Skip to content
Naked Security Naked Security

Facebook denies sharing private messages without user knowledge

Facebook hit back at press reports this week that highlighted a deep network of privileged data-sharing partnerships between the social media company and other large organisations.

Facebook hit back at press reports this week that highlighted a deep network of privileged data-sharing partnerships between the social media company and other large organisations.
The bi-lateral relationships saw companies including Amazon, Netflix, Microsoft and Spotify exchange user data that helped both them and Facebook extend their reach by learning more about their users, often without those users being aware. They also extended to businesses in other sectors ranging from finance to the auto industry.
The New York Times explained that there were over 150 of these partnerships, so many that the social network giant needed a technology tool to keep track. Some of the deals raised privacy concerns due to the private information that they exchanged, the paper said.
Information flowed both ways. Not only could partners see data including the contact details of peoples’ friends and some private messages, but Facebook also received data about individuals from those companies:

Among the revelations was that Facebook obtained data from multiple partners for a controversial friend-suggestion tool called “People You May Know.”

The story sheds new light on a pattern of relationships that Facebook had already announced in 2010 at its F8 conference. Called instant personalization, it shared Facebook user information with other websites to help them personalize a person’s experience when they visited. The company closed down the instant personalization feature, which shared public data, but the New York Times story is one of several that documented links between Facebook and some companies that existed beyond that point.
In some cases, those relationships persisted until this year. In June, Reuters revealed data sharing partnerships between Facebook and four companies including Huawei, which the US government has labelled a security risk.
In its blog post responding to the news report, Facebook argued that it wasn’t giving away any information that it wasn’t entitled to share:

To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC.


The consent decree stemmed from a 2011 FTC case against Facebook that accused it of sharing information that people had thought was private. The settlement required Facebook’s provision of…

…clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.

According to the Times, Facebook executives deem these partnerships exempt from the settlement. It views those companies as service providers and therefore an extension of the social network, it said. However, the Times also quoted former FTC officials that disputed that notion and believed that the company may have violated the agreement.
Instant personalization was reportedly switched on by default in 2010, meaning that users had to explicitly opt out by navigating the company’s privacy settings. Facebook also explained what it was doing in relatively vague terms in its data policy. In January 2013, after it had reached its consent decree with the FTC, the policy said:

We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you use.

It updated its policy in April, coinciding with a decision to restrict developer access to its APIs. The policy now clarifies the definitions of companies that it shares data with, along with the data that it shares. It also says that it is taking further steps to tighten up third-party access to user data.
In another blog post yesterday, Facebook took issue with another assertion, that companies had been able to read users’ private messages without their knowledge. Not so, it said. It gave four partners – Spotify, Netflix, Dropbox and the Royal Bank of Canada – read/write access to peoples’ messages, sure, but only so they could use Facebook Messenger to tell people what Spotify tracks they were listening to, what they were watching on Netflix, send links to Dropbox folders, or acknowledge money transfers.
It said:

These experiences were publicly discussed. And they were clear to users and only available when people logged into these services with Facebook.

In spite of its assertions that it didn’t violate any legal agreements or user rights, Facebook did offer a mea culpa in its first blog post:

Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them.

It added:

We shouldn’t have left the APIs in place after we shut down instant personalization.

All of which is to say that Facebook has a long journey ahead if it hopes to win back the trust of many users.

3 Comments

This part is very troubling:
“It gave four partners – Spotify, Netflix, Dropbox and the Royal Bank of Canada – read/write access to peoples’ messages, sure, but only so they could use Facebook Messenger to tell people what Spotify tracks they were listening to, what they were watching on Netflix, send links to Dropbox folders, or acknowledge money transfers.”
If I understand the intended functionality correctly, if a user chooses to link NetFlix and Facebook together in this way, a NetFlix service could automatically post a Facebook message on behalf of that user when some event triggered it — such as watching a specific show. That’s fine, for people who for some reason might want that and understand it. And that may require a “write” access of some sort, or better, some kind of specific delegated “post on behalf of” function. But none of that explains why these 3rd party companies ever required READ access to Facebook users’ messages.
This is security 101 — only grant the minimum privileges required to perform the job at hand. Nothing in this description by Facebook seems to warrant Read/Write unless I fail to grasp the functionality being provided.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?