SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 94: Facebook & Friends: More Privacy Concerns

Posted on June 21, 2018

Every week, we try to bring you the biggest news in the security world — or at least the most interesting developments that could affect us all. That’s why this week we’re diving into a brand-new subject we’ve never covered before… just kidding – Facebook has done it again. If it seems lately as though every week we have something new and usually concerning to discuss about the social media juggernaut, that’s because it’s the reality. Thanks to a new report in the New York Times, this week is no different – our attention is back on the troubling implications behind Facebook’s behavior.

Facebook makes a big deal about its privacy settings, encouraging users to take control over what they share with their friends. But what about giving you control over sharing your information with Facebook’s friends? As we’ve seen in recent weeks after the initial fallout of the Cambridge Analytica scandal, Facebook wasn’t quite so strict when it came to letting quiz apps access your data. Now, as it turns out, Zuckerberg and company weren’t just allowing apps on their platform to access your information. In fact, they were actively sharing user data with some major business partners, including Apple. And that’s where our discussion today begins—on our list for this week:

  • How Facebook gave your data away
  • What, and whose, data was involved?
  • Who got the data? How did they use it?
  • What does Facebook have to say?
  • The implications, legal and otherwise

Let’s start by getting a “big picture” look at how Facebook has been giving some of your data away to other companies for nearly ten years.

How Facebook gave your data away

According to a bombshell report put out by the New York Times on June 3rd, Facebook has held private “data sharing” agreements for approximately a decade with dozens of companies, from smartphone makers to TV manufacturers. Included in these agreements was privileged access to all kinds of information about millions of Facebook users, which the company handed over en masse. As of the time of the report, there were no clear indications as to the level of oversight involved despite Facebook’s vague assurances otherwise.

These pipelines of user information to major businesses existed long before Facebook apps came onto the scene. Only years after these agreements came into force would apps such as This Is Your Digital Life, designed to harvest tens of millions of data points from public profiles, begin their gathering efforts. Facebook has always insisted that apps abusing their privileges in this way were the exception and not the norm. Now, though, it appears the company has consistently played fast and loose with user data. While decrying the illicit gathering by third-party players, other third parties were receiving the same sort of information simultaneously. As yet there’s no indication any businesses paid for this information, allowing Facebook to remain truthful in claims about not selling your information.

Although some vague information about these agreements has floated around on the Internet and in tech circles for some time, the New York Times report is the first time we’ve had a glimpse at their scope. So far, we know of at least 60 companies involved, each of whom received a treasure trove of profile data direct from Facebook. Naturally, this raises fresh privacy worries — though if you’ve followed some of our recent conversations in this area, you’ll know there’s already been plenty of cause for concern. Those worries all stem from what happened with Cambridge Analytica, as well as some recent and egregious missteps. If you’d like to revisit those subjects, you can find out more about CA in Episode 81 of the Checklist and the recent mistakes in Episode 85, Facebook Follies.

Despite Facebook’s public statements about a commitment to privacy, the scope of these agreements indicates otherwise. So, what was actually happening here? After questioning by the Times reporters, Facebook says that they began these data-sharing partnerships to empower device makers to provide a tailored “Facebook experience” to users. In other words, they were aiming to provide some method of streamlining integration on everything from iPhones to Xboxes.

To share this information, Facebook created a series of private APIs that allowed these manufacturers to request and receive the information involved. These were different from the API that Cambridge Analytica and other data-harvesting app makers have used to ensnare your public information. Those used publicly available APIs, which Facebook shares with developers so they can exercise control over the access and prevent abuse. At least, that’s the basic idea. However, these other APIs were essentially a private back channel from the developers that transmitted information away from the Facebook platform.

It wasn’t just your information these companies got, either — as we’ve seen before, it was all too easy for friends of friends to get roped in, too. What manufacturers received wasn’t limited to the user who logged in on one of their devices. Even if you made an effort to lock down your privacy settings as much as possible, these third-party companies were still able to find out some of the info available on your profile. Facebook now says they’re terminating these arrangements. Some have already ended. However, many more are still ongoing, spreading around user information on many different devices.

What, and whose, data was involved?

Before we take a deeper look at who was using this information and how they were doing it, we should answer probably the biggest question you might have: what was shared? How common was this? From what we know, there’s a good chance many people have been affected by these practices. If you’ve ever used Facebook or any Facebook-linked service on a mobile device, then at some point the manufacturer probably had access to handle some data from your Facebook account.

The New York Times conducted tests to determine what was going to these companies and how often. By using a BlackBerry device, they were able to uncover more than 50 different types of personal information that Facebook sent to the device. It occurred primarily when using non-Facebook apps, in this case BlackBerry Hub, which relies on some form of integration with the site to work. Some of the profile data that we know was sent to devices includes:

  • Relationship status
  • Political leanings
  • Religion
  • Personal email
  • Phone number
  • Geographic location
  • Upcoming events on a user’s calendar
  • Private messages (for displaying notifications)

Testing determined that this info was all passed to devices using pretty much the same methods that Facebook apps such as Cambridge Analytica’s used to gather data. In other words, though Facebook may have differentiated between the two by way of different APIs, in reality, there was no real difference in the way the information was handled between the two applications. Remember, too, that all this occurred during and after very public pushes by Facebook to limit app access to information — more on that later.

Much in the same way that CA was able to harvest tens of millions of public profiles by leaping from user to user, device manufacturers were able to do the same thing with their private API. For whatever reason, your data isn’t safe from harvesting through a friend’s access to an app even if you’ve denied permission to share your data with third parties. If your friend uses a Facebook-integrated app, for example, and it grabs his or her friends list, it could end up grabbing some of your data, too.

BlackBerry Hub, the app used by the New York Times for testing, acts as an aggregator for all your device communications. It gathers all your emails, texts, and notifications into one place to streamline your communications management and to enable faster responses. When the Times reporter logged into the app using his Facebook account, he did so while using special software tools to analyze and investigate the data traffic. The results they uncovered were a shock.

After the initial connection, Hub grabbed detailed data, like that listed above, on 556 people — that’s the entire friends list on the reporter’s account. From these people, the app continued harvesting information from friends of friends, including the unique ID numbers for those accounts. By the time it finished, Hub had scraped data for nearly 300,000 people — 294,258 to be exact! How could any app possibly need that much data to provide something as basic as message integration? From one login, people several degrees removed ended up caught up in this sharing bonanza. So which device makers got to enjoy the privilege of snaking such long tendrils into the social network?

Who got the data? How did they use it?

As mentioned above, there were at least 60 companies the New York Times identified that had access to these private APIs for varying lengths of time. While the report did not list all the companies, there were some big names mixed in among those who did get a mention: Apple, Samsung, Microsoft, BlackBerry, and Amazon all took advantage of these data streams to offer a customized “experience” on their apps. Later, Facebook admitted that it was also sharing information with some Chinese companies, including Huawei, a company under suspicion of maintaining close ties with the Chinese government.

Apple was quick to release a statement about their usage of this data. The company said they used it to enable basic iPhone features, such as the ability to post photos without opening the Facebook app. Other integration features, like displaying messages, also relied on this data stream. However, Apple added that their access ended in September of 2017 and they no longer receive any of the data. Of the companies involved, so far Apple has been one of the few to make any public statements.

Neither Samsung nor Amazon had a comment for the NYT, and Microsoft didn’t opt to share much about how they used this information either. Facebook itself says it was to enable viewing messages, including “Like” buttons on content outside of Facebook, and other low-level functions. That still doesn’t explain the need to fetch data for 300,000 users, though. More troubling: some of these companies were even allowed to store this information on their own servers.

Facebook says that any such arrangement that allowed the temporary storage of this info would have been subject to a strict set of rules. How much of a guarantee that was against misuse, of course, we can’t know for certain. As we’ve seen from other recent stories, Facebook hasn’t enforced many of their prior agreements very vigorously — at least until after they’ve been caught sleeping on the job. Either way, it means users had their Facebook information leave their control without any real permission.

What does Facebook have to say?

As you can imagine, the Times story caused an immediate furor not only in tech circles but in the mainstream media, too. So, what did Facebook have to say in response to all these new developments? Did they have a good explanation for sharing so much without clearly telling users? If you’ve started to develop a sense of the pattern at play with Facebook, you can probably make a good guess at the answer.

Facebook sees nothing wrong with the practice, and in their initial response to the story, they’ve been vigorously defending themselves by claiming the entire process was above board. However, it’s obvious that is not exactly the case, especially when viewed in the context of previous actions the company took. Consider that after the Cambridge Analytica scandal erupted, Facebook pointed out that they had already solved the problem. They said they curtailed access to data through the methods used by CA in 2015, the year after data harvesting efforts began. However, though apps might have their access restricted, Facebook never changed the rules for device manufacturers. Sharing continues even today.

How could Facebook justify continuing to share info after cutting off access to “outsiders” and pledging that your information wouldn’t end up in their hands? Simple: Facebook says that companies like Apple and Samsung aren’t outsiders at all. Instead, they view them as a part of the Facebook “family” and essential to delivering the “experience” of using the social network. In other words, they treated multi-billion-dollar multinational companies as an extension of their own service. By simply arguing semantics, they claim it’s OK to share the information since it never leaves Facebook’s world. Sharing your friends list with Microsoft is totally the same thing as sharing the same info internally, right?

Facebook says they always maintained strict controls over the data given to third-party businesses. How could they encourage grabbing so much information, then? Why would they violate the privacy settings of users who have no clear connection to the initial app users? These are questions Facebook has yet to answer satisfactorily. In fact, up until the publication of the story, they had been very tight-lipped on the existence of such arrangements at all. The only clear mention was in recent documents submitted to German regulators. However, they named only BlackBerry as a partner and did not disclose details on the way the system worked in any form.

Even some people inside FB saw a problem with the practice. Former engineers said that when the arrangements began, many raised the red flag of concern. Seeing it as a violation of the privacy pact made with users, these engineers believed it was both an abuse of privacy and of the widely held expectation that Facebook would not share your information if you said “no.” When told that the practice had never ended, many expressed surprise that nothing had changed in the intervening years.

The implications, legal and otherwise

Will there be consequences? It’s hard to say. With scandal after scandal, the long-term impact on the company is hard to gauge, though its image has taken a beating in recent months. Even as some report that younger users have left the platform for other apps, Facebook’s user numbers continue to be extremely strong. However, though it remains to be seen whether the market decides to punish Facebook for its missteps, the government might not opt to wait and see what happens.

In his testimony to Congress, Zuckerberg said: “Every piece of content that you share on Facebook you own. You have complete control over who sees it and how you share it.” How true is that statement now that we know that you couldn’t control which device makers pulled data from your friends list? Some politicians have already begun calling for fresh investigations into Facebook based on the NYT story. Could we see more testimony or even subpoenas? We don’t know yet, but we do know that when Congress is finished with Facebook, the Federal Trade Commission wants to have a word with them, too.

Since 2011, Facebook has been working under what’s known as a “consent decree” from the FTC governing the way it can handle user data. In the 2011 decision, the FTC announced that Facebook could not override a user’s privacy settings to share information with outside parties without obtaining the explicit permission of the user. The situation back then was much the same: the decision came after complaints were brought that FB allowed apps to access the information of a user’s friends even when they’d said no in settings.

This decision is the reason why Facebook has bent reality to claim that “service providers” like Amazon, Apple, and others aren’t actually “outsiders” according to the FTC’s decision. Former investigators with the FTC interviewed about the issue disagree and believe that Facebook has violated the consent decree to do an end-run around the new rules.

Despite their insistence that this was a legal practice, Facebook says that they already began to shut down these agreements in April, after the news about Cambridge Analytica, and that they have since shut down 22 separate data-sharing arrangements. Others continue to operate in secret, though, and questions continue about the ethical implications — plus concerns about whether any of this data was accessed improperly.

What can you, as a user, do about this situation? Unfortunately, the answer is “not a lot” in this scenario, especially if you choose to continue using Facebook. You can try to avoid apps that integrate with Facebook on mobile devices and hope that the company speedily ends the remainder of its agreements, but it increasingly seems like there’s little way to avoid sharing your info if you use the service at all. The constant missteps that lead to user info ending up in all kinds of places are beyond concerning today. Want to say, “enough is enough” and walk away from the platform? Be sure to check out Checklist 81 where we talked about how to do that.

As this story continues to develop, it seems a certainty that we’ll return to it eventually. More information is coming out all the time, and further details about these arrangements may yet emerge. It remains to be seen how the company could begin to make amends considering the waning faith in their privacy tools and practices. For now, that’s everything we have for you on the subject in this week’s discussion.
