Facebook Fights Back on Secret Data-Sharing Partnerships | Threatpost | The first stop for security news

Facebook is hitting back after a new report on Tuesday said that the company struck broad data-sharing partnerships with more than 150 companies, including Apple, Amazon and Netflix, exempting them from its normal data privacy terms and conditions.

An exhaustive investigation in the New York Times on Tuesday leveraged hundreds of pages of internal documents to show that Facebook has had such partnerships in place with several companies since 2010 – including Apple, Amazon, Microsoft, Spotify and Netflix.

The deals reportedly gave companies access to users’ data, including names, friends’ profile information and even private Facebook messages. For instance, Amazon was able to access user names and contact information via their Friends; Apple could view Facebook users’ contacts and calendars even if the users had disabled data-sharing features; and companies like Netflix and Spotify were able to read users’ private Facebook messages.

Does this change your attitude towards the social network? Take our quick four-question poll to weigh in on Facebook and privacy.

It’s not the first report by any means scrutinizing Facebook’s data-sharing partnerships with device-makers and other tech companies: However, the latest report claims that Facebook offered more of its users’ data to companies that it previously acknowledged.

Facebook, for its part, defended its policies in a Tuesday post, saying it did not give other large tech companies access to data without people’s permission; and, in fact, that the partnerships “helped” users seamlessly access Facebook’s benefits while using other big tech company’s platforms.

“To put it simply, this work was about helping people do two things,” said Konstantinos Papamiltiadis, director of Developer Platforms and Programs at Facebook. “First, people could access their Facebook accounts or specific Facebook features on devices and platforms built by other companies like Apple, Amazon, Blackberry and Yahoo. These are known as integration partners. Second, people could have more social experiences – like seeing recommendations from their Facebook friends – on other popular apps and websites, like Netflix, The New York Times, Pandora and Spotify.”

Facebook also stressed that most of these social features are now gone and that it has ended most partnerships. However, the New York Times article alleged that some of the deals are still ongoing – including Apple and Amazon; while other companies had access to data for years even after their deals were cut off.

“We recognize that we’ve needed tighter management over how partners and developers can access information using our APIs,”said Papamiltiadis. “We’re already in the process of reviewing all our APIs and the partners who can access them.”

The incident has also led users to wonder whether Facebook is in violation of a 2011 FTC consent decree, which requires the social network to receive explicit permission from users in regards to sharing their data with third parties. However, Facebook said in its post it did not violate the settlement with the FTC.

Apple did not respond to a request for comment from Threatpost.

“Amazon uses APIs provided by Facebook in order to enable Facebook experiences for our products,” an Amazon spokesperson told Threatpost. “For example, giving customers the option to sync Facebook contacts on an Amazon Tablet. We use information only in accordance with our privacy policy.”

Facebook has faced a barrage of critiques over the past week – and months – on the heels of its Cambridge Analytica scandal- and data privacy policies issues continue to plague the social media company.

The company in particular has come under harsh review for how it handles data in partnerships with other companies.

Earlier this month, internal documents showed the social media giant promoting – and trying to keep secret – the collection of call logs and texts for Android app users. Also earlier this month, the Italian Competition Authority (ICA) found that Facebook violated several articles of the statute by misleading consumers about how their data would be used.  The company was hit with two fines.

Data privacy concerns have caused consumers to question the values of the social media platform when it comes to protecting private data. The hashtag #DeleteFacebook has emerged on Twitter, and recently, Walt Mossberg, who posted that “my own values and the policies and actions of Facebook have diverged to the point where I’m no longer comfortable there.”

1/ Some personal news: I’ve decided to quit Facebook around the end of the year. I am doing this – after being on Facebook for nearly 12 years – because my own values and the policies and actions of Facebook have diverged to the point where I’m no longer comfortable there.

— Walt Mossberg (@waltmossberg) December 17, 2018

Alex Stamos, the former chief information security officer at Facebook, called out the company for its handling of the matter on Twitter, saying that “integrations that are sneaky or send secret data to servers controlled by others really is wrong.” Stamos also said on Twitter that  “putting your response in a wall of PR-text aimed at end consumers just isn’t effective.”

This isn’t a good response from Facebook to the NY Times story, because it makes the same mistake of blending all kinds of different integrations and models into a bunch of prose and it is very hard to match up the responses to the Times’ claims.https://t.co/rrnWylOBMp

— Alex Stamos (@alexstamos) December 19, 2018

Aleksandra Korolova, assistant professor of Computer Science at the University of Southern California, blasted Facebook in a post Tuesday detailing how Facebook can learn about users’ location even when settings are off – and why that doesn’t necessarily help users or advertisers.

“When it comes to one of the most privacy-sensitive types of data, location, Facebook does not provide meaningful controls and is misleading in its statements to users and advertisers,” said Korolova.

Korolova also said that Facebook needs to give users “meaningful controls over the location information it collects” and uses for advertising.

“This would include a dedicated Location section in Ad Preferences, and an ability to opt-out of location use entirely, or, at the very least, an ability to meaningfully specify the granularity of its use and exclude particular areas from being used,” she said.

Threatpost will continue to update this article as more information becomes available.

This story was updated on Dec. 19 at 9am ET to reflect a Twitter post by former CISO Alex Stamos. 

Does this change your attitude towards the social network? Take our quick four-question poll to weigh in on Facebook and privacy.