Dec 18, 2018 - Technology

Report: Facebook gave Netflix and Spotify access to private messages

A Facebook protester in London. Photo: Jack Taylor/Getty Images

Facebook gave technology companies more access to personal user data than was previously made public, according to "hundreds of pages of Facebook documents" obtained by the New York Times.

Why it matters: Facebook's privacy practices are the subject of an ongoing investigation by the Federal Trade Commission. Per the Times, the new records portray the "most complete picture yet" of Facebook's practices of sharing its users' data. Facebook has been under intense scrutiny in recent months after it disclosed a major security breach that could have left as many as 50 million users' accounts vulnerable.

Details: Almost all Facebook users' friends could be accessible in Microsoft Bing searches without permission, the NYT reports. Netflix and Spotify had access to users' Facebook messages (Netflix says it never asked for or used the access). Amazon had user contact information and names through their Facebook friends, and even though Facebook said earlier this year that it had stopped sharing friends' posts, Yahoo could see them "as recently as this summer."

Our thought bubble: This undercuts Facebook's claims that it's gotten better at policing privacy over time. Facebook has acknowledged before that it let outside companies access user data for longer than it had previously made clear.

  • Where this story goes further, however, is in showing that data-sharing partnerships allowed for user information to flow out of the social network very recently — implicating some of the biggest players in tech.
  • Facebook is sloppy in some ways (like leaving data access available even after a partner has shut down a feature) but beyond that, these revelations expose how Facebook views user data and privacy: The company thinks it knows better than the users themselves.

The big picture: This will eventually present a business problem for Facebook.

  • The company's PR mantra since the whole Cambridge Analytica scandal erupted in March has been "we don't sell user data." But we're seeing as these scandals unfold that the problem isn't necessarily that the company sells user data, it's that it's sloppy about how it protects and shares data with select partners, which points to a values problem.
  • For now, advertisers (its business lifeline) have largely ignored this issue because Facebook's marketing platform is so effective. But as Facebook tries to expand its ads business and stories like this unfold, the risk associated with having weak user privacy values could compound business interests. Case in point: Netflix and Spotify likely aren't thrilled they are caught up in this story about bad user data privacy practices.

Statement from Facebook:

"Facebook’s partners don't get to ignore people’s privacy settings, and it’s wrong to suggest that they do. Over the years, we’ve partnered with other companies so people can use Facebook on devices and platforms that we don’t support ourselves. Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.
We know we've got work to do to regain people's trust. Protecting people's information requires stronger teams, better technology, and clearer policies, and that's where we've been focused for most of 2018. Partnerships are one area of focus and, as we've said, we're winding down the integration partnerships that were built to help people access Facebook.”
— Steve Satterfield, director of privacy and public policy at Facebook

The bottom line: This large tech company has gone [0] days without a damaging New York Times story.

Go deeper