
Facebook's data sharing excesses even surprised its 'partners'

Apple, Netflix, Spotify and even Yandex had more access than they should have.

We regret to inform you that we may have published our article titled "Facebook's terrible 2018" just a few hours too early. Tonight the New York Times has once again dug into the social network and assembled -- based on internal documents and interviews with employees, former employees and business partners -- an unflattering picture of the data it has been sharing for years with the likes of Bing and Rotten Tomatoes. Taken as a whole, these revelations make the Cambridge Analytica data leak revelations seem almost insignificant.

Even with the last few months and years of revelations, the behavior described is surprising -- and not just for users. According to the article, companies like Apple and Russian search giant Yandex claimed to not know how much access Facebook had given them to user information. In the case of Yandex, the NYT said Facebook initially claimed the company wasn't an "integration partner" in October just months before telling Congress it actually is, and had access to Facebook's unique user IDs longer than other apps.

It claims that Spotify, Netflix and the Royal Bank of Canada had access to read, write and delete private messages as well as see who was on a message thread. Apple had special access to phone numbers and calendar entries that the company said it was not aware of, while also leaving no trace that its devices were pulling in the data. According to a Netflix spokesperson, "At no time did we access people's private messages on Facebook, or ask for the ability to do so." Spotify has said it was unaware of this access, and Royal Bank of Canada disputed that it had such access.

Microsoft had access to the names of Facebook users' friends and was apparently building profiles of Facebook users on its own servers, while Sony and Amazon could snag email addresses of a user's friends. Even the New York Times itself makes an appearance, with an app that was discontinued in 2011 still retaining access to users' friends lists.

The reporting confirms other things you may have heard before, like how Facebook pulls together information from outside sources to fill out its "People you may know" feature using so-called "shadow profiles" for people who don't have accounts.

In response to the article, Steve Satterfield said "Facebook's partners don't get to ignore people's privacy settings, and it's wrong to suggest that they do...Protecting people's information requires stronger teams, better technology, and clearer policies, and that's where we've been focused for most of 2018. Partnerships are one area of focus and, as we've said, we're winding down the integration partnerships that were built to help people access Facebook."

While we prepare for the inevitable apology tour, it seems unlikely that these revelations will go over well in the face of government scrutiny and increasingly likely regulation. Mark Zuckerberg said in 2011 that the company's FTC settlement covered a period including "a small number of high profile mistakes." If those were mistakes, then what do we call the way it's continued to share data widely since then even as the FTC was supposed to be monitoring its compliance?

Update (2:50 AM ET 12/19): Facebook has published a blog post responding to the article in more detail. In it the company said "To be clear: none of these partnerships or features gave companies access to information without people's permission, nor did they violate our 2012 settlement with the FTC...We've shut down nearly all of these partnerships over the past several months, except with Amazon and Apple, which people continue to find useful and which are covered by active contracts; Tobii, an integration that enables people with ALS to access Facebook; and browser notifications for people who use Alibaba, Mozilla and Opera."

Steve Satterfield, Director of Privacy and Public Policy at Facebook:

Facebook's partners don't get to ignore people's privacy settings, and it's wrong to suggest that they do. Over the years, we've partnered with other companies so people can use Facebook on devices and platforms that we don't support ourselves. Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.

We know we've got work to do to regain people's trust. Protecting people's information requires stronger teams, better technology, and clearer policies, and that's where we've been focused for most of 2018. Partnerships are one area of focus and, as we've said, we're winding down the integration partnerships that were built to help people access Facebook.