- Facebook is battling with more questions about how it uses and shares people’s data after a jaw-dropping New York Times story.
- The Times said firms like Netflix and Spotify had the ability to read, write, and delete people’s private Messenger messages. Facebook later acknowledged this was the case.
- But Facebook said this was because of a legitimate integration and was no longer live and that people knew about it at the time.
- Facebook’s new headache is that people are conflating serious, genuine data breaches with what could have been the legitimate opening of its platform.
- That’s a big problem for a company trying to lift itself out of a cycle of terrible PR.
The New York Times broke a story this week that, without giving much technical detail, indicated Facebook had allowed companies including Netflix, Spotify, and the Royal Bank of Canada the ability to read, write, and delete your private messages.
There’s evidence to suggest that Facebook users don’t really care that the social network slurps up huge amounts of their information to inform targeted ads. But a lot of people care that their private messages stay private and, naturally, the Times story created an uproar.
Brian Schatz, a Democratic senator, called for a new federal privacy law in the US, saying: “The silence from Facebook is deafening. The New York Times has a story that says that PRIVATE MESSAGES were accessible to a bank in Canada and Netflix? I’m trying to be measured and precise with my words here. But I’m a customer as well as a Senator and I’m angry in both roles.”
The silence from Facebook is deafening. The New York Times has a story that says that PRIVATE MESSAGES were accessible to a bank in Canada and Netflix? I’m trying to be measured and precise with my words here. But I’m a customer as well as a Senator and I’m angry in both roles.
— Brian Schatz (@brianschatz) December 19, 2018
There are myriad reasons to mistrust Facebook, but is this a breach of trust on the scale of the Cambridge Analytica scandal? (A quick reminder: That fiasco essentially highlighted how sloppy Facebook was in policing how sketchy third-party apps sucked up and misused millions of people’s personal data, and it was extremely bad.)
The information we now have suggests it’s not a scandal on the same level. It isn’t even any kind of breach. At worst, it’s a kind of dawning of hindsight that maybe we should have paid closer to attention to the permissions we granted Facebook and partners like Netflix years ago.
Facebook’s defence against The Times is that it did have some messaging API integrations with Netflix, Spotify, the RBC, and, it disclosed, Dropbox. This was designed so people could send song and film recommendations and files to each other, and it was available only if people used Facebook to log in to these external services. As for Netflix and Spotify actually reading your messages, it isn’t quite so terrifying, at least as Facebook couches it:
“In order for you to write a message to a Facebook friend from within Spotify, for instance, we needed to give Spotify “write access.” For you to be able to read messages back, we needed Spotify to have ‘read access.’ ‘Delete access’ meant that if you deleted a message from within Spotify, it would also delete from Facebook. No third party was reading your private messages, or writing messages to your friends without your permission. Many news stories imply we were shipping over private messages to partners, which is not correct.”
The word “access,” meant in a technical sense, is important here. Alex Stamos, Facebook’s former privacy chief, told Ars Technica that this didn’t mean unfettered access. We are not talking about engineers at Spotify nosing into people’s Facebook Messenger messages exposed via the music platform.
“I think The Times’ section on Messenger will come to be seen as intentionally misleading,” he told Ars Technica. He added that users “explicitly activated” Messenger integration with Spotify, suggesting that people mostly knew what they were doing.
Stamos did say Facebook ought to give more detail about how these different types of integrations worked and, specifically, how it asked for users’ permission. It is clear that people’s attitudes are changing toward how much information they’re willing to share, but it’s a major problem that they also can’t seem to tell the difference between serious data breaches and what looks like legitimate sharing of information with partners.
That’s not a good outcome for a company trying to lift itself out of a cycle of terrible PR.
Ultimately, Facebook has only itself to blame. People no longer trust the firm’s public explanations of how and why it uses data, thanks to its poor record on transparency, its hunger for people’s personal information, and bad early decisions not to police its platform properly.
This won’t be the last explanatory blog Facebook will have to write.
Business Insider Emails & Alerts
Site highlights each day to your inbox.