Facebook gave Spotify and Netflix access to users’ private messages


Partnerships with tech giants went way further than previously disclosed, says new report

Illustration by Alex Castro / The Verge

What to make of the New York Times’ latest story about Facebook’s broad data-sharing agreements? The story, which draws on internal documents describing the company’s partnerships, reports on previously undisclosed aspects of business partnerships with companies including Apple, Amazon, Microsoft, Spotify, and Netflix. In some cases, companies had access to data years after it was supposed to have been cut off.

Here’s how the story is framed by reporters Gabriel J.X. Dance, Michael LaForgia, and Nicholas Confessore:

The documents, as well as interviews with about 50 former employees of Facebook and its corporate partners, reveal that Facebook allowed certain companies access to data despite those protections. They also raise questions about whether Facebook ran afoul of a 2011 consent agreement with the Federal Trade Commission that barred the social network from sharing user data without explicit permission.

In all, the deals described in the documents benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year.

The story, which builds on reporting earlier this year from both the Times and the Wall Street Journal, describes a variety of data-sharing partnerships, some of which users were likely unaware of. They include:

  • Giving Apple access to users’ Facebook contacts and calendar entries, even if they had disabled data sharing, as part of a partnership that still exists. Apple told the Times it was unaware that it had special access, and that the data described would never leave the user’s device.
  • Giving Amazon the names and contact information of users, in a partnership that is currently being wound down. Amazon wouldn’t discuss how it used the data other than to say it had used it “appropriately.” On Twitter, Gizmodo’s Kashmir Hill speculated that Amazon may have used the data to fight review fraud.
  • Giving Bing, the Microsoft search engine, access to see names and other profile information of a user’s friends. Microsoft said it has since deleted the data. Facebook says that only user data set to “public” was accessible to Microsoft.
  • Giving Spotify, Netflix, and the Royal Bank of Canada the ability to read users’ private Facebook messages.

The access described in the Times story falls into three types of Facebook partnerships. The first are what Facebook calls “integrations,” and they refer to custom-built apps that Facebook built for OEMs like BlackBerry. Because they were integrated with phone operating systems, they required a broad exchange of data with OEMs. They’ve gotten a lot of attention this year, but I think most users would reasonably assume that their personal data was being exchanged with the phone manufacturer in those cases.

The second type of partnership, which is represented by the Bing deal, was part of a now-defunct program called “instant personalization.” This feature, which launched in 2010, opted every Facebook user in by default. It allowed all of its partners to personalize their own services using whatever Facebook knew about you and was willing to share. Yelp, for example, would show visitors which of their Facebook friends used the site when they visited.

The program drew significant criticism when it launched, and it was eventually killed off in 2014. But according to the Times, Bing continued to have access to the data through 2017, and two other companies still had access this summer. On one hand, this was all public data — friends’ names, hometowns, and anything else they marked public. On the other hand, Facebook’s failure to shut down data access here is reminiscent of the failure that sparked the Cambridge Analytica data privacy scandal: a company that said it had deleted a bunch of user data turned out to have instead used it in an attempt to influence the 2016 presidential election.

The final type of partnership consists of essentially one-off deals that Facebook made over the years. The scariest-sounding of them all was a deal Facebook made with companies including Spotify, Netflix, and the Royal Bank of Canada in which partners were granted read and write access to users’ Facebook messages. This was the result of a broadly written API, launched in 2010 as part of an early (pre-Messenger) effort to build a messaging platform. In Spotify’s case, for example, the company plugged into your chat window to send songs to your friends. It seems possible that a rogue employee made mischief in someone’s messages, but the Times story doesn’t include any examples.

There are other worrisome details in the Times story, including reports that Yahoo and the Russian search company Yandex both retained access to user data years after it was supposed to have been cut off. Collectively, they speak to an indifference toward data security that flies in the face of recent Facebook pronouncements on the subject — most notably, chief marketing officer Carolyn Everson’s statement last week that privacy “is the foundation of our company.” Everson made her comments on the same day that Facebook opened a pop-up kiosk in New York City’s Bryant Park where users could ask questions about how their data is used on the platform.

Presumably, they would have had more questions to ask if they had access to the list of 150 companies that had been making data partnerships with Facebook over the past decade.

In response to the Times’ report, the company acknowledged it had more work to do to regain user trust. It also highlighted some of the benefits of data sharing, including the ability to create more personalized experiences on other sites and services.

“Facebook’s partners don’t get to ignore people’s privacy settings, and it’s wrong to suggest that they do,” said Steve Satterfield, director of privacy and public policy at Facebook, in an email. “Over the years, we’ve partnered with other companies so people can use Facebook on devices and platforms that we don’t support ourselves. Unlike a game, streaming music service, or other third-party app, which offer experiences that are independent of Facebook, these partners can only offer specific Facebook features and are unable to use information for independent purposes.”

The company also published a blog post responding to the story in further detail.

Netflix told The Verge:

“Over the years we have tried various ways to make Netflix more social. One example of this was a feature we launched in 2014 that enabled members to recommend TV shows and movies to their Facebook friends via Messenger or Netflix. It was never that popular so we shut the feature down in 2015. At no time did we access people’s private messages on Facebook, or ask for the ability to do so.”

I find it helpful to read the allegations in the Times’ story chronologically, starting with the integration deals, continuing with the one-off agreements, and ending with instant personalization. Do so and you read a story of a company that, after some early success growing its user base by making broad data-sharing agreements with one set of companies (OEMs), grew more confident and proceeded to give away more and more, often with few disclosures to users. By the time “instant personalization” arrived, it was widely panned, and it never met Facebook’s hopes for it. Shortly after it was wound down, Facebook would take action against Cambridge Analytica, and once again began placing meaningful limitations on its API.

Then basically nothing happened for three years!

Whatever is happening, it’s happening ... now. It has been only two months since the largest data breach in Facebook’s history. It has been only five days since the last time Facebook announced a significant data leak. It has been only two days since I said I would be taking the rest of the year off of writing this newsletter.

It has only been a few hours since Cher announced she was quitting.

Here are two last things to chew over as we think about this story in the coming days. One, it’s now clear that a data partnership with Facebook can create reputational risks for the companies making the deals. Every company named in the report will be held to account for the Times’ findings, and they better have good and thorough answers when shareholders, lawmakers, and reporters start asking.

Two, it’s amazing how much oxygen we all have given to the false notion that Facebook sells your data — when the real story was the data they were giving away.

Update December 19th, 2:52AM ET: This article has been updated to include comment from Netflix and a blog post from Facebook.