Tech giants deny they ever looked at the private messages Facebook let them access

Facebook illicitly gave companies access to users' private messages; companies claim they never peeked

By Nicole Karlis

Senior Writer

Published December 19, 2018 7:21PM (EST)

Mark Zuckerberg (AP/Marcio Jose Sanchez)

For anyone who ever sent so-called private messages over Facebook Messenger, this week’s second bombshell report about the tech behemoth's privacy infractions might make you second-guess whether your Facebook messages were ever really private to begin with.

Late Tuesday night, the New York Times reported that it obtained internal Facebook documents detailing how the social media company arranged to share data with more than 150 companies. The deals were meant to benefit both parties, Facebook and each partner, as part of an all-encompassing growth strategy. Specifically, Facebook could acquire more users from its partners through third-party integrations adding new features to its product, and in return partners could access private Facebook data, eschewing Facebook's privacy rules and what it had promised users.

Specifically, the report claims companies like Netflix, Spotify, and the Royal Bank of Canada had the “ability to read Facebook users' private messages.”

As the Times explains:

Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show. Facebook acknowledged that it did not consider any of those three companies to be service providers. Spokespeople for Spotify and Netflix said those companies were unaware of the broad powers Facebook had granted them. A spokesman for Netflix said Wednesday that it had used the access only to enable customers to recommend TV shows and movies to their friends.

The internal documents obtained by the Times have not been made public. In addition to reviewing the documents, The Times interviewed over 60 former employees of Facebook and its partners, former government officials and privacy advocates, according to the report.

It is unclear what these companies would need such invasive data for, whether they still have it, and what they plan to do with it. A Spotify spokesperson further explained to Salon in an email that it currently cannot read users’ private Facebook inbox messages.

“Spotify’s integration with Facebook has always been about sharing and discovering music and podcasts,” the spokesperson said. “Spotify cannot read users’ private Facebook inbox messages across any of our current integrations. Previously, when users shared music from Spotify, they could add on text that was visible to Spotify. This has since been discontinued. We have no evidence that Spotify ever accessed users’ private Facebook messages.”

Spokespeople for Spotify and Netflix told the New York Times they were unaware of the authority Facebook had granted them.

A spokesperson for Netflix told Salon that Facebook’s integration partnership with the company was part of its effort to make Netflix “more social.”

“One example of this was a feature we launched in 2014 that enabled members to recommend TV shows and movies to their Facebook friends via Messenger or Netflix,” the spokesperson said. “It was never that popular so we shut the feature down in 2015. At no time did we access people’s private messages on Facebook, or ask for the ability to do so.”

The report also surfaced an interesting partnership between Amazon and Facebook, claiming that Amazon can obtain users’ names and contact information through their friends.

As journalist Kashmir Hill at Gizmodo pointed out, that could explain why, for example, some users' book reviews would be suspiciously blocked without explanation.

When asked about this partnership, Amazon gave Salon the same boilerplate statement that was given to other publications.

“Amazon uses APIs provided by Facebook in order to enable Facebook experiences for our products,” the spokesperson said. “For example, giving customers the option to sync Facebook contacts on an Amazon Tablet. We use information only in accordance with our privacy policy.”

The spokesperson declined to answer additional questions.

Since the report was published, Konstantinos Papamiltiadis, Director of Developer Platforms and Programs at Facebook, has written a blog post corroborating that these integration partners had access to messages.

“But people had to explicitly sign in to Facebook first to use a partner’s messaging feature,” Papamiltiadis wrote. “Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.”

The fact is, the details of each integration deal remain hazy. Overall, though, the privacy-violating horror show has brought to light the price of personalization online, and the haphazardness of tech companies when it comes to handling consumer data. The mess of different explanations provided by different companies and reporters also sheds light on the uncertainty over whether or not these companies still have access to the data — and if they do, what they will do with it. (Salon reached out to multiple companies to ask this exact question, and will update if or when we hear back.)

The whole debacle is comparable to the technical confusion that enabled Cambridge Analytica to collect data about Facebook users’ friends without consent. Despite this feature being removed since the Cambridge Analytica scandal broke, the New York Times reports these partnership integration deals were still all active in 2017. Some reportedly were in effect this year.

Papamiltiadis addressed this in his blog post, too, writing:

Instant personalization only involved public information, and we have no evidence that data was used or misused after the program was shut down. However, we shouldn’t have left the APIs in place after we shut down instant personalization. We’ve taken a number of steps this year to limit developers’ access to people’s Facebook information, and as part of that ongoing effort, we’re in the midst of reviewing all our APIs and the partners who can access them. This is important work that builds on our existing systems that track APIs and control who can access them.

Facebook's said these kinds of things before; indeed, after every privacy breach, they seem to make a similar set of promises. Does anyone believe them anymore?



Nicole Karlis is a senior writer at Salon, specializing in health and science. Tweet her @nicolekarlis.
