Facebook allowed several large tech companies to access your data
posted Saturday Dec 22, 2018 by Scott Ertz
In what is becoming a year that Facebook executives would certainly like to forget, we have seen a number of examples of Facebook giving data access to third parties, often without the knowledge and permission of the people affected. Sometimes it has been on accident, as was the case with Cambridge Analytica and their data breaches. In other cases, it was with full knowledge on their part, if not on the part of those receiving it.
It was revealed this week in another New York Times expose that Facebook granted exceedingly complex data access to some of the largest companies in the tech world, like Yahoo, Netflix, and Spotify. While all of the companies had more access than advertised, not all of them had access to the same information. Their access also extended well beyond the death of their overambitious product features.
For example, in 2014, Netflix implemented the ability for users to send messages to other users through Facebook Messenger. They would usually be prompted after finishing a movie to share the film with their friends. Because of the way Messenger worked at the time, they had to get access to the API to allow the messages to be sent (fortunately this is no longer the case). What the company believed they could do was initiate a message with a friend including a link. What they were given was access to every authorized users' messenger accounts, including the ability to read, write, and delete all messages in the account. The company claims they had no knowledge of these elevated privileges and never used any of the extra abilities. The feature was discarded in 2015.
Yahoo also received elevated privileges when they launched their "facebar" feature in 2011. The idea was to be able to present you with articles and information that had been seen by your friends on Facebook, making the experience of Yahoo more social. As expected, the feature was never popular, partially because Yahoo hadn't had the Marissa Mayer makeover and subsequent user bump, and partially because it was just too early for such a feature. However, Yahoo retained access to the registered users' news feeds.
Facebook tried to clarify the capabilities, but didn't do a great job of it,
Specifically, we made it possible for people to message their friends what music they were listening to in Spotify or watching on Netflix directly from the Spotify or Netflix apps (see screen shots below), to message links to Dropbox folders (like a collection of photographs) from the Dropbox app, and to message receipts from money transfers through the Royal Bank of Canada app.
In order for you to write a message to a Facebook friend from within Spotify, for instance, we needed to give Spotify "write access." For you to be able to read messages back, we needed Spotify to have "read access." "Delete access" meant that if you deleted a message from within Spotify, it would also delete from Facebook. No third party was reading your private messages, or writing messages to your friends without your permission. Many news stories imply we were shipping over private messages to partners, which is not correct.
In the screenshots mentioned in the quote, you can see that delete the capability was not available within Spotify. In fact, by the look of it, you couldn't even read those messages within the app (though perhaps you could). Netflix had a similar capability, where messages were not integrated deeply into the app, just the ability to send. The most interesting aspect of the post was the mentioning of the program being shut down 3 years ago. However, Netflix still apparently had access (though they claim they didn't know) in 2017. For those of you keeping track, that is less than 3 years ago.
The stock market has responded, with the price of the stock dropping over $20 per share. There has also been another round of users closing their accounts. All of this could signify the beginning of the end of Facebook's dominance in the social media world. If this isn't the nail in their coffin, they'll certainly find a way to do it themselves.