In response to the latest data sharing exposé from the New York Times, Facebook has sounded off about one particular aspect many people focused on: read/write access to private messages granted to partners like Netflix and Spotify. While those companies initially responded to say that they either did not use this access or were unaware of it, Facebook's blog post tries to untangle the question of why it was necessary at all.
In order for you to write a message to a Facebook friend from within Spotify, for instance, we needed to give Spotify "write access". For you to be able to read messages back, we needed Spotify to have "read access." "Delete access" meant that if you deleted a message from within Spotify, it would also delete from Facebook. No third party was reading your private messages, or writing messages to your friends without your permission.
The way Facebook lays it out (similar to a Twitter thread posted yesterday), this kind of integration was "experimental" and, contrary to the vague descriptions of the permissions in it, very specific in how it worked. The access Netflix and Spotify had was for messages that directly tied into how their apps worked, as VP of product partnerships Ime Archibong said: "These partnerships were agreed via extensive negotiations and documentation, detailing how the third party would use the API, and what data they could and couldn't access."
Facebook describes in some detail why this access wasn't used to do things like send messages to your friends without your input, or allow for partners to read more of your private information and says they've been shut down for three years. However, the initial lack of clarity on what they meant, whether users understood what they agreed to, and how it was all audited is part of the reason why the company is running dry on trust and benefit of the doubt when it needs that the most.