Facebook neglected to properly monitor multiple device makers that were allowed to access Facebook users’ personal data, the company recently admitted to U.S. lawmakers.
The New York Times reports that a previously unreported disclosure Facebook sent to Congress last month revealed that in early 2013, the social-media behemoth engaged in partnerships with seven device manufacturers that allowed those companies to give their users Facebook access on their phones. Some of those agreements began in at least 2010. Facebook gave those companies access to user data under a 2011 FTC consent decree in which Facebook agreed to only give third parties access to user data necessary for the apps to work.
PricewaterhouseCoopers (PwC) oversaw the FTC-required privacy probe of Facebook’s partnerships with Microsoft and BlackBerry-maker Research in Motion in 2013 and observed “limited evidence” of Facebook making sure the partners had adhered to Facebook’s data-use guidelines.
After that oversight was revealed by PwC, Facebook did not alert its users, many of whom had not given Facebook explicit permission to share their data with these third parties.
This information was revealed in a letter Facebook sent last month to Oregon Senator Ron Wyden, who shared it with the Times. “Facebook claimed that its data-sharing partnerships with smartphone manufacturers were on the up and up,” Mr. Wyden said to the Times. “But Facebook’s own, handpicked auditors said the company wasn’t monitoring what smartphone manufacturers did with Americans’ personal information, or making sure these manufacturers were following Facebook’s own policies.”
The Times reports that, in the years following the PwC survey, Facebook engaged in dozens of similar data-sharing collaborations. But the company has since pulled away from them in the wake of the Cambridge Analytica scandal, which revolved around revelations that the data of roughly 87 million Facebook users was improperly shared with the political firm hired by the Donald Trump presidential campaign.
One of Wyden’s aides who was familiar with the disclosure told the Times that there was no evidence in the documents that Facebook had ever resolved the privacy issue that PwC found in 2013.
Responding to Gizmodo’s request for comment, a Facebook spokesperson said: “We take the FTC consent order incredibly seriously and have for years submitted to extensive assessments of our systems. PwC’s assessment process included an assessment of controls related to Facebook’s device integration partners. We remain strongly committed to the consent order and to protecting people’s information.”
Wyden also told the Times: “It’s not good enough to just take the word of Facebook—or any major corporation—that they’re safeguarding our personal information.”