Facebook Defends Against Device-Integrated APIs Policy, But Concerns Remain

Facebook is again in hot water after an article alleged it struck deals with device-makers to access users’ data.

Facebook is hitting back against a New York Times article alleging that it struck deals enabling phone-makers to access users’ personal information. The incident is yet another blow to the social media giant as it continues to deal with questions and outrage over its data privacy policies.

The article, posted Sunday, said Facebook reached data-sharing partnerships with at least 60 device-makers — including Apple, Amazon, Microsoft and Samsung — over the last decade. While these deals enabled the vendors to offer customers integrated features with Facebook, like messaging and address books, the New York Times said that it found that they could also access the data of users’ friends without their consent.

The article alleges that these partnerships “raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission,” which requires the social network to receive explicit permission from users in regards to sharing their data with third parties.

Facebook on Sunday published a blog defending its device-integrated API policies: “While we agreed with many of their past concerns about the controls over Facebook information shared with third-party app developers, we disagree with the issues they’ve raised about these APIs,” Ime Archibong, vice president of product partnerships at Facebook, said in the post.

Facebook is under heightened scrutiny after an acknowledgement earlier this year that since 2015 a third-party application had handed over the data of up to 50 million platform users through developer Aleksandr Kogan to Cambridge Analytica – a consulting group that has worked on several high-profile political campaigns, including that of President Donald Trump’s.

However,  Archibong stressed that Facebook’s device API policy is very different from the public APIs used by developers like Kogan: “These third-party developers were not allowed to offer versions of Facebook to people and, instead, used the Facebook information people shared with them to build completely new experiences,” he said.

Archibong said in the post that Facebook’s device partnerships “were built on a common interest — the desire for people to be able to use Facebook whatever their device or operating system” — not necessarily the intent of collecting data.

Partners signed agreements preventing personal information “from being used for any other purpose than to recreate Facebook-like experiences,” he said. In addition, Archibong said that fewer partners now rely on APIs – and the company announced in April it was winding down access to them, already ending 22 of the partnerships.

However, Archibong did not specify in his post what data was collected, or what the agreements entailed. Facebook did not respond to a request for comment from Threatpost.

Michelle De Mooy, director of the Center for Democracy and Technology’s Privacy and Data Project, told Threatpost that the incident once again undermines trust in the data ecosystem and highlights the misalignment between Facebook’s understanding of reasonable data-sharing and its users’ understanding.

“It also points to the problem of using notice and consent to protect privacy and consent decrees as an enforcement tool,” she said. “Individuals cannot be expected to be able to weigh the risks and benefits of sharing their personal information, when the transaction is mostly completely opaque by design and they can’t trust what companies are telling them.”

Meanwhile, the FTC told Threatpost it didn’t have any comment in regards to the New York Times article, but pointed to a statement it released in March confirming an investigation of Facebook’s privacy practices:

“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers… Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”

Amazon, Apple and Samsung also did not respond to a request for comment.

 

Suggested articles