Facebook Secretly Shared User Data After Saying It Stopped
Netflix, AirBnb, Lyft and other companies got special access to info on people’s friends without their knowledge, new documents published by Britain’s Parliament reveal.
Facebook secretly gave user data to companies including Netflix, Lyft, and AirBnb after claiming it had limited such data sharing, newly released documents show. Facebook CEO Mark Zuckerberg also discussed how to profit off sharing users’ data.
On Wednesday, Britain’s Parliament released 250 pages of documents that included internal Facebook discussions on data-sharing. The documents show Facebook gave apps broad access to data about users’ friends after 2014, when it publicly ended the practice. “If people don’t feel comfortable using Facebook and specifically logging in Facebook and using Facebook in apps, we don’t have a platform, we don’t have developers,” a Facebook spokesperson said of the policy change at the time.
Facebook’s initial data-sharing rule change in 2014 hurt some app developers like Six4Three, a California-based app company that mined user data from Facebook. Six4Three sued Facebook in U.S. court, where the documents are under seal, but they were obtained by Britain’s Parliament, which published them Wednesday morning.
Six4Three accuses Facebook of making secret data-sharing pacts with lucrative apps.
One app developer, the dating platform Badoo, reached out to Facebook after the changes, according to emails included in the Six4Three suit and published by Parliament.
“We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not,” Badoo wrote to Facebook in September 2014. “The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps).”
In January 2015, Facebook’s director of platform partnerships, Konstantinos Papamiltidas, wrote back describing a new “application programming interface,” known as an API, that would let selected apps see data about users’ Facebook friends—in apparent violation of Facebook’s new policies. In February, Papamiltidas sent another email announcing that Badoo, as well as the other dating apps Hot Or Not and Bumble, had been “whitelisted” to use the new API.
Other popular apps also allegedly received special permission to view the data. The documents cite emails from Papamiltidas to Lyft, AirBnB, and Netflix. The email to AirBnB appears to outline an agreement to use the secret API.
“As promised, please find attached the docs for Hashed Friends API that can be used for social ranking,” Papamiltidas wrote. “Let us know if this would be of interest to you, as we will need to sign an agreement that would allow you access to this API.”
An email from Netflix to Papamiltidas clarified the information the API might share.
“We will be whitelisted for getting all friends, not just connected friends,” Netflix wrote, implying the API would give them access to information on users’ Facebook friends, even if those Facebook friends were not Netflix users.
Facebook also appears to have used the secret API as a bargaining chip. Papamiltidas emailed the dating app Tinder (owned by The Daily Beast’s parent company IAC) to offer access to the secret API in exchange for use of Tinder’s trademarked term “Moments.”
“We have been working with [redacted] and his team in true partnership spirit all this time, delivering value that we think is far greater than this trademark,” he wrote. The email was part of a smaller trove of documents that leaked last week. TechCrunch reported that Facebook did not strike the deal with Tinder.
Even before Facebook limited all apps’ access to data in 2014, it limited certain competitors’ access, the documents suggest. The documents cite a January 2013 email about Vine, a video app by Twitter.
“Twitter launched Vine today which lets you shoot multiple short video segments to make one single, 6-second video,” the internal Facebook email reads, adding that Vine lets users “find friends via FB. Unless anyone raises objections, we will shut down their friends API access today.”
As early as 2012, Facebook discussed charging apps for access to data, emails in the documents suggest. Facebook also said that year it didn’t “sell any of your data to anyone and never will.”
“We also need to figure out how we’re going to charge for it. I want to make sure this is explicitly tied to pulling non-app friends out of [friends information],” Facebook CEO Mark Zuckerberg wrote in a November 2012 email. “What I’m assuming we’ll do here is have a few basic thresholds of API usage and once you pass a threshold you either need to pay us some fixed amount to get to the next threshold or you get rate limited at the lower threshold.”
The email appears to suggest charging app companies for different tiers of access to user data.
In a statement, Facebook accused Six4Three of presenting misleading documents.
“As we’ve said many times, the documents Six4Three gathered for their baseless case are only part of the story and are presented in a way that is very misleading without additional context,” a Facebook spokesperson told The Daily Beast. “We stand by the platform changes we made in 2015 to stop a person from sharing their friends’ data with developers. Like any business, we had many internal conversations about the various ways we could build a sustainable business model for our platform. But the facts are clear: we’ve never sold people’s data.”
British MP Damian Collins, who chairs the committee that released the documents, accused Facebook of entering into the whitelisting agreements without users’ knowledge or permission.
“Facebook have clearly entered into whitelisting agreements with certain companies, which meant that after the platform changes in 2014/15 they maintained full access to friends data,” Collins said in a statement. “It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not.”