By Nicholas Confessore, Michael Laforgia and Gabriel J.x. Dance
You are the product: That is the deal many Silicon Valley companies offer to consumers. The users get free search engines, social media accounts and smartphone apps, and the companies use the personal data they collect — your searches, “likes,” phone numbers and friends — to target and sell advertising.
But an investigation by The New York Times, based on hundreds of pages of internal Facebook documents and interviews with about 50 former employees of Facebook and its partners, reveals that the marketplace for that data is even bigger than many consumers suspected. And Facebook, which collects more information on more people than almost any other private corporation in history, is a central player.
Here are five takeaways from our investigation.
Facebook deals in data
“We don’t sell data to anyone,” Mark Zuckerberg, Facebook’s founder, told Congress during a hearing in April. His pledge — that the torrent of data Facebook collects from its 2.2 billion users will always remain safely in Facebook’s hands — has been a cornerstone of the company’s defensive strategy this year, as lawmakers, regulators and activists have pummeled the social network over a series of privacy breaches and public relations blunders.
While it is true that Facebook hasn’t sold users’ data, for years, it has struck deals to share the information with dozens of Silicon Valley companies. These partners were given more intrusive access to user data than Facebook has ever disclosed. In turn, the deals helped Facebook bring in new users, encourage them to use the social network more often, and drive up advertising revenue.
Facebook’s largest partners got far more access than Cambridge Analytica did
But The Times’ investigation reveals that Facebook continued to give huge tech companies, including Microsoft and Amazon, access to much more: the data of hundreds of millions of people a month, including email addresses and phone numbers — without users’ knowledge or consent.
Facebook never directly told users that it was sharing this data
Internal documents obtained by The Times show that Facebook shared data with more than 150 companies — most of them tech businesses, but also automakers, media organizations (including The Times) and others.
While Facebook users can control what data they share with most of the thousands of apps on Facebook’s platform, some companies had access to users’ data even if they had disabled all sharing.
Many of the partners’ applications never even appeared in Facebook’s user application settings. According to Facebook, each of the outside companies acted as an extension of the social network. Any information a user shared with friends on Facebook, the company argues, could be shared with these partner companies without additional consent.
Facebook was sloppy
The data partnerships date to 2010, at the start of a period of headlong growth and expansion for Facebook. Within a few years, the social network had struck so many of these deals that Facebook employees built a tool to track the different types of access the partners had.
Despite this, Facebook appears not to have kept close tabs on how its users’ data flowed out into the world. A Russian social media company, Yandex, that has been accused of having overly close ties to the Kremlin, still had access to Facebook’s unique user IDs for years after Facebook had cut off other applications from the data, citing security concerns.
Likewise, Facebook gave Yahoo the ability to display a Facebook user’s news feed — including friends’ posts — on the search company’s home page. Yahoo got rid of the feature in 2012. But as of last year, it still had access to data for close to 100,000 people a month.
Regulators let it happen
Under the terms of a 2011 consent agreement with the Federal Trade Commission, Facebook was required to strengthen privacy safeguards and disclose data practices more thoroughly. The company hired an independent firm, PricewaterhouseCoopers, to formally assess its privacy procedures and report back to the FTC every two years.
Four former officials and employees of the FTC, briefed on The Times’ findings, said the data-sharing deals likely violated the consent agreement, since users had no way of knowing which companies Facebook had shared their data with, and no clear means of granting or withholding permission. At least one assessment by PricewaterhouseCoopers, in 2013, found that Facebook had done little to ensure that the shared data was appropriately safeguarded.
Facebook maintains that the partnerships are covered by an exemption to the consent decree. A spokeswoman for the FTC, which last spring opened a new investigation into Facebook, declined to say whether the commission agreed.