This weekend, news broke in the New York Times that Facebook’s habit of giving extensive user data to third parties extended to “at least 60 device makers” who were granted access to private Facebook APIs over the past decade. The social media giant has been trying to quash the story by insisting developers were only allowed to use the data to provide “the Facebook experience” before the market dominance of Android and Apple made it less necessary for manufacturers to build in custom functionality, but a new development may have just made it a lot harder to sweep under the rug.
Now, the Times reported on Tuesday, it turns out the list of device makers included four Chinese companies: Lenovo, Oppo, TCL, and Huawei, the last of which has been flagged by US intelligence officials as a potential national security threat:
The deals gave Facebook an early foothold in the mobile market starting in 2007, before stand-alone Facebook apps worked well on phones, and allowed device makers to offer some Facebook features, such as address books, “like” buttons and status updates.
Facebook officials said the agreements with the Chinese companies allowed them access similar to what was offered to BlackBerry, which could retrieve detailed information on both device users and all of their friends—including work and education history, relationship status and likes.
Facebook officials said that the data shared with Huawei stayed on its phone, not the company’s servers.
Virginia Sen. Mark Warner, a Democrat, told the paper that congressional investigators had publicly floated concerns about the “close relationships between the Chinese Communist Party and equipment makers like Huawei” since 2012, so Facebook should have been aware of them. He added, “I look forward to learning more about how Facebook ensured that information about their users was not sent to Chinese servers.”
Facebook vice president Francisco Varela told the Times that “All Facebook’s integrations with Huawei, Lenovo, Oppo and TCL were controlled from the get-go—and Facebook approved everything that was built. Given the interest from Congress, we wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei’s servers.”
Concern over Huawei has built in Congress as Chinese state banks funded its massive overseas expansion selling both phones and telecom equipment across the globe. As the Washington Post noted, though the company denies that it shares any user data with the Chinese government, the Pentagon took the fairly unusual move of banning the sale of devices from both Huawei and another Chinese manufacturer, ZTE, on military bases. As with Huawei, US intelligence officials suspect ZTE could be stealthily spying on its international customers (though they have yet to provide any specific evidence, so take that with a grain of salt).
For the record, ZTE is the same company that was facing a seven-year ban on buying or using components made by US firms after it allegedly violated sanctions on Iran and North Korea—until Chinese President Xi Jinping whispered a few sweet nothings into Donald Trump’s ear and the duo agreed to some kind of plan to lift the ban with undisclosed “security guarantees.”
ZTE is not believed to have had access to the Facebook API, a source told the Post.
Still, the Federal Communications Commission is mulling a ban on using federal subsidies to purchase telecom equipment from either firm.
According to the Wall Street Journal, while it would be easy for Huawei and ZTE to build backdoors into their networking equipment, it would be very difficult for them to build in anything more complicated than a kill switch—such as surveillance systems—without tipping off wireless carriers and internet service providers. However, it would be much simpler for the companies to spy on anyone using their smartphones.
“Could they have the capability that’s tapping into a call or recording a call?” Ribbon Communications Inc. chief technology officer Kevin Riley told the Journal. “Absolutely. They own that software.”
In the Times’ prior report, University of California, Berkeley privacy researcher Serge Egelman commented, “You might think that Facebook or the device manufacturer is trustworthy. But the problem is that as more and more data is collected on the device—and if it can be accessed by apps on the device—it creates serious privacy and security risks.”
Whoops! There’s that Facebook experience for ya.
Facebook said it began “winding down” the manufacturer partnerships in April (conveniently right about the time the Cambridge Analytica scandal was reaching full steam). According to the Times, all four Chinese partnerships are currently active, but “Facebook officials said in an interview that the company would wind down the Huawei deal by the end of the week.”
Update, 9:30pm ET: Per a report in Reuters, that deal Trump struck with Xi to save ZTE may already be in motion. Sources told the news agency that ZTE has signed a “preliminary” deal with the Commerce Department, which would require the company to completely overhaul its board and executive team within a month, pay a $1 billion fine with an additional $400 million kept in escrow to “cover any future violations,” and sign off on a “non-public agreement” to allow US officials to visit its facilities without pre-clearance by the Chinese government. However, the deal is not yet finalized, Reuters reported.