Netflix had technical access to read — and even delete — personal messages of Facebook users who opted in to its now-defunct social-sharing integration with Facebook. But Netflix says it never exploited that ability.
According to a New York Times report based on internal Facebook documents, the social giant granted more than 150 partners special access to data on millions of users, with privileges beyond what Facebook has previously disclosed. That included giving three companies — Netflix, Spotify and the Royal Bank of Canada — the ability to read, write and delete users’ messages and view all participants on a message thread, per the report.
Facebook said that by necessity, it had enabled read/write/delete access for those partners to Messenger accounts of users who had opted-in to the features in order to make those integrations possible. Facebook also said that those features have been discontinued.
In 2014 Netflix introduced a feature that let members recommend TV shows and movies to their Facebook friends via Facebook Messenger or Netflix. According to Netflix, it had access to the friends’ lists of members who chose to use the feature, but it never accessed (or requested access to) anyone’s actual messages.
“At no time did we access people’s private messages on Facebook, or ask for the ability to do so,” a Netflix spokesman said in a statement. “Over the years we have tried various ways to make Netflix more social. [The Facebook integration] was never that popular so we shut the feature down in 2015.”
Spotify claimed it was unaware that it had the ability to access Facebook messages; RBC denied it had any access to private Facebook messages.
Facebook asserted that none of the partnerships or features that were detailed in the Times report gave companies access to information without users’ permission. “Our integration partners had to get authorization from people. You would have had to sign in with your Facebook account to use the integration offered by Apple, Amazon or another integration partner,” Konstantinos Papamiltiadis, Facebook’s director of developer platforms and programs, wrote in a blog post Wednesday in response to the NYT report.
Regarding access to its messaging functions, Facebook said users had to explicitly sign in to Facebook to use a partner’s messaging feature. That let them send and receive messages without leaving the partner’s app. “Our API provided partners with access to the person’s messages in order to power this type of feature,” Papamiltiadis wrote.
Facebook has “no evidence that data was used or misused,” Papamiltiadis wrote, but he acknowledged the company left access to APIs in place even after it ended some of its integration partnerships. Those included agreements with Yahoo, the New York Times and Yandex, a Russian search engine, according to the Times report. Facebook has needed “tighter management over how partners and developers can access information using our APIs,” the exec wrote. “We’re already in the process of reviewing all our APIs and the partners who can access them.”
The exceptional level of access Facebook granted certain business partners — even if those partners didn’t actually abuse those privileges in a way that violated users’ privacy — led critics to suggest that the deals ran afoul of Facebook’s FTC agreement approved in 2012. Under the settlement, Facebook is required to give consumers “clear and prominent notice” and must obtain “their express consent before sharing their information beyond their privacy settings.”
Facebook insisted the partnerships in question did not violate the FTC settlement, claiming partner companies like Netflix and Spotify were “service providers” that used data only for the purposes of providing feature extensions to Facebook.
Critics charged that the latest revelations about Facebook’s business practices with respect to user data demonstrate that it operates in a monopoly-like fashion and can’t be trusted to safeguard consumer information.
“We have to seriously challenge the claim by Facebook that they are not selling user data,” British lawmaker Damian Collins, chairman of the U.K. Parliament’s Digital, Culture, Media and Sport Committee, said in a statement Wednesday. “They may not be letting people take it away by the bucket load, but they do reward companies with access to data that others are denied, if they place a high value on the business they do together. This is just another form of selling.”
According to Facebook, in 2014 it shut down its “instant personalization” features, which had powered search results in Microsoft’s Bing and elsewhere based on info that Facebook users’ friends had shared. Over the last few months, Facebook said, it has terminated almost all of its remaining data-integration partnerships, with a few exceptions: It maintains agreements with Amazon and Apple, “which people continue to find useful and which are covered by active contracts,” Papamiltiadis wrote, as well as Swedish firm Tobii, which sells a product that lets people with ALS access Facebook, and with Alibaba, Mozilla and Opera for browser notifications.
Scrutiny over Facebook’s data-management practices kicked into high gear after the news earlier this year that info on up to 87 million Facebook users was misappropriated by Cambridge Analytica, a data consultancy that was used by Donald Trump’s 2016 election campaign. The Cambridge Analytica scandal, along with evidence of Russian misuse of Facebook’s platform to attempt to influence the 2016 election, led to CEO Mark Zuckerberg’s testifying before congressional committees.
In early December, Collins’ U.K. parliamentary committee released a 250-page report, which included numerous internal company emails, detailing how Facebook granted favored partners including Netflix “whitelist” access to user info while it blocked rivals from accessing its data. Facebook said the documents, obtained through an app developer’s 2015 lawsuit against the company, were “cherry-picked” and lacked context.
And Facebook has disclosed several security breaches and vulnerabilities that exposed user data in recent months. In September, Facebook announced the biggest hack in its history after it discovered a security hole had compromised up to 50 million user accounts. The company later said hackers had successfully accessed data from 29 million Facebook members.