Facebook has admitted that it allowed external companies, namely Spotify and Netflix, to access millions of people’s private messages.
Responding to a bombshell New York Times report on how Facebook shares user data with partners, the company acknowledged it had given third-party companies extensive access to messages.
It said this was so people could log into services like Spotify with their Facebook account, and then send messages through the Spotify app.
The company wrote in a blog post:
“Did partners get access to messages? Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.”
According to internal Facebook documents seen by the Times, Spotify could see the messages of more than 70 million Facebook users a month. The Times reported that Spotify, Netflix, and the Royal Bank of Canada could read, write, and even delete people’s messages.
Importantly, both Spotify and Netflix said they were unaware they had this kind of broad access. Facebook told the New York Times it found no evidence of abuse.
It isn’t necessarily surprising or even wrong that Facebook would have deep integrations with third-party partners, as the company’s former privacy chief Alex Stamos pointed out. That can signal a healthy, interoperable ecosystem.
“I’m sorry, but allowing for 3rd party clients is the kind of pro-competition move we want to see from dominant platforms. For [example], making Gmail only accessible to Android and the Gmail app would be horrible. For the NY Times to try to scandalize this kind of integration is wrong,” Stamos wrote on Wednesday.
What is more troubling is any sense that Facebook gave third parties deep access to user data without properly informing users and gaining permission. Most people tend to assume that their private messages on social media will stay private.
Former FTC officials told the New York Times that Facebook’s data-sharing agreements probably violated regulatory requirements.
For Facebook, this is the latest in a steady drip of privacy scandals. It is still struggling with the fallout from the Cambridge Analytica scandal in March, and is currently fighting regulatory fines. It has disclosed multiple breaches over the past few months, including a significant hack, disclosed in September, that affected up to 50 million users.