Around 60 device manufacturers, including Samsung, Apple and Amazon, were allegedly given privileged access to data on Facebook users and their friends, according to a report in the New York Times.
According the report, device manufacturers were able to access data on users’ friends without their friends’ explicit consent. It also alleges that some device manufacturers could retrieve data on users’ friends even when those friends had placed restrictions on how their data could be accessed.
According to a follow-up statement from Facebook titled “why we disagree with The New York Times,” friends’ information “was only accessible on devices when people made a decision to share their information with those friends.”
The New York Times claims the data sharing agreements helped device manufacturers identify their users’ political and religious affiliations, relationship statuses and other data.
Facebook has been criticized by lawmakers and privacy advocates over the access afforded to developers through its public APIs, which are entirely distinct from its “device-integrated” APIs. The latter are only available to device manufacturers, while the former are open to third-party developers.
Facebook placed a swathe of new restrictions on its public APIs in 2014 which it claims will stop apps like those developed by Aleksandr Kogan, which retrieved data on 87 million users and their friends, from accessing as much data today.
According to the New York Times, device-integrated APIs have been available since 2007. The APIs were initially offered to assist hardware manufacturers in creating “Facebook-like” experiences on their devices and at a time when there were no app stores. According to Facebook, the data sharing agreements with device manufacturers were “controlled…tightly from the get-go.”
Some commentators have raised concerns that the access allegedly afforded to device manufactures contravenes Facebook’s consent decree with the Federal Trade Commission (FTC).
The decree requires Facebook to obtain “consumers’ express consent before their information is shared beyond the privacy settings they have established.” The consent decree emerged in the wake of the FTC’s contention that the social network had made some of its users’ information public without their explicit consent.
Consequently, Facebook was to be subject to regular privacy audits for the next 20 years. According to Wired, one such audit conducted by PricewaterhouseCoopers (PwC) for the period February 2015 to February 2017 gave Facebook the all-clear, despite the discovery over Cambridge Analytica’s misuse of data in late 2015.
Following reports on the misuse of data by Cambridge Analytica, the FTC announced another investigation into the social network’s activities earlier this year.
Meanwhile, Facebook claims its sharing of data with device manufacturers is entirely consistent with the consent decree as it considers device manufacturers as extensions of Facebook. It also claims the data sharing agreements restrict device manufacturers to providing “Facebook-like” experiences.
“Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of ‘the Facebook experience,’” said an official Facebook spokesperson.