Facebook allowed Netflix and Spotify to access users’ private messages

19 Dec 2018

Netflix tab. Image: chrisdorney/Depositphotos

An explosive new story unveils just how much access to user data Facebook offered other tech firms.

The New York Times yesterday (18 December) revealed that Facebook shared larger amounts of user data than previously thought with major firms that it categorised as data partners, such as Netflix, Microsoft and Spotify.

The newspaper obtained internal documents that demonstrated how Facebook arranged to share data with more than 150 companies. According to the report, many of the partnerships go back as far as 2010, while some were still in effect this year.

Access to user messages

The report alleges that some of the so-called ‘data partners’ were able to access the private messages of users, including the ability to read, compose or delete messages. Both Spotify and Netflix stated they had not been aware such access had been granted in separate statements to the newspaper.

The New York Times said: “Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread – privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show.” Other companies, such as Amazon, were able to see user names and contact data through their Facebook friends.

The piece outlined three types of data partnerships. The first are ‘integrations’, which refer to custom-built apps for original equipment manufacturers (OEMs). These require data exchange as they are integrated with phone operating systems.

The second type of partnership is the now-dead programme dubbed ‘instant personalisation’. This defunct feature opted every user of Facebook in by default and was eventually killed off in 2014. The newspaper reported that Microsoft search engine Bing still had access to the data through 2017. It is worth noting that the data here was anything the Facebook user had marked as ‘public’.

A final form of partnership comes in the shape of one-off deals with firms such as Netflix that granted partners read-and-write access to user messages.

A company response

While Facebook’s privacy policy has disclosed shared partnerships since 2010, it has not explicitly outlined who it is sharing with and what it is sharing. Steve Satterfield, the company’s director of privacy and public policy, said that partners at Facebook “don’t get to ignore people’s privacy settings, and it’s wrong to suggest that they do”.

He explained: “Over the years, we’ve partnered with other companies so people can use Facebook on devices and platforms that we don’t support ourselves.

“Unlike a game, streaming music service or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.” The company also highlighted the benefits of data sharing, including increased personalisation of a user’s internet experience.

Satterfield said the company knows it has work to do to regain the trust of its users and added that this has been the main focus in 2018. He noted that the integration partnerships at the company are being wound down.

The firm also stated it has found no evidence of abuse by its partners, but did admit to some partnership mismanagement. The company denied it had violated a 2011 consent agreement with the Federal Trade Commission that barred it from sharing user data without permission. Satterfield said that the agreement “did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself – service providers that allowed users to interact with their Facebook friends”.

Netflix tab. Image: chrisdorney/Depositphotos

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects