An investigation into Facebook’s data-sharing practices has revealed that for years the social network has handed over access to sensitive user data to business partners through previously undisclosed special arrangements.

This is according to a wide-ranging investigation by the New York Times, based on documents obtained from the company’s internal system for tracking partnerships. There is a popular misconception that Facebook was “selling” users’ data – it did not sell the data, but instead gave it to companies looking to integrate their services more closely with Facebook.

The exchange worked by allowing partner companies to create features that would make their products more attractive and more personalised; in turn, Facebook would bring in more users and, with them, the prize of a large user base and the offer of both reach and personalisation to advertisers. However, the criticisms of the company centre on the lack of transparency to consumers and the lack of external oversight.

“In all, the deals described in the documents benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations.

“Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year”, the Times reporters wrote.

These deals included giving Apple access to users’ Facebook contacts and calendars in a partnership that still exists, though Apple says it was unaware of such access. This was part of a process of integrations made specifically for device manufacturers (OEMs) to develop their products with Facebook integrated into device operating systems. Among these integration partners, one of the most worrying was the Russian search company Yandex, which was accused of maintaining close ties to the Kremlin. Records show that Yandex had unique user IDs up until 2017, after Facebook had stopped sharing them with other apps.

Amazon, meanwhile, was given access to users’ names and contact information. Commenting on the partnership, which is in the process of being wound down, Amazon told the Times that it had used the data “appropriately”.

Additionally, the NYT reported that it too could still access Facebook users’ personal information in 2017.

Spotify, Netflix, and the Bank of Canada, meanwhile, had the ability to read, write and delete users’ private messages on the platform and to see all the participants on a thread, according to the NYT. These capabilities were designed to help integrate these companies’ products into the Facebook Messenger interface. Spotify still has an option to share songs through Messenger, said the Times; Netflix and RBoC have since deactivated the features that incorporated this information. Both Netflix and Spotify say they were unaware of such access. The Royal Bank of Canada disputes the access.

Some of the partnerships gave access to users’ networks. For Bing, Microsoft’s search engine, Facebook gave access to the names and other profile information of users’ friends – data that Microsoft says it has deleted – though Facebook says only data set to “public” was visible. This particular agreement was part of a since-cancelled “instant personalization” program. Launched in 2010, it allowed partners to personalise their services according to what Facebook knew about users. Although the program was closed in 2014, the meat of this revelation is that Bing and a handful of other companies still had access to that data in 2017.

In a blog post by Konstantinos Papamiltiadis, Director of Developer Platforms and Programs, Facebook responded to some of the elements of the report in detail. “To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC”, he wrote. In the case of sharing some of the most intrusive information, Papamiltiadis makes clear that in order to use any of these features, users had to sign in to Facebook first. 

Externally, one of the story’s most worrying facets is the Federal Trade Commission’s failure to stop this happening, despite an agreement with the social network that would have consultants PwC formally assess Facebook’s privacy procedures every two years. Former FTC employees who spoke to the Times contend that Facebook may have broken a consent decree put in place in 2011 to address concerns over how it tracked and shared user data.

Responding to the report, Steve Satterfield, the company’s head of privacy and public policy, said “Facebook’s partners don’t get to ignore people’s privacy”. In an email to The Verge, he continued: “Over the years, we’ve partnered with other companies so people can use Facebook on devices and platforms that we don’t support ourselves. Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.”

Still, the practice does not play well in the context of Facebook’s annus horribilis, in which it has had to defend practices and oversights that have severely damaged its reputation among consumers and faith in its business model among investors and clients. “I don’t believe it is legitimate to enter into data-sharing partnerships where there is not prior informed consent from the user,” Roger McNamee, one of Facebook’s early investors, told the Times. “No one should trust Facebook until they change their business model.”

Sourced from the New York Times, Facebook, CNet, The Verge; additional content by WARC staff