Facebook Admits Giving Partners Access to Messages | Threatpost | The first stop for security news

Facebook has admitted that it dealt several messaging partnerships with tech giants, giving them read, write and delete access for Facebook messages.

The confirmation comes on the heels of a bombshell New York Times article, Tuesday, which  leveraged internal documents to show that Facebook had partnerships in place with several companies since 2010. Part of the report detailed how Facebook enabled Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages; as well as see other participants on a message thread. The New York Times report quote sources that said those privileges go beyond what is necessary for messaging integration with a third party.

In a Wednesday post, Facebook VP of Product Partnerships Ime Archibong confirmed that the company did work closely with four partners to integrate messaging capabilities into their products. Those companies were Netflix, Dropbox, Spotify, and Royal Bank of Canada.

“We worked closely with four partners to integrate messaging capabilities into their products so people could message their Facebook friends — but only if they chose to use Facebook Login,” said Archibong. “These experiences are common in our industry — think of being able to have Alexa read your email aloud or to read your email on Apple’s Mail app.”

Archibong said that the messaging integration partnerships were “experimental and have now been shut down for nearly three years.”

The integrations essentially allowed users to integrate Facebook’s messaging functions into other platforms; so when they were once logged into Facebook via the third-party platforms, they could then perform functions such as messaging friends about what they were listening to on Spotify, or share folders on Dropbox.

What that meant from a data perspective was that these third-party platforms had access to the API allowing them “write access,” “read access,” and “delete access” for messages.

Facebook stressed that “no third party was reading your private messages, or writing messages to your friends without your permission.” However, it did not go into detail about how third parties actually used APIs, and whether there were any restrictions in place against the invasive privileges outlined in the New York Times report.

“Many news stories imply we were shipping over private messages to partners, which is not correct,” Archibong said. “These partnerships were agreed via extensive negotiations and documentation, detailing how the third party would use the API, and what data they could and couldn’t access.”

Dropbox and Royal Bank of Canada did not respond to a request for comment.

“Spotify’s integration with Facebook has always been about sharing and discovering music and podcasts,” a Spotify spokesperson told Threatpost. “Spotify cannot read users’ private Facebook inbox messages across any of our current integrations. Previously, when users shared music from Spotify, they could add on text that was visible to Spotify. This has since been discontinued. We have no evidence that Spotify ever accessed users’ private Facebook messages.”

Netflix, for its part, weighed in on the report with a witty Tweet: “Netflix never asked for, or accessed, anyone’s private messages. We’re not the type to slide into your DMs.”

Netflix never asked for, or accessed, anyone’s private messages. We’re not the type to slide into your DMs.

— Netflix US (@netflix) December 19, 2018

Almost a year after the Cambridge Analytica scandal, concerns around the social media platform’s data privacy policies seem to be at an all-time high.

On Wednesday, Washington, D.C., Attorney General Karl Racine filed a lawsuit against Facebook, accusing it of far-reaching privacy violations.

A Threatpost poll of over 350 respondents conducted Wednesday found that 85.05 percent of respondents don’t think the value they receive from Facebook outweighs privacy worries. Of those who are disillusioned with Facebook’s value of their privacy, respondents are split about the next steps. While 45.98 percent of Facebook respondents to our poll said they plan to drop the platform immediately, 41.07 percent said they are not sure what a good substitute would be.

And up to 81 percent of those polled said that they are “very concerned” about how Facebook treats their personal data, and that they don’t like companies using their data without consent.

This article was updated on Dec. 20 at 10 a.m. with a comment from Spotify.