Facebookâs Data Sharing: 5 Takeaways From Our Investigati…
You are the product: That is the deal many Silicon Valley companies offer to consumers. The users get free search engines, social media accounts and smartphone apps, and the companies use the personal data they collect â your searches, âlikes,â phone numbers and friends â to target and sell advertising.
But an investigation by The New York Times, based on hundreds of pages of internal Facebook documents and interviews with about 50 former employees of Facebook and its partners,reveals that the marketplace for that data is even bigger than many consumers suspected. And Facebook, which collects more information on more people than almost any other private corporation in history, is a central player.
Here are five takeaways from our investigation.
Facebook deals in data
âWe donât sell data to anyone,â Mark Zuckerberg, Facebookâs founder, told Congress during a hearing in April. His pledge â that the torrent of data Facebook collects from its 2.2 billion users will always remain safely in Facebookâs hands â has been a cornerstone of the companyâs defensive strategy this year, as lawmakers, regulators and activists have pummeled the social network over a series of privacy breaches and public relations blunders.
While it is true that Facebook hasn’t sold usersâ data, for years it has struck deals to share the information with dozens of Silicon Valley companies. These partners were given more intrusive access to user data than Facebook has ever disclosed. In turn, the deals helped Facebook bring in new users, encourage them to use the social network more often, and drive up advertising revenue.
Facebookâs largest partners got far more access than Cambridge Analytica did
But The Timesâs investigation reveals that Facebook continued to give huge tech companies, including Microsoft and Amazon, access to much more: the data of hundreds of millions of people a month, including email addresses and phone numbers â without usersâ knowledge or consent.
Facebook never directly told users that it was sharing this data
Internal documents obtained by The Times show that Facebook shared data with more than 150 companies â most of them tech businesses, but also automakers, media organizations (including The Times) and others.
While Facebook users can control what data they share with most of the thousands of apps on Facebookâs platform, some companies had access to usersâ data even if they had disabled all sharing. Many of the partnersâ applications never even appeared in Facebookâs user application settings. According to Facebook, each of the outside companies acted as an extension of the social network. Any information a user shared with friends on Facebook, the company argues, could be shared with these partner companies without additional consent.
Facebook was sloppy
The data partnerships date to 2010, at the start of a period of headlong growth and expansion for Facebook. Within a few years, the social network had struck so many of these deals that Facebook employees built a tool to track the different types of access the partners had.
Despite this, Facebook appears not to have kept close tabs on how its usersâ data flowed out into the world. A Russian social media company, Yandex, that has been accused of having overly close ties to the Kremlin, still had access to Facebookâs unique user IDs for years after Facebook had cut off other applications from the data, citing security concerns.
Likewise, Facebook gave Yahoo the ability to display a Facebook userâs news feed â including friendsâ posts â on the search companyâs home page. Yahoo got rid of the feature in 2012. But as of last year, it still had access to data for close to 100,000 people a month.
Regulators let it happen
Under the terms of a 2011 consent agreement with the Federal Trade Commission, Facebook was required to strengthen privacy safeguards and disclose data practices more thoroughly. The company hired an independent firm, PricewaterhouseCoopers, to formally assess its privacy procedures and report back to the F.T.C. every two years.
Four former officials and employees of the F.T.C., briefed on The Timesâs findings, said the data-sharing deals likely violated the consent agreement, since users had no way of knowing which companies Facebook had shared their data with, and no clear means of granting or withholding permission. At least one assessment by PricewaterhouseCoopers, in 2013, found that Facebook had done little to ensure that the shared data was appropriately safeguarded.
Facebook maintains that the partnerships are covered by an exemption to the consent decree. A spokeswoman for the F.T.C., which last spring opened a new investigation into Facebook, declined to say whether the commission agreed.