Do you know where your data is? Maybe not — but this time it's not because you checked "agree" without reading a privacy statement. Reports of Facebook's data-sharing partnerships with phone manufacturers, including Apple, Samsung, and Microsoft, have brought the social network's privacy policies under further scrutiny.
In March, reports that political consulting firm Cambridge Analytica gained access to millions of Facebook users' data in 2014 threw a spotlight on Facebook's privacy policies and its potential breach of a 2011 "consent decree" agreement with the Federal Trade Commission (FTC). At the time, Facebook assured users that it had already fixed the issue in 2015, when it prevented developers from acquiring the data of users' friends.
In a statement to Congress in March, Facebook CEO Mark Zuckerberg also said that users have “complete control over who sees [their data] and how [they] share it.”
However, this latest development in the story of Facebook's data privacy policies might seem to suggest otherwise.
Former Facebook privacy compliance official Sandy Parakilas told The New York Times that the device partnerships had been seen as a potential problem since 2012. "This was flagged internally as a privacy issue," he said. "It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled."
According to a Facebook blog post written by Vice President of Product Partnerships Ime Archibong, the partnerships were initially forged to help Facebook expand onto mobile phones. Before app stores, he says, "companies like Facebook, Google, Twitter and YouTube had to work directly with operating system and device manufacturers to get their products into people’s hands." According to Archibong, "These partners signed agreements that prevented people's Facebook information from being used for any other purpose than to recreate Facebook-like experiences."
According to an investigation by The New York Times, however, the device partners have access to a wide range of user's personal information, including relationship status, political leanings, and upcoming events. Apparently, third-party device companies are not viewed as outside parties within Facebook, which allows them access to a user's Facebook friends, and even those who have set their privacy settings to prevent third parties from viewing their personal information. Bustle has reached out to Facebook for comment on the claims that users' personal data may have been at risk.
In response to the New York Times investigation, the device partners spoke out to reassure customers. A statement from BlackBerry given to The Times said the company only used Facebook data to give users access to their own Facebook networks and messages. An Apple spokesperson said Facebook data had been used in a feature that allowed users to post photos to Facebook without opening the app, but added that Apple phones no longer have such access as of September 2017. Samsung and Amazon declined to comment.
While Archibong said in his statement that Facebook is not aware of any privacy breaches by the device partners, privacy advocates are not so sure.
"It's worrying that so many companies had access to this data, particularly in light of security and privacy concerns," Michael Veale, a technology policy expert at University College London, told CNN Tech. He added that it is "hugely possible that other apps on some devices could have been mining this data if the privacy and security controls were lax."
Especially in light of the European Union's passage of the General Data Protection Regulation (GDPR) last week, which enforces stricter guidelines for user consent around data sharing, this revelation could prove difficult for Facebook. Whether or not third-party device companies were data-scraping for more nefarious reasons, the fact that they had such unfettered access at all is what seems to be worrying experts.
Henning Schulzrinne, a computer science professor at Columbia University, told The New York Times, “I am dumbfounded by the attitude that anybody in Facebook’s corporate office would think allowing third parties access to data would be a good idea."