UPDATED: Spotify was one of many technology companies to which Facebook granted vast access to users’ personal data — far more than it had previously disclosed, according to a New York Times report published Tuesday night. Facebook “effectively exempted those business partners from its usual privacy rules,” the report says, citing internal records and interviews.
According to the report, Facebook allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a message thread, although in Spotify’s case the access was ostensibly provided to enable users to share music via Facebook’s Messenger service. The report says that Spotify could view messages of more than 70 million users a month, although it did not state whether the company had full access to that entire number of users.
Representatives for Spotify and Netflix told the Times that they were “unaware of the broad powers Facebook had granted them,” while a Royal Bank of Canada spokesperson disputed that the bank had such access. Contacted by Variety Tuesday night, a rep for Spotify provided the following statement:
“Spotify’s integration with Facebook has always been about sharing and discovering music and podcasts. Spotify cannot read users’ private Facebook inbox messages across any of our current integrations. Previously, when users shared music from Spotify, they could add on text that was visible to Spotify. This has since been discontinued. We have no evidence that Spotify ever accessed users’ private Facebook messages.”
Spotify continues to offer users the option to share music through Facebook Messenger; Netflix and the Canadian bank told the Times they no longer needed access to messages because they had deactivated features that incorporated it.
According to Facebook director of privacy and public policy Steve Satterfield, none of the partnerships violated users’ privacy or FTC regulations, and the companies were required to abide by Facebook policies. Per the agreements, Facebook considered the outside companies extensions of itself as methods for users to interact with their friends, and as a result did not have to seek additional permissions from users.
Another spokeswoman told the Times that Facebook did not find evidence of abuse by the companies. Facebook did admit it had not been vigilant about managing the partnerships, and that some companies were able to continue accessing data despite the features that required it falling out of use.