Facebook has found itself the subject of yet more shouty headlines as details of deals that gave more than 150 companies special access to user data were spilled.
The latest in the list of problematic reports into the embattled firm's business model comes from the New York Times.
It claims that some businesses, including giants like Amazon and Netflix, were given preferential – and what the paper describes as "intrusive" – access to user data, and allowed to circumvent usual privacy rules. In return, Facebook got to spread its net wider, bring in new users and exploit this to boost ad revenues.
Citing numerous interviews and hundreds of pages of internal reports, the newspaper said there were more than 150 companies with souped-up access, including tech firms, retailers and media groups.
Examples given include Bing, which could see the names of "virtually all" Facebook users' friends; Netflix and Spotify, which the paper claimed could "read" users' private messages; and Amazon, which gained users' names and contact details through their friends.
The news may not be a revelation to everyone. Given the well-documented spread of Facebook's tentacles throughout its meteoric rise, it was expected that numerous firms had access to user data.
We're pretty sure readers will be aware that the Zuckerborg snaffled data from partners like Yahoo! to feed its often creepy friend-recommendation tool. And in the case of Spotify, the feature allowed users to send songs via private messages, and thus required access to Messenger.
But the latest report promises to be particularly damaging to user trust for a few reasons.
For a start, it looks bad. Companies are reported to have been able to read and delete messages, and it isn't clear if users were explicitly told what access and permissions they had. Facebook has said there is no evidence that data was used or misused, but such assurances aren't worth much in the current climate.
On top of that, Facebook appears to have failed to keep track of the hundreds of deals it had, and didn't turn off this special access when the partner no longer provided the feature it was given the access for in the first place.
That included Yahoo!, which reportedly still had the ability to view real-time feeds of friends' posts for a feature the company had ended in 2011.
Another problem is the timeline – many of the deals referred to were still active in 2017, and some continued into this year. Until now, reports have focused on the period from 2012 to 2014, when the Facebook was discussing how to turn off the Graph API pipe to developers, which it completed in 2015. This has allowed Facebook to use the line that it realised its flaws, and changed.
Although Zuck's biz has countered that all of the deals were above board, and that any information passed to companies had been publicly shared by users, its "nothing to see here" response fails to clearly distinguish between different partnerships that had different levels of access.
Facebook's tone has drawn criticism, even from its former chief security bod, Alex Stamos.
This isn't a good response from Facebook to the NY Times story, because it makes the same mistake of blending all kinds of different integrations and models into a bunch of prose and it is very hard to match up the responses to the Times' claims.https://t.co/rrnWylOBMp— Alex Stamos (@alexstamos) December 19, 2018
However, he also criticised the Times' report for blurring the lines between access by third-party clients or OS integrations with what could be legitimate concerns about data being sent out to other companies.
But integrations that are sneaky or send secret data to servers controlled by others really is wrong. Since the Times is apparently sitting on a huge list of historical integrations, it would be better for FB to document them than to allow the Times' to add their framing.— Alex Stamos (@alexstamos) December 19, 2018
In particular, Facebook has been keen to emphasise that none of the agreements actually break a 2011 consent decree handed to it by the Federal Trade Commission, on the grounds that the partners were "service providers".
This was an exemption issued to Facebook by the FTC to allow it to do things such as process card transactions – whether the company's assessment will stand up to scrutiny remains to be seen. Former FTC staffers quoted in the New York Times were certainly sceptical.
"This is just giving third parties permission to harvest data without you being informed of it or giving consent to it," said David Vladeck, who formerly ran the FTC's consumer protection bureau, adding that Facebook's interpretation was too broad.
"I don't understand how this unconsented to data harvesting can at all be justified under the consent decree."
The only real mea culpa in Facebook's latest apology is that it didn't keep good enough tabs on the agreements, admitting that some deals were poorly handled.
According to the report, the number of different agreements became unwieldy by 2013, so staff built a tracking tool that kept records on the special access companies had and could turn it on and off.
However, the report said it was unclear how closely the partners were monitored or what audits they were subjected to, with BlackBerry and Yandex officials quoted as saying they had never been audited for deals struck in 2010.
A number of firms still had this special access to data even when they no longer needed it; some, including Apple, told the paper they didn't even know they had been granted special access.
Facebook admitted that some of the deals were "mismanaged", with the PR pointing to work it has already launched to review and restrict data access.
"We recognize that we've needed tighter management over how partners and developers can access information using our APIs. We're already in the process of reviewing all our APIs and the partners who can access them."
The problem for Facebook is that these stock quotes don't cut through the damage that reports like these do to public trust, because the main takeaway is that the firm says the bare minimum it can get away with and tries to wiggle out on the technicalities.
Facebook's well-worn line that it doesn't sell user data is technically true – but when details emerge on the deals Facebook struck to hand over data in exchange for boosting business, your average Joe would be forgiven for feeling deceived. ®
Sponsored: Webcast: Ransomware has gone nuclear