If you feel like there's been a new embarrassing revelation about Facebook's privacy practices every day this week, well, you're not entirely wrong. In the third bombshell report to drop since Monday, the Wall Street Journal is reporting that Facebook struck customized data-sharing deals with a select group of companies, granting several of them special access to user records well after the point in 2015 when Facebook said it had shifted its privacy policies in response to learning that a researcher had improperly taken Facebook user data and sold it to Cambridge Analytica. The unreported agreements were known internally as whitelists. They reportedly allowed certain companies to access sensitive information like phone numbers and a metric called "friend that measured the degree of closeness between users and others in their network," the people said.
The whitelist deals were struck with companies as diverse as Nissan and RBC Capital. The deals represented Facebook bending over backwards to allow special data access to a broader universe of companies, many of whom were valuable advertisers. Others needed the access to wind down unfinished projects after the new developer regulations. But some were granted the special access for "unspecified reasons" that WSJ apparently couldn't crack. WSJ also raises further questions about who had access to the data of billions of Facebook users and why they had access - and, what's more, why didn't Mark Zuckerberg mention any of this during the Congressional hearings?
Facebook said companies were granted this special access as something of a workaround after Facebook stopped granting unfettered access to developers in 2015. Many of the details published in the report appeared vague - for example, WSJ couldn't pin down how many Facebook clients had been granted this privilege. Perhaps that's why they published it after 4 pm Eastern on a June Friday.
Facebook officials said the company struck a small number of deals with developers largely to improve the user experience, test new features and allow certain partners to wind down previously existing data-sharing projects. The company said it allowed a “small number” of partners to access data about a user’s friends after the data was shut off to developers in 2015. Many of the extensions lasted weeks and months, Facebook said. It isn’t clear when all of the deals ultimately expired or how many companies got extensions.
The vast majority of developers who plugged into Facebook’s platform weren’t aware that the company offered this preferred access or extensions to certain partners, according to the people familiar with the matter.
Privacy experts interviewed by WSJ say it's unlikely users were aware that their data was being accessed in this way.
"I don’t think anyone would have a reasonable understanding of how widespread this was,"said David Vladeck, director of the Federal Trade Commission’s Consumer Protection Bureau from 2009 until 2013 and now a professor at Georgetown Law.
However, the report raises questions about whether Facebook violated the terms of a settlement agreement it struck that year with the FTC. According to the agreement, Facebook is required to give its users "clear" and "prominent" notice before sharing their data.
It also raises questions about whether Facebook CEO Mark Zuckerberg lied to Congress during his April testimony when he said users have "complete control" over their data.
Yesterday, Recode reported that Facebook had unwittingly caused 14 million users' posts to be shared publicly, even though their privacy settings stipulated that they wanted those posts to only be available to friends and family. We also learned early this week that Facebook allowed device makers like Apple carte blanche to access user data. It's been more than two months since the Cambridge Analytica whistleblower forced data privacy among Silicon Valley tech giants into the spotlight. We wonder: now that consumers have an inkling about how their data is being treated, will these issues ever recede?