Facebook has been hit with another data-sharing scandal, again over the access that it gives or gave third parties to the data not only of its users, but also of their friends.
According to a New York Times report, the social network has been sharing way too much data with mobile device manufacturers such as Apple, Samsung, BlackBerry and Amazon—to an extent that could constitute a violation of Facebook’s 2011 privacy deal with the Federal Trade Commission (FTC).
Here’s what you need to know.
Is this like the Cambridge Analytica thing?
It’s certainly connected. Cambridge Analytica was able to get its hands on the data of so many Facebook users—up to 87 million—because Facebook used to make it easy for third parties to get data on Facebook users and everyone with whom those users were connected.
Privacy advocates always thought this was a bad idea, and in 2015 Facebook changed its policies to cut off this access—the Cambridge Analytica data-scraping took place in 2014.
However, it now seems Facebook did not cut off this access for everyone, so millions of people’s data was—and indeed is—still being shared without their knowledge.
Who still has access and why?
Many makers of phones and tablets allow people to use Facebook without actually opening the Facebook app, by integrating some of its functionality into their own software. This means that the software of companies including Apple, Amazon, Samsung, Microsoft and BlackBerry gets to plug into Facebook’s systems and access data that does not belong to the specific person who’s using that software.
The Times piece uses the example of BlackBerry’s Hub app, which aims to consolidate a user’s messages from various platforms—from Facebook notifications to Gmail emails—into one interface. A Times reporter logged into his Facebook account on that app, gaining access not only to detailed information about 556 friends, including sensitive stuff about religious and political leanings, but also to identifying information on 294,258 friends-of-friends.
The issue here is not that a Facebook user can access data about friends and friends-of-friends—it’s that they’re giving a non-Facebook company’s software access to that information.
What does that software do with the data?
The aforementioned reporter used an older BlackBerry device to access all that information—apparently BlackBerry’s more recent, Android-based phones “do not use the same private channels,” per the Times article. A BlackBerry spokesperson told the paper that the Canadian firm “did not collect or mine the Facebook data of [its] customers.”
Apple said it stopped giving iPhones this sort of access to Facebook last September. Microsoft said any data its software got from Facebook stayed on users’ devices and was not uploaded to its own servers. Samsung and Amazon did not respond to the Times’ questions.
Facebook admitted that some of these “service provider” partners did store the data of users and their friends on their own servers.
Is this a problem?
It’s potentially a very big problem for Facebook.
Firstly, it may violate the “consent decree” deal that Facebook struck with the FTC in 2011. That settlement followed complaints from users that Facebook wasn’t allowing them to keep their information on the social network private—Facebook promised to get consent from users before sharing their data with third parties, and to avoid making deceptive claims about its privacy practices.
The Cambridge Analytica scandal already led the FTC to investigate whether Facebook broke this settlement. Now this new scandal could add fuel to the fire, as the data being shared with device manufacturers includes information that people set to private.
Facebook’s take on this is that the device manufacturers are “service providers” rather than third parties of the sort where consent would be needed to share information. It doesn’t think it’s violated the FTC deal, but former FTC official Jessica Rich told the Times that “under Facebook’s interpretation, the exception swallows the rule.”
Then there’s the fact that CEO Mark Zuckerberg told Congress in March that Facebook’s users have “complete control over who sees [their data] and how [they] share it.”
Former Facebook privacy compliance official Sandy Parakilas, now a big-time Facebook critic, told the paper that the device partnerships had been “flagged internally as a privacy issue,” and it was “shocking” that the data-sharing is still going on.
Meanwhile, Facebook said it started winding down the partnerships in April, as they were no longer needed to serve users.
“These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences. And we approved the Facebook experiences they built,” said Facebook’s product partnerships chief, Ime Archibong, in a blog post. “Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”
There’s one extra issue to worry about here: the European Union’s General Data Protection Regulation (GDPR). It only came into force around 10 days ago, but if Facebook is still sharing people’s data without their consent—especially sensitive personal data about things like religious beliefs—then it could be in big trouble in the EU. The company has already been the subject of GDPR privacy complaints, despite the new legal regime’s tender age.