NYT: Bing could see nearly “all Facebook users’ friends without consent.”
On Tuesday evening, the New York Times revealed more startling news about Facebook: the company “gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules.”
The news comes days after Facebook disclosed a massive photo bug, weeks after 50 million people were affected by an access-token harvesting attack, and less than a month after it was revealed that Facebook considered selling access to its users’ data. All of those scandals are on top of the Cambridge Analytica debacle. In June 2018, Facebook dodged some lawmakers’ questions in written testimony, after two days of CEO Mark Zuckerberg’s appearance before the US Senate.
The newspaper cited “hundreds of pages” of internal documents, which it did not publish.
As the Times reported:
Pushing for explosive growth, Facebook got more users, lifting its advertising revenue. Partner companies acquired features to make their products more attractive. Facebook users connected with friends across different devices and websites. But Facebook also assumed extraordinary power over the personal information of its 2.2 billion users—control it has wielded with little transparency or outside oversight.
Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.
Jennifer Valentino DeVries, a Times reporter who was not bylined on the story, tweeted:
Per the Times, these arrangements apparently let selected partners continue to access users’ contact details via friends—despite the fact that in 2014 Facebook said it was ending such access. Sony, Microsoft, and Amazon were specifically named as companies that had this ability.
“Some of the largest partners, including Amazon, Microsoft and Yahoo, said they had used the data appropriately, but declined to discuss the sharing deals in detail,” the newspaper reported.
This new revelation appears related to, but separate from, the recent revelation that Facebook extended access to companies that paid for the privilege while shutting it down in 2015. In April 2014, Facebook changed the way the previously permissive Graph API works. The social media giant restricted some data access and eliminated all access to the earlier version by June 2015.
In the wake of the Times’ reporting, Sen. Brian Schatz (D-Hawaii) tweeted his frustration.
Facebook spokeswoman Katy Dormer declined to provide Ars with a copy of the documents referenced in the story. She did not respond to Ars’ specific questions, but included two statements from two executives, neither of which denied or refuted the Times’ reporting.
“We know we’ve got work to do to regain people’s trust,” Steve Satterfield, Director of Privacy and Public Policy at Facebook, said in one of the statements.
“Protecting people’s information requires stronger teams, better technology, and clearer policies, and that’s where we’ve been focused for most of 2018. Partnerships are one area of focus and, as we’ve said, we’re winding down the integration partnerships that were built to help people access Facebook.”