Facebook Inc. took a second stab Wednesday night at convincing its 2.3 billion users that it didn't allow more than 150 other companies to misuse their personal data, after its valuation fell by more than $28 billion on the stock market.
"In the past day, we've been accused of disclosing people's private messages to partners without their knowledge," Ime Archibong, Facebook's vice president of product partnerships, said in a post on the company's blog. "That's not true — and we wanted to provide more facts about our messaging partnerships."
The blog post — the second since The New York Times reported Tuesday that Facebook for many years gave more than 150 companies extensive access to personal data — focused narrowly on the contention in the Times report that emerged as the most controversial: that Facebook gave four companies access to read, write and delete users' messages.
Facebook stock fell by more than 7 percent Wednesday in the wake of the Times article and a federal lawsuit that was separately filed against the company over its handling of users' data, wiping more than $28 billion off of its market cap valuation.
"Many news stories imply we were shipping over private messages to partners, which is not correct," Archibong said Wednesday night.
Instead, he said, the companies — Spotify Ltd., Netflix Inc., Dropbox Inc. and the Royal Bank of Scotland — were granted automated access to users' messages so Facebook users could send Facebook messages to other Facebook users without leaving the Spotify, Netflix, Dropbox or Royal Bank apps.
The Times reported that the Royal Bank disputed that it had access, while Spotify and Netflix said they were unaware that they even had such broad access. "At no time did we access people's private messages on Facebook, or ask for the ability to do so," Netflix said in a statement, while Spotify said, "We have no evidence that Spotify ever accessed users' private Facebook messages."
Far from being a nefarious leaking of private data, the read/write/delete access "was the point of this feature," Archibong said.
"We worked with them to build messaging integrations into their apps so people could send messages to their Facebook friends," he said.
"In order for you to write a message to a Facebook friend from within Spotify, for instance, we needed to give Spotify 'write access.' For you to be able to read messages back, we needed Spotify to have 'read access.' 'Delete access' meant that if you deleted a message from within Spotify, it would also delete from Facebook," he said.
Your permission was granted when you signed in to the Spotify, Netflix, Dropbox or Royal Bank apps using your Facebook credentials, according to Archibong, who said those "experiences" were publicly discussed and "clear to users."
As an example of how the permission grants were discussed publicly, Archibong linked to a press release that the Royal Bank of Scotland issued in 2013 announcing its integration of Facebook into the bank's money-transfer services.
"The receiver will receive a message in their Messenger inbox, and will be directed to log in to the Financial Institution of their choice to deposit the funds," the press release says.
However — even though Facebook cited it as an example of the transparency of the data-sharing partnerships — the Royal Bank's press release doesn't say anything about its need to read and delete Facebook messages. In fact, the words "private" and "privacy" appear nowhere in the bank's statement, which emphasizes how "seamlessly integrated" Facebook and the bank's services were.
Archibong didn't address The Times' other disclosure about Facebook's agreements with the four companies — that they could also see the identities of all of the participants in a Facebook user's messaging threads, which it described as "privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems."
Archibong said that "these partnerships were agreed via extensive negotiations and documentation, detailing how the third party would use the API, and what data they could and couldn't access." ("API" is short for "application program interface" — the set of tools and rules that companies use to regulate how different kinds of software interact with each other.)
"No third party was reading your private messages, or writing messages to your friends without your permission," Archibong stressed Wednesday night.
Facebook has said that permission is granted when users sign in to the third-party service using their Facebook credentials. Neither Archibong nor, in a separate statement late Tuesday, Konstantinos Papamiltiadis, Facebook's director of developer platforms and programs, suggested that Facebook had any data indicating how many Facebook users actually knew that.
In a statement Wednesday, the Electronic Frontier Foundation, a nonprofit online privacy advocacy group, expressed alarm at the practices. It urged lawmakers "to consider using many of the legislative tools available to give people the control they crave over the data they provide to Facebook and other companies that trade in data."
Specifically, it called for legislation that would require users to explicitly opt in to sharing of their personal data and that would classify Facebook and similar companies as information fiduciaries — entities with an affirmative legal responsibility to protect private data.
"This newest Facebook scandal shows that laws like these are long overdue," it said.