Facebook users unknowingly gave companies permission to see private messages
Facebook’s integration tools allow for shortcuts like recommending a Netflix hit on the social network, or sharing a Spotify song on Messenger — but those same tools are continuing to raise questions about Facebook’s privacy policies. An investigative report by The New York Times states Netflix and Spotify had access to private messages while Microsoft’s Bing could view the names of friends. In a response to the report, Facebook says that those privacy settings, many of which have been discontinued, were only granted with user permission.
The report, however, suggests that Facebook’s data-sharing with third parties went beyond what users understood they were agreeing to. According to the report, the API allowed major tech companies to see users friends list and even access private messages with vague user consent. The API allowed the tech platforms to enable features like sharing inside a Messenger note.
Responding to the report, Facebook says that none of the features allowed access without users permission. The network also said that the features did not violate the company’s 2012 settlement with the Federal Trade Commission. Facebook says that the tools enabled features like accessing account information from a Windows phone, consolidating feeds from multiple networks, Messenger integration and personalized search results in Bing.
The latest isn’t the only time reports have suggested that Facebook’s permissions options are too vague. Android users that integrated their contacts list with Facebook later found a record of their phone calls inside their Facebook data. Allowing access to an app previously allowed that app to see friends data (who didn’t click that allow button). After the Cambridge Analytica scandal earlier this year, Facebook made several changes to API access and says most of the features in the report have already been discontinued, starting with partnership changes in 2014.
The report, however, suggests that some major tech companies continued to gain access to some data (for users that clicked that “allow” button) after the features were discontinued in 2014. The Times reports that Amazon could see usernames and contact information if a friend granted access, while Yahoo could see friends’ posts, both access that was still happening this summer.
The third-party data in question was governed by business contracts, the report said, which had more than 150 technology companies on the list through 2017 and several still accessing data this year.
Facebook says that it hasn’t found signs of abuse for the data granted to the companies using those business contracts. The company has confirmed that some platforms had access to messages, but says again that was only for users that granted the app permission to access data.
Another type of Facebook data feature coming under fire is the instant personalization feature, which was shut down in 2014. The tool allowed users to personalize search results on places like Yelp and Rotten Tomatoes with information that friends shared. Some still had access to the feature as late as 2017 and Facebook says that was a mistake and the company is continuing to work to limit access.
Facebook says it is already in the process of reviewing API guidelines and how third-party apps access data.