Your Smartphone Was Probably Sharing Your Friends’ Facebook Data Behind Your Back

Facebook CEO Mark Zuckerberg makes the keynote speech at F8, Facebook's developer conference, Tuesday, May 1, 2018

Facebook CEO Mark Zuckerberg makes the keynote speech at F8, Facebook's developer conference, Tuesday, May 1, 2018 Marcio Jose Sanchez/AP

These new revelations could spell more trouble for Facebook.

Following the Cambridge Analytica scandal, Facebook promised its users they would have full control over their data, noting that it cut off third-party access to detailed friend information back in 2015. But according to a New York Times story, Facebook hasn’t been counting mobile devices as third parties, leaving companies like Blackberry, Samsung, and Apple an open door to take and store information without explicit user consent.

The Times found that because of this loophole, a 2013 Blackberry device using a Facebook account with 556 friends could access the data of hundreds of thousands of people without their permission. They report that some devices could get information such as religion, political preferences, or relationship status.

In a blog post on Sunday, Facebook’s VP of product partnerships, Ime Archibong, said the company disagreed with the implications of the Times’ reporting. He said that in the early days of mobile internet—before Facebook had a standalone app—the company partnered up with device-makers to make Facebook-like features (such as messages and like buttons) available to their users. They did this through what are known as application programming interfaces, or APIs. Writes Archibong:

Given that these APIs enabled other companies to recreate the Facebook experience, we controlled them tightly from the get-go. These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences. Partners could not integrate the user’s Facebook features with their devices without the user’s permission.

Archibong says that friends’ information was only accessible on devices where people explicitly decided to share their information. “We are not aware of any abuse by these companies,” he writes.

In a statement sent to Quartz, Blackberry downplayed concerns of impropriety as well:

BlackBerry has always been in the business of protecting, not monetizing, customer data. This is as true today in our growing enterprise and embedded software business as it was when our smartphones dominated the market more than a decade ago. Those same data protection principles were applied to the BlackBerry Facebook app which was developed using a Facebook device-integrated API for BlackBerry which enabled our handset customers to access Facebook functionality on their BlackBerry devices. At no time did BlackBerry collect or mine the Facebook data of our customers. Furthermore, the strong partition present on BlackBerry handsets along with the comprehensive permission model and app isolation techniques we employ would prevent any unauthorized access to our user’s private data.

Apple, whose CEO has criticized Facebook over its privacy holes, told the Times that it had used its access to allow users to post photos without opening the Facebook app. Quartz reached out to Apple, Blackberry, Amazon, and Samsung for comment, and will update this story with any response.

Archibong noted that Facebook’s APIs have been used less in recent years, presumably because people use the Facebook app directly on their iOS and Android phones (Quartz asked Facebook for clarification).That’s why in April, after the Cambridge Analytica scandal, the company announced that it was phasing out access to them.

But the new revelations could spell new trouble for Facebook, which is already facing an investigation from the Federal Trade Commission over potential violations of a consent decree the two organizations signed in 2011. A crucial part of the consent decree refers to sharing data without user consent.

On Monday, Facebook went on the offensive, echoing to politicians on Twitter Archibong’s point that data was never integrated onto devices without users’ permission.