Updated at 7:35 p.m. ET
Facing new accusations about how it handles users’ data, Facebook says “we disagree” with reports that the company exposed a wealth of private information to other tech giants as part of its plan to become ubiquitous on mobile devices.
Facebook says it made deals with about 60 companies, from Apple, Amazon and Blackberry to HTC, Microsoft and Samsung, to “recreate Facebook-like experiences” on their devices.
The data-sharing partnerships, made a decade ago, were highlighted by The New York Times, which reports that in some cases, “device makers could retrieve personal information even from users’ friends who believed they had barred any sharing.”
Facebook denies that claim, issuing a statement saying that information from users’ contacts “was only accessible on devices when people made a decision to share their information with those friends.”
“We are not aware of any abuse by these companies,” Facebook adds.
In an interview with NPR Monday, Apple CEO Tim Cook, said his company has never received or requested personal data under deals with Facebook.
“The things mentioned in the Times article about relationship statuses and all these kinds of stuff, this is so foreign to us, and not data that we have ever received at all or requested — zero,” he said.
“What we did was we integrated the ability to share in the operating system, make it simple to share a photo and that sort of thing,” Cook added. “So it’s a convenience for the user. We weren’t in the data business. We’ve never been in the data business.”
The new accusations center on Facebook’s use of special APIs — application programming interfaces — that it created to allow users’ data and profile information to be integrated into devices.
Facebook says it also shared the data so that users of Apple, Samsung and other devices could get notifications, add friends and have the ability to like things online. But the Times says Facebook provided far-ranging access — and possibly broke rules in a 2011 consent decree with the Federal Trade Commission, in which Facebook agreed that its users’ data wouldn’t be shared with third parties without their consent.
The data-sharing arrangements date from as early as 2008; most of them continue through to today, although Facebook began dismantling some of the deals in April — the same month its founder and CEO Mark Zuckerberg testified about privacy protections and political propaganda in Congress.
To test how much access was granted to a device, the Times says that when it recently had a reporter log in to his Facebook account on a Blackberry from 2013 (when the company still used its proprietary operating system), the device retrieved personal information about the reporter’s 500 friends. It also gathered “identifying information for nearly 295,000 Facebook users” by retrieving data on second-degree contacts, the newspaper said.
That happened, the Times’ Michael LaForgia said via Twitter, despite having deleted the Facebook app from the phone. The data transfer was based on a connection the phone’s software was allowed to make, directly to Facebook’s information.
In response, Facebook said, “Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.”
Many online companies use APIs — including NPR, which relies on them to distribute online stories to member stations. Here’s how we described it, back in 2013:
“Think of an API as a side door that allows you to retrieve data from a guarded room. Once you’ve gained access, you’re able to share data with the owner of the API and use their data to suit your needs.”
That data from NPR is meant to be public — unlike the majority of Facebook users, who don’t want their information broadly disseminated. In the case of the private APIs that Facebook supplied to the makers of phones, tablets, smart TVs, and other devices, the company’s VP of Product Partnerships, Ime Archibong, said in the company’s statement that it had “controlled them tightly.”
The agreements required the third-party companies to use the information only for the intended purpose of integrating features into users’ devices, Facebook says.
The first such data-sharing deal was struck more than 10 years ago, Facebook said in its statement, which describes the use of private APIs as part of its response to consumers’ migration to mobile devices. The deals were struck around the same time the first iPhone was introduced, and when Facebook launched its first mobile website.
“At the time there were no app stores and this was standard industry practice,” Facebook said via Twitter.
“This is very different from the public APIs used by third-party developers, like Aleksandr Kogan,” Archibong said on Monday, referring to the Cambridge University-affiliated researcher who is a key player in the Cambridge Analytica scandal.
Kogan developed an app that required people to sign in using their Facebook accounts — and that then harvested data about those users and their friends, that was then used by Cambridge Analytica to develop psychological profiles of U.S. voters ahead of the 2016 presidential election.
All of those things transpired despite Facebook’s stated privacy policies about how third-party developers could use and share users’ data.
“When we heard back from Cambridge Analytica that they had told us that they weren’t using the data and deleted it, we considered it a closed case,” Zuckerberg said on Capitol Hill in April. “In retrospect, that was clearly a mistake. We shouldn’t have taken their word for it.”
In March, the FTC confirmed that it is investigating the Cambridge Analytica case, with Tom Pahl, acting director of the FTC’s consumer protection bureau, citing substantial concerns about Facebook’s privacy practices.
The FTC declined an email request to comment for this story.
In its response to the Times article, Facebook says that with the current dominance of iOS and Android operating systems, it’s been “winding down” access of APIs. The company says it has already ended 22 of the partnerships.