Facebook Inc. FB -7.25% struck customized data-sharing deals that gave select companies special access to user records well after the point in 2015 that the social network has said it walled off that information, according to court documents, company officials and people familiar with the matter.
Some of those and other agreements, collectively known internally as “whitelists,” also allowed certain companies to access additional information about a user’s Facebook friends, the people familiar with the matter said. That included information like phone numbers and a metric called “friend link” that measured the degree of closeness between users and others in their network, the people said.
The whitelist deals were struck with companies including Royal Bank of Canada and Nissan Motor Co. , who advertised on Facebook or were valuable for other reasons, according to some of the people familiar with the matter. They show that Facebook gave special data access to a broader universe of companies than was previously disclosed. They also raise further questions about who has access to the data of billions of Facebook users and why they had access, at a time when Congress is demanding the company be held accountable for the flow of that data.
Many of these customized deals were separate from Facebook’s data-sharing partnerships with at least 60 device makers, which it disclosed this week. Several lawmakers and regulators have said those device-maker arrangements merit further investigation.
Data-Security Concerns Threaten Trust in Tech Companies
Tech-company executives at The Wall Street Journal's D.Live conference in Hong Kong responded to concerns over data security in the wake of Facebook's privacy scandal.
Facebook officials said the company struck a small number of deals with developers largely to improve the user experience, test new features and allow certain partners to wind down previously existing data-sharing projects. The company said it allowed a “small number” of partners to access data about a user’s friends after the data was shut off to developers in 2015. Many of the extensions lasted weeks and months, Facebook said. It isn’t clear when all of the deals ultimately expired or how many companies got extensions.
Most developers who plugged into Facebook’s platform weren’t aware that the company offered this preferred access or extensions to certain partners, according to the people familiar with the matter.
Ime Archibong, Facebook’s vice president of product partnerships, said in an interview Friday that the company maintained a “consistent and principled approach to how we work with developers over the course of the past 11 years.”
Mr. Archibong said there were some cases where the company worked “more closely” with individual developers to test new features or when winding down products. “But we have been extremely, I would say, persistent and objective around how we worked with developers,” he said.
Privacy experts said Facebook users likely didn’t know how their data was being shared. “I don’t think anyone would have a reasonable understanding of how widespread this was,” said David Vladeck, director of the Federal Trade Commission’s Consumer Protection Bureau from 2009 until 2013 and now a professor at Georgetown Law.
Mr. Vladeck said any deals made after 2012 could draw scrutiny about whether Facebook was in violation of its settlement that year with the FTC, under which the company is required to give the social network’s users clear and prominent notice and obtain their express consent before sharing their information beyond their privacy settings. Facebook said Friday it hasn’t violated the settlement.
The revelations come as Facebook is dealing with the fallout in March related to the use of personal data by Cambridge Analytica, a political analytics firm that aided President Donald Trump’s 2016 presidential campaign and purchased data on 87 million users from another developer. The crisis sparked questions about Facebook’s lax oversight of its platform, an FTC probe into whether the company violated the 2012 settlement and two congressional appearances by Facebook Chief Executive Mark Zuckerberg in April.
In his testimony before Congress, Mr. Zuckerberg said Facebook moved to eliminate broad access to information about users’ friends in 2014. Developers had until May 2015 to comply with the rules. The move was a harsh blow to developers, forcing a number of apps to shut down without access to the data. Others had to find workaround solutions to continue operating.
One developer, Six4Three LLC, sued Facebook in 2015, alleging that Facebook’s data policies were anticompetitive and favored certain companies over others. One court document that was originally redacted alleges that Facebook employees discussed whitelist agreements with various companies. Facebook says the Six4Three lawsuit is without merit.
On Friday, Facebook acknowledged that a subset of companies were given extensions beyond May 2015.
“As we were winding down over the year, there was a small number of companies that asked for short-term extensions, and that, we worked through with them,” Facebook’s Mr. Archibong said. “But other than that, things were shut down.”
Facebook’s relationships to outside developers have shifted over time as it made key adjustments to how it shares data.
In 2007, Facebook started allowing developers to tap its so-called social graph, including crucial information about a user’s friends. Unlike advertisers, developers didn’t have to pay for this information, giving rise to a new generation of startups built on social connections.
This arrangement also made Facebook increasingly central to its users’ daily lives, despite objections from privacy groups and some users about potential abuses of that data. By 2014, developers could access about 30 different data points about users’ friends, including places they checked into, education history and religious and political affiliation.