Last week, the New York Times and others reported that Facebook allowed hardware companies, including some in China, access to a broad range of Facebook users’ information, possibly without the users’ knowledge or consent. This included not only a given user’s personal information, but also that of their Facebook friends and friends-of-friends.
Right now, it's unclear precisely how much Facebook user data was shared through partnerships with third-party hardware manufacturers—but it is clear that Facebook has a consent problem. And the first step toward solving that problem is greater transparency about the full extent of Facebook’s data-sharing practices.
It might be tempting to think that the solution is for Facebook to cut off third-party hardware manufacturers and app developers entirely, but that would be a mistake. The solution to this latest issue is not to lock away user information. If we choose that as our aim, we risk enshrining Facebook as the sole guardian of its users’ data and leaving users with even less power to use third-party tools that they do trust to explore the data held by Facebook and hold the company accountable.
Instead, the problem is Facebook’s opacity about its data sharing practices. Facebook should have made available a list of all the third parties that might have had access to users’ data even after those users made clear they did not want their data shared. Facebook said that its agreements with device partners “strictly limited use of [user] data, including any stored on partners’ servers,” but more transparency is necessary if Facebook is to gain users’ informed consent and fulfill their right to know who has their personal data.
Understanding how this happened—and why the resolution should be transparency, not locking away data—requires a brief smartphone history lesson. About 10 years ago, app stores did not exist, and apps like Facebook were not widely available on most phones and mobile operating systems. To get Facebook on more phones, the company built “device-integrated” APIs that allowed device manufacturers to write and serve their own version of Facebook-like experiences for their users. Over the past decade, Facebook partnered with about 60 device manufacturers for this purpose—but the scope of these partnerships had not been fully reported until now.
The revelations of Facebook’s device partnerships seem to be inconsistent with reasonable interpretations of Facebook’s privacy settings and recent API changes, announcements, and even congressional testimony in the wake of Cambridge Analytica. The New York Times report also questions whether the sharing agreements violate a 2011 consent decree Facebook reached with the FTC, which required Facebook to get explicit consent before changing the way it shares users’ data.
Facebook changed its Graph API in 2015 to limit third-party developers’ access to users’ friends’ and friends-of-friends' data. But even after that change, device manufacturers—another type of third party—could still obtain data about a user’s Facebook friends and friends-of-friends, even those who had changed their settings to ostensibly prevent third-party sharing. In response to allegations that this violates the FTC consent decree, Facebook pointed out a difference in the legal consent requirements when sharing user friend data with third-party “developers” as opposed to with third-party “service providers.”
But to users, this is just a new twist on Cambridge Analytica: Facebook has shared our and our friends’ information with third parties without our knowledge or consent, and we only learn about it after the genie is already out of the bottle.
Protecting user privacy on a networked service poses a unique challenge—and Facebook has consistently failed to rise to that challenge. Much of the value of using Facebook comes from being able to see and engage with information from friends, raising the question of who must reasonably consent to what kind of sharing and to what degree. Until Facebook can navigate user expectations around meaningful, informed, ongoing consent and the transparency that requires, the company will continue to face these scandals and users’ trust in it will continue to diminish.