Did Facebook Give Your Data to Apple and Samsung? Probably Not

Facebook gave makers of devices such as smartphones, feature phones and tablets access to users' personal data in partnerships dating back to 2007, the New York Times reported yesterday (June 3). The partnerships, which included Apple, Amazon, BlackBerry, Microsoft and Samsung, may have violated a 2011 consent decree that the Federal Trade Commission imposed on Facebook, the Times said.

Facebook running on a Nokia C6, a sophisticated feature phone from 2010. Credit: Nokia

(Image credit: Facebook running on a Nokia C6, a sophisticated feature phone from 2010. Credit: Nokia)

Facebook quickly rebutted the Times' story in an official blog posting yesterday, stating that such device-specific access was necessary a decade ago when feature phones dominated the market and smartphones had just become available.

The Times story promises a lot, but upon closer examination, it doesn't amount to much. Facebook's explanation that it had to work closely with device makers when feature phones were the norm makes sense, and the Times story doesn't do anything to counter it. And it's pretty clear that people who use the Facebook smartphone app don't need to worry -- about this, at least.

MORE: How to Stop Facebook from Sharing Your Data

Facebook admitted, however, that it had not begun to end the partnerships until after the Cambridge Analytica scandal was unearthed by the Guardian and the Times in March.

Each brand of device maker needed its own private API, or application-program interface, "to recreate Facebook-like experiences for their individual devices or operating systems," Facebook Vice President of Product Partnerships Ime Archibong wrote in the blog posting.

"Our partnership and engineering teams approved the Facebook experiences these companies built," Archibong wrote. "Contrary to claims by the New York Times, friends' information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies."

The partnerships with device makers were formed "over the last decade," and the device-application developers could "obtain data about a user's Facebook friends," the Times says. Read further, and it becomes clear that these partnership agreements were formed about 10 years ago in a very different mobile-phone industry.

There's a lot of background on Facebook's handling of the Cambridge Analytica scandal, and there are predictable comments from Facebook's most frequent critics. The story also says that Facebook admitted that "some partners did store users' data — including friends' data — on their own servers," but that the data "was governed by strict agreements between the companies."

The Facebook road sign at the company's main campus decorate for Gay Pride Week 2015. Credit: Facebook

(Image credit: The Facebook road sign at the company's main campus decorate for Gay Pride Week 2015. Credit: Facebook)

Apple told the Times that its own private access to Facebook's servers was to let iOS users post photos on Facebook without using the Facebook app, and that the function was deprecated in September 2017. Microsoft said that its partnership let users "add contacts and friends and receive notifications."

BlackBerry said its private API let Facebook users access their own friend networks and messages. Amazon and Samsung refused to comment. There's no evidence that anyone at any of these companies abused their access to Facebook user data.

The Times points out that the 2011 consent decree with the FTC barred Facebook from sharing data about users' friends with third parties. Facebook told the Times that the partnerships did not violate the consent decree.

What really may have happened here

To put this in plain English, what Facebook did, according to both the Times story and the Facebook blog posting, was to let mobile-phone and tablet makers build their own Facebook apps at a time when few people had smartphones, and even smartphones were dependent on what their makers included.

This, of course, did let device makers access Facebook data. It wouldn't have worked any other way. Facebook worked with these companies to make it possible for "dumb" feature phones with limited flexibility, and smartphones before app stores were available, to reach Facebook's databases and give users of those devices access to their Facebook accounts. Facebook couldn't develop its own mobile apps for these devices because there would have been no way to get them onto the phones.

Facebook on a Nokia C3, also from 2010. Credit: Nokia

(Image credit: Facebook on a Nokia C3, also from 2010. Credit: Nokia)

It may seem like a long time ago, but the iOS and Android app stores debuted in the second half of 2008, about a year after the iPhone hit the market. Before that, Apple dictated what was on iPhones. Feature phones continued to outsell smartphones in North America for several more years, and feature phones still dominate the markets in India and Africa, which have tens of millions of Facebook users.

"Over the last decade, around 60 companies have used" these "device-integrated APIs," Facebook's Archibong wrote in his blog posting. "These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences."

A tepid demonstration using old software

The Times did manage to demonstrate how a private API could grant a phone maker access to Facebook users, showing that a custom smartphone app could get the "relationship status, religious and political leanings" of more than 500 of a user's Facebook friends, and get "unique identifiers" on nearly 300,000 friends of those friends.

The device the newspaper used to demonstrate this was a 2013 BlackBerry Z10 running the BlackBerry 10 OS, which succeeded the "classic" BlackBerry OS and was used on 10 devices until BlackBerry switched over to Android in 2015. The implication is that the Times couldn't get the rogue API to work on any more recent device, whether a smartphone or a feature phone.

The Times said the Facebook messages and data were routed to a BlackBerry app called the Hub, which was designed to aggregate and centralize instant messages, emails, text messages and notifications from many sources, including social-networking services. (Palm's webOS had a similar feature in 2009.)

In other words, the Hub was doing exactly what it was meant to do, and Facebook gave BlackBerry a private API so that it could function as designed.

The Times huffs that the Hub's access to Facebook data contradicts a 2015 Facebook policy that third-party apps can get only the names of a user's Facebook friends. But that policy went into effect two years after the Hub was developed, around the same time BlackBerry said it would abandon development of its own OS and switch to Android.

So should you be worried that phone makers have access to your Facebook data? Not really. Again, there's no evidence that any of this data has ever been exploited or abused. And while some of the decade-old agreements may still be in effect, they're not as useful nowadays when Facebook directly creates and controls the apps that go onto your smartphone.

It's Facebook that you should be worried about abusing your personal data — not Amazon, Apple, Microsoft or Samsung. But no one's forcing you to use Facebook.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.