A recent article New York Times article puts Facebook’s privacy practices back in the spotlight. The article contains new revelations about data-sharing agreements between Facebook and other tech companies. These agreements gave those companies access to data about Facebook users and their friends – a fact Mark Zuckerberg conveniently forgot to mention when he recently testified before Congress.

Many privacy policies state that the company shares user data with third parties. With large companies, that often includes their “affiliates” and trusted “partners”. But the policies disclose the identity of the “affiliates” and “partners.”  Facebook’s privacy policy is no exception. It doesn’t identify a single one of its “third-party partners” by name. Even the few people who actually read the policy wouldn’t have a clue as to what companies Facebook shares their data with.

In fact, Facebook has lots of data-sharing partnerships – at least 60 of them , according to Facebook itself. Those “partners” include other large tech companies, like Apple, Amazon, BlackBerry, Microsoft and Samsung. That fact alone should be disturbing to any Facebook user concerned about their privacy. Smartphones collect lots of personal information about their users. Two of Faceboook’s partners – Apple and Samsung – are the world’s largest smartphone makers. You can now add Facebook data to the data they collect when you use your smartphone. Apple at least had the decency to tell the Times how it used the data it got from Facebook. Amazon and Samsung declined comment.

Facebook’s data-sharing agreements with its “partners” wasn’t limited to data posted by individual users. The “partners” could also obtain data about those users’ “friends”, even if they denied Facebook permission to share their data with third parties. Ashkan Sotani , the Federal Trade Commission’s former chief technologist, likened this to, “having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission.”

In 2011, Facebook entered into a consent decree with the FTC to settle a complaint filed against it by the FTC. The terms of the decree prohibit Facebook from overriding the privacy choices of its users without their express consent. Notably, Facebook may have violated the consent decree when it entered into the data-sharing agreements with its “partners”.

Predictably, Facebook disclaims non-compliance. But Sandy Parilakas, a former Facebook executive who was in charge of third-party advertising and privacy compliance, told the Times that the company was discussing its data-sharing agreements internally as early as 2012. “It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled,” said Parilakas. Jessica Rich, a former Director of the FTC’s Bureau of Consumer Protection, agrees with Parilakas. Facebook can “argue that any sharing of data with third parties is part of the Facebook experience. And this is not at all how the public interpreted their 2014 announcement that they would limit third-party app access to friend data,”, said Rich.

Facebook told the Times that the data-sharing agreements it has with its “partners” limit how they can use the data they get access to. But does the company monitor how its “partners” use the data? If the Cambridge Analytica scandal teaches us anything, the answer would be “very loosely”. And since the third party “partners” store data on their own servers, is it even possible for Facebook to effectively monitor how they use it? Perhaps more importantly, what would Facebook actually do if it discovered that one of its “partners” was using data in a way that violated its data-sharing agreements? Send them a strongly-worded letter?

Facebook’s privacy practices have been under a lot of scrutiny and criticism lately. Every bit of it’s well-earned and long overdue.

The post Facebook Gave its Third-Party Partners Access to User Data appeared first on Law Office of Robert Scarino.