Dec 06, 2018 12:08 PM IST
Last week, a UK parliamentary body reprimanded Facebook for not doing anything despite knowing for a fact about the Russian involvement from 2014. British parliamentarian Damian Collins (who is also the chair of the DCMS committee) had said that he would go through the secret email cache which the UK had obtained from a US app maker (which is fighting a case against Facebook) before publishing it.
The UK parliament has finally released the cache which has over 200 pages of internal emails.
The released cache gives us an insight into the kind of internal discussions that took place in Facebook when it came to the policies concerning user data, privacy, the company’s handling of its rivals, permissions feature and much more. These documents, obtained from the app maker Six4Three, are under seal in US courts and Facebook had tried hard to dismiss these documents as a one-sided biased representation of facts.
Facebook maintained in its blog post that the set of documents only told one side of the story and that Facebook stood by the platform changes that were made in 2014/15 which prevented people from sharing friends’ data with developers. Facebook reiterated that it has never sold user data.
“The extensions we granted at that time were short-term and only used to prevent people from losing access to specific functions as developers update their apps. Pikinis (the app made by Six4Three) didn’t receive an extension, and they went to court,” said the Facebook blog post trying to show Six4Three’s email cache as a biased and untrue account of things.
Now that the documents are out, here are some of the important findings they shed light on.
Whitelisting agreements with companies
Facebook had disabled full access to data of your friends back in 2014/15, but it was observed that some companies were whitelisted and still had access to friends data. There is no clarity on which companies Facebook had drawn these whitelisting agreements with or if any user consent was sought before sharing their data.
To highlight the point, an email interaction between a dating app Badoo and Facebook’s director of developer platforms and programs, Konstantinos Papamiltiadis was presented in the report by Collins. The gist of the interaction which took place between September 2014 and January 2015 was thus: Badoo wrote to Facebook on how removing friends permissions would be detrimental to the success of its app and why friends data was important. Facebook responded that Badoo would get access to a ‘Hashed Anon All Friends API’ which would give Badoo complete access to friends data. By February 2015, Badoo was whitelisted.
Similarly, cab-hailing app Lyft, hospitality app Airbnb and video-streaming app Netflix were also whitelisted for ‘All Mutual Friends’ access.
This meant that users using Facebook logins for these apps were in effect handing over not just their data, but that of their Facebook friends as well to these companies.
Facebook Response: According to Facebook, friends’ list was different from friends’ data. Facebook said that in 2014/15 it changed its platform to prevent app developers from accessing your friends’ data. In some cases, apps could not even request your friend list unless your friend was also using that same app.
“In some situations, when necessary, we allowed developers to access a list of the users’ friends. This was not friends’ private information but a list of your friends (name and profile pic). Whitelists are also common practice when testing new features and functionality with a limited set of partners before rolling out the feature more broadly,” said Facebook.
Value of friends data was directly linked to the ad spend of the developer on Facebook
If an app developer was earning Facebook a boatload of cash, then there was a high chance of that company having access to valued friends data.
Elaborating on this aspect, the document mentions an email interaction between Facebook execs on giving the Royal Bank of Canada access to friends data provided it got into an extended API agreement with Facebook. One section of the email interaction clearly stated that apps which did not spend would have their permissions revoked.
From an email about slides prepared for a talk to DevOps at 11 am on 19 September 2013: “Key points: 1/ Find out what other apps like Refresh are out that we don’t want to share data with and figure out if they spend on NEKO. Communicate in one-go to all apps that don’t spend that those permission will be revoked. Communicate to the rest that they need to spend on NEKO $250k a year to maintain access to the data.”
Data access was subject to advertising spend on Facebook.
Facebook Response: Facebook said that its developer platform was free to use, so there was no question of charging devs. Facebook claims that the email cache cherry-picks the part about developers having to buy advertising. “We ultimately settled on a model where developers did not need to purchase advertising to access APIs and we continued to provide the developer platform for free,” said Facebook.
Facebook against competitor apps such as Vine
Facebook wasn’t very courteous to any app that was regarded as a rival and took an aggressive stance against them, in some cases denying them any access to user data which led to the failure of that app’s business.
Facebook CEO Mark Zuckerberg personally gave the green signal to go ahead with shutting down friends API access to Vine, which was owned by rival Twitter.
Here’s an email interaction between the vice president of Global Operations and Media Partnerships, Justin Osofsky and Zuckerberg pertaining to Vine.
Justin Osofsky – “Twitter launched Vine today which lets you shoot multiple short video segments to make one single, 6-second video. As part of their NUX, you can find friends via FB. Unless anyone raises objections, we will shut down their friends API access today. We’ve prepared reactive PR, and I will let Jana know our decision.”
MZ (Mark Zuckerberg) — “Yup, go for it”
We all know that Vine was eventually shut down by Twitter.
Facebook Response: Facebook said that it had decided early on that it would restrict apps that were built on top of Facebook and that replicated its core functionality. Facebook went on to say that this feature is an industry practice seen with YouTube, Twitter, Snap and Apple. But it looks like Facebook wants to change this policy.
“As part of our ongoing review, we have decided that we will remove this out-of-date policy so that our platform remains as open as possible. We think this is the right thing to do as platforms and technology develop and grow,” said Facebook.
This seemed strange, as Facebook did not have anything remotely close to Vine when it was out, unless it copied that feature and then decided to block Vine for having a similar feature.
Facebook used Onavo VPN app for spying on mobile apps usage data
Facebook-owned Onavo, which was advertised as a VPN app, was in fact used to spy on and conduct global surveys of mobile app usage by customers, and that too without their knowledge. According to Collins, this data was used by Facebook to see who had downloaded how many apps and how often they were used. This knowledge was used to acquire apps which would be a threat to Facebook.
Guess which app acquisition was a result of this global survey?
It was none other than the $19 bn worth WhatsApp.
Facebook relied so heavily on data gleaned from Onavo that it used it to compile industry update presentations showing the reach and probable trajectory of different social media apps. There are graphs showing user growth and data related to Vine, Path, messaging apps in the US and more. One graph even shows how many messages per day were sent on WhatsApp as opposed to Facebook.
Facebook Response: Facebook maintained that users were sufficiently informed beforehand on the kind of information the app collects and how it is used by Facebook. People have the option to opt out from the Settings menu, after which their data wouldn’t be used for anything other than to improve and develop Onavo products and services.
“Websites and apps have used tools like Onavo for market research services for years. We use Onavo, App Annie, comScore, and publicly available tools to help us understand the market and improve all our services,” said Facebook.
Facebook app collected call and message logs on Android devices
The Facebook app on Android collected records of the calls and texts sent by a user. Facebook even went to the extent of making it difficult for users to know that this was part of the underlying feature of the app update on Android.
In an email interaction on 4 February 2015, a Facebook executive Michael LeBeau spoke about the Facebook Growth Team going ahead with a ‘read call log’ permission on an Android update which would trigger a dialog box prompting users to accept the new update.
“This is a pretty high-risk thing to do from a PR perspective but it appears that the Growth Team will charge ahead and do it,” said LeBeau, to which he got a response that the growth team would explore options which would let the app upgrade without users getting the permissions dialog box listing the changelog.
In simple terms, this means that if I had the Facebook app on my Android device in 2015, the app update would effectively give Facebook a log of all the calls I made and SMSes I sent. And I would not be told about these app permissions changes as the permissions dialog wouldn’t show up when I was updating the app.
Facebook Response: Facebook maintains that this was an opt-in feature on its Android app where user permission was explicitly sought. It justified that this data was used to make better suggestions for people to call in Messenger and rank contact lists in Messenger and Facebook Lite.
“With this feature, we asked for permission inside the Facebook Messenger app, and this was a discussion about how our decision to launch this opt-in feature would interact with the Android operating system’s own permission screens. This was not a discussion about avoiding asking people for permission,” said Facebook.
Mark Zuckerberg’s response to email leaks
Facebook CEO Mark Zuckerberg also put out his response to the UK parliamentary committee’s release of the email stash.
“I understand there is a lot of scrutiny on how we run our systems. That’s healthy given the vast number of people who use our services around the world, and it is right that we are constantly asked to explain what we do. But it’s also important that the coverage of what we do — including the explanation of these internal documents — doesn’t misrepresent our actions or motives. This was an important change to protect our community, and it achieved its goal,” said Zuckerberg.
Collins said the emails raise important issues, particularly around the use of the data of Facebook users. “The idea of linking access to friends’ data to the financial value of the developers’ relationship with Facebook is a recurring feature of the documents,” Collins said.
Facebook’s arguments and Zuckerberg’s response seem quite weak, even with their claims of the email cache being one-sided. When you have Facebook executives and Zuckerberg himself giving a go-ahead on shutting down access to rival apps, discussions within the Facebook team about charging app developers in exchange for access to user data, Facebook cheekily trying to evade Android app update permissions, and much more, things don’t really add up. And it does not help matters when Facebook gives reactions like “we will remove this out-of-date policy so that our platform remains as open as possible,” after being called out.
In Facebook’s PR disaster notebook, this email cache published by the UK Parliamentary committee is yet another addition.