Facebook denies it let more than 150 companies misuse personal data

But the social network didn't directly address a report that it gave "partners" far more access to private data than it has publicly disclosed.
Facebook CEO photo illustration on portable devices
Facebook Chief Executive Mark Zuckerberg.Jaap Arriens / NurPhoto via Getty Images

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
SUBSCRIBE
By Alex Johnson

Facebook denied Tuesday night that its dozens of "partners" — companies like Microsoft, Amazon, Netflix, Spotify and Yahoo — were able to misuse Facebook users' personal data, but it didn't address explosive new allegations that it gave those companies far broader access to private data than it has previously acknowledged.

The New York Times reported Tuesday that Facebook for many years gave more than 150 companies extensive access to personal data — including private messages and contact information for users' friends — than was previously known and without users' explicit consent.

The Times said it based its reporting on more than 270 pages of internal Facebook documents and interviews with more than 50 former employees of Facebook and its so-called integration partners, as well as other former government officials and privacy advocates.

Facebook has said it is ending the "integration partnerships," some of which The Times reported extend as far back as 2010 and some of which were still in effect this year.

Steve Satterfield, Facebook's director of privacy and public policy, said in a statement Tuesday night that the partnerships were created "so people can use Facebook on devices and platforms that we don't support ourselves."

"Facebook's partners don't get to ignore people's privacy settings, and it's wrong to suggest that they do," according to the statement.

Byers Market Newsletter

Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.

The statement didn't, however, address the crux of the Times article, which was that Facebook had made the data available without disclosing the breadth of information it provided and, in many cases, without users' knowledge or agreement.

Facebook further explained its relationships with other tech companies in a blog post from Konstantinos Papamiltiadis, director of developer platforms and programs.

According to The Times, Facebook allowed Microsoft's Bing search engine to see the names of virtually all of Facebook users' friends without consent, and it gave Netflix, Spotify and the Royal Bank of Canada access to read, write and delete users' private messages. It said such access "appeared to go beyond what the companies needed to integrate Facebook into their systems."

The Times said the Royal Bank of Canada disputed that it had access, while Spotify and Netflix told it that they were unaware that they even had such broad access.

The newspaper reported that the documents showed that "while Facebook users can control what data they share with most of the thousands of apps on Facebook's platform, some companies had access to users' data even if they had disabled all sharing."

Facebook disputed that it needed users' permission to share the information under its interpretation of a consent agreement it reached with the Federal Trade Commission, or FTC, in November 2011. Facebook said at the time that it signed the agreement without admitting wrongdoing to avoid further legal action.

The agreement settled an FTC complaint accusing the company of having misled its users about how it used their personal information, alleging that Facebook revised its privacy controls in 2009 to automatically share users' information and pictures even if they had previously programmed their privacy settings to keep the content private.

According to the FTC, information that suddenly became public without consent included users' profile pictures, political views and lists of online friends. In some cases, the revision publicly revived personal photos even after users had deleted them, according to the complaint.

Facebook told The Times that it had found no evidence of abuse by its partners, and it contended that none of the practices detailed in the internal documents violated users' privacy or the 2011 agreement.

It said the agreement didn't require it to notify users or get their permission to share personal data with most of its third-party partners because it classified those companies as "integration partners" — extensions of Facebook, in other words, that helped Facebook users to interact with their friends.

"Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes," Satterfield said Tuesday night.

Facebook's statement Tuesday night didn't explain why more than 150 companies would enter into such agreements if they weren't able to use the information they were provided for their own purposes.

Satterfield repeated Facebook's often-stated acknowledgment that "we know we've got work to do to regain people's trust."

"Protecting people's information requires stronger teams, better technology, and clearer policies, and that's where we've been focused for most of 2018," he said.