
Explosive New York Times report exposes more Facebook privacy fails

Facebook is once again facing criticism for its indifferent approach to user privacy. The New York Times revealed in an explosive report this week that Facebook had been allowing other internet giants including Netflix, Spotify, Amazon, and Yahoo unprecedented access to users’ private data for years. 

Facebook exposed by NYT report

The NYT's investigation relied on interviews with former Facebook employees, government officials, and privacy advocates to reveal the eye-opening reality of how the world’s largest social network shares its users’ personal data. In addition to the interviews, The Times obtained over 270 pages of leaked internal Facebook documents that confirmed Mark Zuckerberg and Co. allowed Netflix, Spotify, and the Royal Bank of Canada access to read, write, and delete users’ private messages, and that showed how the company had been sharing private data with third parties, possibly without proper user consent.

According to the report, Facebook created partnerships with more than 150 companies and shared private user data with them in its effort to spur massive amounts of growth and to spread the company’s influence as far and as wide as possible. These partnerships began in 2010, and some of them were still in effect this year even though many of the companies have since discontinued the features for which the data was originally shared. For instance, in 2017 Yahoo still had broad access to Facebook user data that had been needed for a feature Yahoo abandoned in 2012. Similarly, in 2017 The New York Times still had access to Facebook user data that the news organization no longer required after pulling the plug on a news-sharing feature in 2011.

These are just a few of the many examples in which Facebook had been mismanaging its use of private user data through its partnership program. In addition to continuing to share user data with companies for years longer than required, Facebook also overshared user data that was simply not necessary for certain integrations. Giving Netflix, Spotify, and the Royal Bank of Canada extraordinary access to users’ private messages, including information regarding all participants in a specific thread, goes far beyond what was ever required.

What’s more, according to former employees who spoke with New York Times investigators, Facebook didn’t do much in the way of reviewing and auditing what its partners were doing with the masses of data being shared with them. The former employees also suggested that executives at the company gave little consideration to conducting privacy reviews and audits, arguing that such tasks would encumber innovation and growth initiatives.

All of this activity has privacy advocates crying foul, accusing Facebook of violating the 2011 settlement the company agreed to with the Federal Trade Commission, which requires “Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established.”

Electronic Privacy Information Center head and online privacy expert Marc Rotenberg said in a statement to The NYT, “There has been an endless barrage of how Facebook has ignored users’ privacy settings, and we truly believed that in 2011 we had solved this problem. We brought Facebook under the regulatory authority of the F.T.C. after a tremendous amount of work. The F.T.C. has failed to act.”

Facebook officials themselves contend that the company is not in violation of the F.T.C. agreement because of an exception in the settlement that classifies the partner companies as “service providers” that operate essentially as an extension of the social network. They argue that since the partner companies only use the data for the purposes of integrating with Facebook and under the direction of Facebook, there is no issue with sharing the data in these circumstances.

Most of the partner companies denied knowing anything about the scope of access to data they were granted by Facebook. The companies contacted by The NYT also maintained that they had in no way used the data for advertising purposes or for any purposes other than what was explicitly required for their Facebook integrations.

Despite these assurances from Facebook that it was acting within its rights, and from companies who insist they did not misuse the data, many are not quite convinced. The Washington DC Attorney General’s office filed a lawsuit against Facebook on Wednesday, claiming that the company overstepped its bounds and shared the data without users’ knowledge and without receiving the proper consent. Though the lawsuit centers around the Cambridge Analytica scandal, this week’s revelations surrounding data shared with partner companies play a significant role in the lawsuit. All this adds up to what could be a massive fine for the tech giant that could potentially exceed $1 billion.

“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used. We conducted an investigation and found evidence that Facebook’s lax oversight of its privacy protocols and confusing privacy settings put the personal information of millions of Americans at risk. We also found that Facebook failed to inform consumers that it had granted certain favored companies special permissions that enabled those companies to access consumer data and override consumer privacy settings,” DC Attorney General Karl Racine said in a statement.

Ime Archibong, Facebook’s VP of Product Partnerships, emphatically refuted these claims in a blog post published on Wednesday. “In the past day, we’ve been accused of disclosing people’s private messages to partners without their knowledge. That’s not true – and we wanted to provide more facts about our messaging partnerships.”

Archibong goes on to explain, “In order for you to write a message to a Facebook friend from within Spotify, for instance, we needed to give Spotify ‘write access.’ For you to be able to read messages back, we needed Spotify to have ‘read access.’ ‘Delete access’ meant that if you deleted a message from within Spotify, it would also delete from Facebook. No third party was reading your private messages, or writing messages to your friends without your permission. Many news stories imply we were shipping over private messages to partners, which is not correct.”

In a separate blog post, Konstantinos Papamiltiadis, Facebook’s Director of Developer Platforms and Programs, clarified, “To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC. We’ve been public about these features and partnerships over the years because we wanted people to actually use them – and many people did. They were discussed, reviewed, and scrutinized by a wide variety of journalists and privacy advocates.”

The assertions that users gave Facebook explicit permission to use their data in this way, and that Facebook hadn’t violated its settlement with the FTC, are, as we have seen, up for debate. Privacy advocates feel Facebook did not properly disclose what data was being shared and how it was being used, and as a result, users were not aware of the full scope of what they were agreeing to.

Regardless, the sloppiness Facebook exhibited by sharing user data far longer than necessary in certain cases, and executives’ alleged lax attitude concerning user privacy, don’t paint the company in a favorable light. With these latest revelations coming to the surface, Facebook has even more work to do in order to regain the public’s trust. If the company doesn’t make a concerted and genuine effort to prove that it is indeed concerned about user privacy, more and more people will be joining the #DeleteFacebook bandwagon.

For those users who care about their online privacy, but still aren’t willing to give up on the social network, here are a few essential security measures to implement: avoid using Facebook to log into third-party apps, don’t accept friend requests from people you don’t know, don’t overshare personal information, and activate the privacy settings in your profile. If you want to take your online security to the next level, sign on with a top-ranked VPN provider to encrypt your internet traffic and keep your data protected at all times.

Written by: Attila Tomaschek

Attila is a Hungarian-American currently living in Budapest. His more than 5 years in the VPN game, along with his acute understanding of the digital privacy space, enable him to share his expertise with ProPrivacy readers. Attila has been featured as a privacy expert in press outlets such as Security Week, Silicon Angle, Fox News, Reader’s Digest, The Washington Examiner, Techopedia, Disruptor Daily, DZone, and more. He has also contributed bylines for several online publications like SC Magazine UK, Legal Reader, ITProPortal, BetaNews, and Verdict.

