furor over Amazon’s regional offices will blow over. But it’s hard not to feel today as if the company misread the room — overestimating the public’s appetite for a billion-dollar giveaway to one of the world’s biggest companies, and underestimating the public’s ability to raise hell on- and offline. Amazon may yet feel that pain, in the long run. Today, Amazon met the room: 150 protesters who showed up to the first New York City Council hearing about the plan. According to reports from the scene, demonstrators’ concerns start with the $3 billion in incentives that New York plans to give Amazon in exchange for locating there — and, it says, creating 25,000 jobs. Here’s Leticia Miranda in BuzzFeed : ”You’re worth a trillion dollars,” New York City Council Speaker Corey Johnson told the