The Facebook files: “Whitelisted” apps got access to your data and activities — with or without consent
Mark Zuckerberg might have even more explaining to do before Congress — and possibly in court. Exposed by an investigation conducted by the British parliament, a flood of internal documents strongly suggests that Facebook ignored a 2011 consent decree in which the social-media giant committed to allowing users to meaningfully restrict access to their data by third-party companies:
The more than 250 pages of documents, which a British parliamentary committee recently obtained as part of a wide-ranging investigation into Facebook, revolve around a decision Facebook made in 2014 and 2015 to cut off developers’ access to posts, photos and other profile information from Facebook users. The internal communications, some of them from Facebook CEO Mark Zuckerberg, appear to show Facebook trading access to user data in exchange for advertising buys and other concessions, which would contradict Facebook’s long-standing claim that it doesn’t sell people’s information. …
The discussions also centered around a controversial practice known as whitelisting, in which Facebook gave select companies preferential access to data after the 2015 restrictions went into effect. Zuckerberg did not tell Congress about the company’s whitelisting when he testified in April, but subsequent reports have exposed privileged relationships brokered by Facebook. The company has since conceded that over 100 apps received special privileges, in part to maintain their functionality as the transition to less data went into effect.
“It is not clear that there was any user consent for this,” Collins said of the whitelisting, in a statement. “Nor how Facebook decided which companies should be whitelisted or not.”
He said major changes to Facebook’s underlying policies and technology were driven by a desire to obtain “increasing revenues from major app developers.”
Justin Brookman, the director of consumer privacy and technology policy for Consumers Union, said the whitelisting amounts to a “prima facie violation” of a 2011 consent decree that Facebook brokered with the U.S. government over a previous privacy mishap. That agreement stipulated that Facebook could not give away people’s data to developers without their permission, and it could carry fines for violations.
So who got the data? Companies like Netflix, Lyft, AirBNB and others, and it wasn’t just limited to specific users. The apps also got access to the data of friends of users, people who not only didn’t consent but also didn’t use those apps. This continued for whitelisted apps even after Facebook publicly declared it had stopped. “If people don’t feel comfortable using Facebook and specifically logging in Facebook and using Facebook in apps, we don’t have a platform, we don’t have developers,” a Facebook spokesperson said of the policy change at the time.
The documents came from a former app developer that sued Facebook after being shut out by a series of Facebook policy changes, and Facebook tried mightily to keep them under wraps. Six4Three lost its ability to do business on the Facebook platform after the 2014-15 rule changes went into effect, only to find out later that competitors were allowed to continue getting the same access to data. The company sued Facebook in the US and obtained the documents through the discovery process, but the court sealed the record.
The Daily Beast’s review of the documents notes that Facebook deliberately created an API to allow favored app developers to continue access to the data despite their supposed policy changes:
“We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not,” Badoo wrote to Facebook in September 2014. “The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps).”
In January 2015, Facebook’s director of platform partnerships, Konstantinos Papamiltidas, wrote back describing a new “application programming interface,” known as an API, that would let selected apps see data about users’ Facebook friends—in apparent violation of Facebook’s new policies. In February, Papamiltidas sent another email announcing that Badoo, as well as the other dating apps Hot Or Not and Bumble, had been “whitelisted” to use the new API.
Other popular apps also allegedly received special permission to view the data. The documents cite emails from Papamiltidas to Lyft, AirBnB, and Netflix. The email to AirBnB appears to outline an agreement to use the secret API.
“As promised, please find attached the docs for Hashed Friends API that can be used for social ranking,” Papamiltidas wrote. “Let us know if this would be of interest to you, as we will need to sign an agreement that would allow you access to this API.”
The internal documents also show discussion among Facebook execs about selling access to the data. The company insists that it hasn’t ever sold access and has repeatedly assured users that it never will. Yet CEO Mark Zuckerberg seemed at least open to the concept in internal discussions:
“We also need to figure out how we’re going to charge for it. I want to make sure this is explicitly tied to pulling non-app friends out of [friends information],” Facebook CEO Mark Zuckerberg wrote in a November 2012 email. “What I’m assuming we’ll do here is have a few basic thresholds of API usage and once you pass a threshold you either need to pay us some fixed amount to get to the next threshold or you get rate limited at the lower threshold.”
The email appears to suggest charging app companies for different tiers of access to user data.
Facebook insists that the documents have been taken out of context or framed by Six4Three in “a way that is very misleading without additional context.” The documents don’t show that Facebook ever did sell the user data, although they may well have discussed it.
What’s clear from the British investigation, however, is that Facebook and Zuckerberg have left a lot of “additional context” out of their own public explanations. That includes Zuckerberg’s testimony before Congress, which now seems ripe for some serious revisiting. What kind of “whitelisting” activities are going on now, and just how far do third parties get to go in accessing user data?