
Emails Expose Sensitive Internal Facebook Discussions

Material Gives Insight Into Company's Views on Data Security
Facebook's headquarters in Menlo Park, California (Photo: Facebook)

A batch of documents meant to be kept under court seal lays bare Facebook's strategic brokering of access to user data to reward partners and punish potential rivals.


The documents also show that Facebook considered charging developers for access to user data and reveal plans to collect call logs on Android without asking users for permission.

U.K. lawmaker Damien Collins, a Conservative member of Parliament, on Wednesday released the tranche of emails and documents, which involve discussions among top Facebook executives between 2012 and 2015. The documents were filed under court seal in the U.S. as part of a lawsuit filed against Facebook by Six4Three LLC, a now-defunct app developer (see: UK Parliament Seizes Internal Facebook Privacy Documents).

Collins, who is chair of the Digital, Culture, Media and Sport select committee in the House of Commons, obtained the material from Six4Three's founder through a rarely invoked parliamentary privilege.

"We need a more public debate about the rights of social media users and the smaller businesses who are required to work with the tech giants," Collins tweeted on Wednesday. "I hope that our committee investigation can stand up for them."

The materials show internal deliberations within Facebook as it sought to adapt to greater use of Facebook on mobile devices rather than on desktop computers, a shift that threatened the company's revenue model. Many of those deliberations have privacy implications, but that aspect appears to have largely stayed in the shadows compared with Facebook's drive for revenue.

In response to the release of the documents, CEO Mark Zuckerberg writes in a post that the documents were only part of the company's discussions on how to evolve its platform and that coverage shouldn't "misrepresent our actions or motives."

But the material doesn't paint a favorable picture for a company that's still reeling from the Cambridge Analytica scandal, a recent data breach and a slow reaction to Russian manipulation preceding the 2016 U.S. presidential election.

Favorite Developers

Prior to 2015, Facebook allowed app developers to collect not only information for direct users of their app, but also data for those users' friends. That policy is what allowed a modest personality quiz to collect data on up to 87 million people that was later passed to Cambridge Analytica.

Facebook material released by U.K. lawmaker Damien Collins

After it detected this kind of abuse by other app developers, Facebook changed its rules for access to friends' data. But it continued to allow some companies access to that information, including the dating app Badoo, Netflix, Lyft and Airbnb. That's the crux of the lawsuit filed against Facebook by Six4Three LLC, which alleges Facebook hurt its business because it was excluded.

In a summary describing the key issues within the documents, Collins writes: "It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not."

User Data: Ten Cents a Year

One of Facebook's consistent talking points has been that it doesn't sell users' data. Instead, Facebook gives it away. But in late 2012, Facebook was kicking around the idea of charging developers for user data.

In October that year, Zuckerberg wrote in an email of an idea to charge developers for access to user data or nudge them toward using Facebook's payments or ad products. Zuckerberg wrote that the cost for a user's data could be "perhaps on the order of $0.10/user each year."

After concerns were raised, Zuckerberg wrote in an email later that month to Facebook executive Sam Lessin: "I'm generally sceptical [sic] that there is as much data leak strategic risk as you think. I agree there is clear risk on the advertiser side, but I haven't figured out how that connects to the rest of the platform. I think we leak info to developers, but I just can't think of any instances where that data has leaked from developer to developer and caused a real issue for us. Do you have examples of this?"

Just a few years later, there would be an example: Cambridge Analytica. The developer of a personality quiz app, Cambridge psychology professor Aleksandr Kogan, later passed data collected by his app to that research firm with political connections.

The personality quiz collected data from not only direct users of the app, but also those users' friends. Cambridge Analytica, which no longer exists, worked for clients on the Brexit campaign as well as for the campaign of President Donald Trump (see: Facebook and Cambridge Analytica: Data Scandal Intensifies).

Android Trickery

Other emails within the tranche show that Facebook, in a desire to collect more user data, discussed how to gain access to call logs on Android phones without alerting users.

In early 2015, an email exchange shows that Facebook's product team figured out during testing that its app could read call logs without triggering an alert. Android displays an alert when an app is asking for new permissions, such as access to certain kinds of data.

Excerpts of emails describing Facebook's plans to collect call logs on Android

Facebook's testing showed that users would have to click to upgrade their app, but there would be no alert that shows the company was now reading call logs.
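The passage above turns on a single gap: a user clicks to update an app and receives no indication that the update has started reading call logs. A defender-side check that does not depend on the platform prompting the user is to compare the permissions an app declares in its AndroidManifest.xml across versions and flag any newly declared permission that reaches call or messaging history. The following Python script is an added example, not code from the article or from Facebook; the two manifest snippets and the package name com.example.socialapp are constructed for illustration, while the permission names are the real Android permission identifiers.

```python
"""Diff the <uses-permission> declarations of two AndroidManifest.xml
versions and flag newly requested permissions that expose call or
messaging history.

Added example; the manifests below are constructed, not taken from any
real app. Only the Android permission names are real identifiers.
"""
import xml.etree.ElementTree as ET

# Namespace used for the android: attribute prefix in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant access to call and messaging history. An update
# that begins declaring any of these deserves an explicit review.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed manifest of the version the user already has installed.
OLD_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.socialapp" android:versionCode="41">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed manifest of the update: it quietly adds call-log and SMS
# access alongside a harmless network-state permission.
NEW_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.socialapp" android:versionCode="42">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        # The attribute is namespaced: android:name -> {ANDROID_NS}name
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def version_code(manifest_xml):
    """Return the android:versionCode of the manifest, or None if absent."""
    root = ET.fromstring(manifest_xml)
    return root.get("{%s}versionCode" % ANDROID_NS)


def permission_diff(old_xml, new_xml):
    """Return sorted lists of permissions added and removed by the update."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def flag_sensitive_additions(old_xml, new_xml):
    """Return newly declared permissions that touch call or message data."""
    diff = permission_diff(old_xml, new_xml)
    return sorted(p for p in diff["added"] if p in SENSITIVE_PERMISSIONS)


if __name__ == "__main__":
    diff = permission_diff(OLD_MANIFEST, NEW_MANIFEST)
    print("update %s -> %s" % (version_code(OLD_MANIFEST),
                               version_code(NEW_MANIFEST)))
    print("added:  ", diff["added"])
    print("removed:", diff["removed"])
    for perm in flag_sensitive_additions(OLD_MANIFEST, NEW_MANIFEST):
        print("REVIEW: update newly requests", perm)
```

On a real device the manifest is inside the APK (decode it with a tool such as apktool or aapt before running the diff); the point of the check is that the comparison is made by the reviewer on the declared permissions, so an expansion into call-log or SMS access is surfaced whether or not the platform happens to show a prompt at upgrade time.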

Michael LeBeau, a Facebook product manager, wrote: "This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."

In his analysis, Collins writes: "Facebook knew that the changes to its policies on the Android mobile phone system, which enabled the Facebook app to collect a record of calls and texts sent by the user, would be controversial. To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features of the upgrade of their app."

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
