Facebook gave device makers access to users' personal data: officials

New York

AS Facebook sought to become the world's dominant social media service, it struck agreements allowing phone and other device makers access to vast amounts of its users' personal information.

Facebook had reached data-sharing partnerships with at least 60 device makers - including Apple, Amazon, BlackBerry, Microsoft and Samsung - during the last decade, starting before Facebook apps were widely available on smartphones, company officials said.

The deals, most of which remain in effect, allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, "like" buttons and address books.

But the partnerships, whose scope has not previously been reported, raise concerns about the company's privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission (FTC).

Facebook allowed the device companies access to the data of users' friends without their explicit consent, even after declaring that it would no longer share such information with outsiders. Some device makers could retrieve personal information even from users' friends who believed they had barred any sharing, The New York Times found.

Facebook came under intensifying scrutiny by lawmakers and regulators after news reports in March that a political consulting firm, Cambridge Analytica, misused the private information of tens of millions of Facebook users.

In the furore that followed, Facebook's leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users' friends. But the company officials did not disclose that Facebook had exempted the makers of mobile phones, tablets and other hardware from such restrictions.

"You might think that Facebook or the device manufacturer is trustworthy," said Serge Egelman, a privacy researcher at the University of California, Berkeley, who studies the security of mobile apps. "But the problem is that as more and more data is collected on the device - and if it can be accessed by apps on the device - it creates serious privacy and security risks."

In interviews, Facebook officials defended the data sharing as consistent with its privacy policies, the FTC agreement and pledges to users. They said its partnerships were governed by contracts that strictly limited use of the data, including any stored on partners' servers. The officials added that they knew of no cases where the information had been misused.

The company views its device partners as extensions of Facebook, serving its more than two billion users, the officials said.

"These partnerships work very differently from the way in which app developers use our platform," said Ime Archibong, a Facebook vice-president. Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of "the Facebook experience", the officials said.

Some device partners can retrieve Facebook users' relationship status, religion, political leaning and upcoming events, among other data. Tests by The Times showed that the partners requested and received data in the same way other third parties did.

Facebook's view that the device makers are not outsiders lets the partners go even further, The Times found. They can obtain data about a user's Facebook friends, even those who have denied Facebook permission to share information with any third parties.

In interviews, several former Facebook software engineers and security experts said they were surprised at the ability to override sharing restrictions.

"It's like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission," said Ashkan Soltani, a research and privacy consultant who formerly served as the FTC's chief technologist.

Details of Facebook's partnerships have emerged amid a reckoning in Silicon Valley over the volume of personal information collected on the Internet and monetised by the tech industry. The pervasive collection of data, while largely unregulated in the United States, has come under growing criticism from elected officials at home and overseas and provoked concern among consumers about how freely their information is shared.

In a tense appearance before Congress in March, Facebook's chief executive, Mark Zuckerberg, emphasised what he said was a company priority for Facebook users.

"Every piece of content that you share on Facebook you own," he testified. "You have complete control over who sees it and how you share it."

But the device partnerships provoked discussion even within Facebook as early as 2012, according to Sandy Parakilas, who led Facebook's third-party advertising and privacy compliance department at the time.

"This was flagged internally as a privacy issue," said Ms Parakilas, who left Facebook that year and has recently emerged as a harsh critic of the company. "It is shocking that this practice may still continue six years later, and it appears to contradict Facebook's testimony to Congress that all friend permissions were disabled."

The partnerships were briefly mentioned in documents submitted to German lawmakers investigating the social media giant's privacy practices and released by Facebook in mid-May. But Facebook provided the lawmakers with the name of only one partner - BlackBerry, maker of the once-ubiquitous mobile device - and little information about how the agreements worked. NYTIMES