Naked Security

Facebook user data used as bargaining chip, according to leaked docs

Leaked internal docs used to claim "privacy was an afterthought" at Facebook

User privacy is super-duper important, Facebook has said publicly for years out of one side of its mouth, while on the other side it’s been whispering to third-party app developers to come on in and feast – this user data is tasty.

Well, that’s confusing, its own employees have said, according to yet more newly revealed internal discussions.

NBC News, one of a handful of media outlets that got its hands on the documents, said that the cache contains about 4000 pages of leaked company documents that largely span Facebook communications from 2011 to 2015.

(Computer Weekly reported on Monday that it was 7000. At any rate, it was a lot of documents.)

Photos visible to “Only me?” Says YOU

As NBC reports, the documents show that in April 2015, Facebook product designer Connie Yang told colleagues that she’d discovered apps collecting profile data she’d marked as visible only to herself. Yang wrote that apps were displaying her “only [visible to] me” data as being visible to…

…both you and *other people* using that app.

The documents show that even when users locked down their accounts so that their photos and other data were visible to “only me,” that data could still be transferred to third parties.

That’s only one of an ocean’s worth of revelations in the cache of internal documents, which include emails, chats, presentations, spreadsheets, and meeting summaries that show that top Facebook execs – including CEO Mark Zuckerberg and chief operating officer Sheryl Sandberg – mulled the idea of selling access to user data for years.

The internal documents were reportedly leaked anonymously to the British investigative journalist Duncan Campbell. Besides NBC, Campbell – a computer forensics expert – shared them with Computer Weekly and Süddeutsche Zeitung.

NBC reports that Facebook isn’t contesting the documents’ authenticity. It is, however, taking what Computer Weekly dubbed “extraordinary” legal steps to contain the leak, including lodging urgent legal applications on 11 April 2019, asking that two suspected leakers from Six4Three be questioned in court.

The leak that turned into a flood

If this all sounds familiar, it’s because we’ve already heard about a subset of this new cache.

A few months ago, Facebook staff’s private emails – NBC says it was about 400 documents – were published in connection with the British Parliament’s inquiry into fake news, after the CEO of former “wanna see your gal pals in bikinis?” app developer Six4Three handed the goodies to MP Damian Collins.

Six4Three has been battling Facebook in court for years over the shutdown of access to user data, which in effect killed its “Pikinis” app.

The new documents reportedly show that other apps that starved to death after the 2015 cut-off of broad access to user data include Lulu, an app that let women rate the men they dated; an identity fraud-detecting app called Beehive ID; and Swedish breast cancer awareness app Rosa Bandet (Pink Ribbon).

Six4Three has alleged that the internal emails show that in spite of what Facebook claimed after the Cambridge Analytica situation exploded, the company was not only aware of the implications of its privacy policy but also exploited them actively.

“Sort of unethical”

The newly leaked documents show that internally, employees compared Facebook’s uneven playing field for app developers to villains from Game of Thrones. One employee, senior engineer David Poll, called the treatment of outside app developers “sort of unethical,” the documents reportedly show.

Yes, Facebook has said, it did explore ways to build a sustainable business by selling user data access to developers. What company doesn’t explore ways to make money, after all? But ultimately, as the company told NBC, it decided against pursuing the plans.

NBC highlighted one email from Zuckerberg in which he shrugs off the risks of having any user data leak were the company to share it with developers. The outlet quoted from an email Zuck sent to a close friend, the entrepreneur Sam Lessin:

I’m generally skeptical that there is as much data leak strategic risk as you think. I think we leak info to developers but I just can’t think of any instances where that data has leaked from developer to developer and caused a real issue for us.

That “real issue” became really real within a year, when Facebook had what director of engineering Michael Vernal called a “near-fatal” brush with a data privacy breach when a third-party app came close to disclosing Facebook’s financial results ahead of schedule.

The response from Avichal Garg, then director of product management:

Holy crap.


DO NOT REPEAT THIS STORY OFF OF THIS THREAD. I can’t tell you how terrible this would have been for all of us had this not been caught quickly.

What do you think – are we looking at cherry-picked communications, as Facebook understandably suggests, taken out of context and designed to bolster Six4Three’s argument in its acrimonious and long-running lawsuit, or at a genuine smoking gun?
