Facebook protests NYT’s privacy breach claim
Facebook has rejected claims by the New York Times that its sharing of personal data with smartphone firms represented a breach of privacy pledges that it had made to its members and a US regulator.
The newspaper reported the social network had given at least 60 device-makers access to users’ friends’ data without obtaining explicit consent.
It added that in some cases the details were stored on the firms’ own servers.
But Facebook said that this was only done to help offer a mobile service.
And it has said the circumstances were “very different” from those involved in the Cambridge Analytica scandal, in which user data was used for different purposes.
Even so, the NYT raised concern that people’s information – including users’ relationship status, religion, political leaning and planned events – had been shared with other businesses.
It suggested the practice meant the Silicon Valley firm might have breached an agreement it struck with the Federal Trade Commission in 2011 to get consumers’ “express consent” before sharing personal data with third parties in new ways.
Furthermore, it quoted an ex-FTC official saying that Facebook’s behaviour was at odds with privacy commitments it had made to the public in 2014.
Signed agreements
The NYT carried out its own test with an old Blackberry phone to illustrate the issue.
The handset ran an app called Hub, which was designed to collate information from a variety of social media platforms into one place.
The newspaper said the information collected by the software included the IDs, birthdays, work details and educational histories of many of the journalists’ friends, as well as identifying information about many more friends-of-friends.
It said Apple, Microsoft, Samsung and Amazon were among others to have struck data-sharing agreements.
Facebook has responded with a blog post headlined “Why we disagree with the New York Times”.
It defended its use of software tools called application programming interfaces (APIs), which it said had been developed to create “Facebook-like experiences” on smartphones at a time before use of its own mobile apps became commonplace.
“Given that these APIs enabled other companies to recreate the Facebook experience, we controlled them tightly from the get-go,” it states.
“These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences.
“Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built.
“Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.”
The social network added that it was not aware of there being any abuse of the shared data.
Facebook began shutting down use of the APIs in April as part of its response to the Cambridge Analytica row. It said 22 of the partnerships had since ended.
Apple has confirmed it is among those to have stopped using the APIs, and said that it had mainly employed them to let users post pictures and other information without first having to open the Facebook app.
Microsoft told the NYT that all shared data involved was held locally on users’ phones and not copied to its servers.
Blackberry said it did not “collect or mine” Facebook data for its own use. It added that newer Blackberry-branded Android handsets do not use the APIs.
Amazon and Samsung have yet to comment.
‘Unworthy of trust’
Despite Facebook’s defence of its behaviour, one British digital rights campaign group has expressed concern.
“This is yet another concerning example of companies collecting, sharing, and exploiting users’ data in completely unexpected ways,” commented Privacy International’s legal officer Ailidh Callander.
“Over and over Facebook has proven itself unworthy of users’ trust.
“Companies must protect users’ data by default. This includes limiting the way in which people’s data is shared and respecting legal requirements.”