On Sunday, The New York Times revealed that Facebook had deals with phone manufacturers including Apple, Amazon, Microsoft, and Blackberry going back a decade that gave the device makers access to copious amounts of personal data about users and their friends in order to re-create a mobile version of Facebook on their devices.
Facebook had deals with 60 companies, granting those firms access to information like users’ relationship status, religion, political leaning, events they planned to attend, and whether the user was online. What’s more, some deals let device makers override a user’s privacy setting. Smartphone manufacturers could obtain information about a user’s Facebook friends even if that user denied Facebook permission to share their information with third parties.
Unlike the scandal over Cambridge Analytica, there are no known instances where outsiders abused the terms of their arrangement with Facebook.
The partnerships dated back to a time before app stores were well-oiled machines, when Facebook needed help to render a good experience on feature phones. They appear to have survived after Facebook changed its policies in 2014 to restrict the data it shared with app makers.
But the Times report again raises questions about oversight of a consent decree Facebook signed with the Federal Trade Commission in 2011 that was supposed to protect users from having their data shared with third parties without consent.
“It raises some huge red flags. I don’t really know how Facebook is going to justify this kind of sharing under the consent decree,” says David Vladeck, former director of the FTC’s Bureau of Consumer Protection who oversaw the Facebook investigation that led to the 2011 decree.
A Facebook spokesperson said the company considered the device makers “service providers,” which were treated differently than other outsiders in the consent decree. Under the decree, Facebook was permitted to share data more liberally with service providers than with other outsiders, such as app makers.
The spokesperson told WIRED that the device integration started in 2007 when Facebook couldn’t build a version of its app for each device and operating system. In a blog post, Ime Archibong, Facebook’s vice president of of product partnerships, wrote that Facebook imposed tight restrictions on how the device makers used Facebook data and knew of no abuses.
One of the Times reporters said on Twitter that he had entered his Facebook login and password into a Blackberry device and it started transmitting data Facebook held about him and his Facebook friends, even though he deleted the Facebook app. In a statement, Blackberry said it did not “collect or mine the Facebook data of our customers” and built its devices in a way that would have prevented others from accessing the data.
Vladeck questioned Facebook’s assurances. “I just don’t understand how any of the companies, and there were a lot, with whom Facebook shared data had no use for the data at all,” he says. “Is there no quid pro quo? That’s the question, and the Times piece suggests there was a quid pro.”
The 2011 consent decree required Facebook to hire an outside firm to conduct audits of its privacy practices every two years. Redacted versions of three audits by PricewaterhouseCoopers do not appear to mention the arrangement with device makers. Facebook declined to comment on the audits. Vladeck says he’s not certain whether the information would have to be included in the audits. But he said it should have been reported to the FTC. “Had [the agency] been aware, there would have been some investigation,” he says. Vladeck said Facebook’s arguments are “implausible” because they imply that it gave the data to device makers even though the device makers had no plans to use it.
The FTC said in March it is investigating whether Facebook violated the consent decree by not monitoring Cambridge Analytica’s use of its data. Vladeck and Jessica Rich, his successor at the FTC’s Bureau of Consumer Protection, expect the new revelations about device makers to be included in that investigation.
“How the FTC addresses this issue in its investigation and potential enforcement of the consent decree will be a test of the ability of the consent decree to anticipate these issues,” Rich says. She says the revelations about the agreements with device makers also cast doubt on Facebook statements suggesting Cambridge Analytica had essentially duped the social media company. “If in fact dozens of companies were able to access detailed data about not only users but their friends, it suggests that Facebook’s statements about Cambridge Analytica aren’t accurate either,” she said.