It’s becoming increasingly clear that Facebook’s casual treatment of private consumer data exposed during the Cambridge Analytica scandal was the norm, not the exception. Despite routine shock and indignation by Facebook executives at Cambridge Analytica’s misleading use of app-gleaned user data, it’s abundantly clear that the company’s protection of consumer data haven’t been up to snuff for the better part of the last decade, and that lax treatment of such data is most decidedly a Facebook feature, not a bug.
The latest case in point: earlier this week, the New York Times revealed that Facebook has been routinely striking deep data sharing partnerships with numerous hardware vendors since at least 2010. The report noted that Facebook had struck deals providing “vast amounts” of user data with at least 60 different hardware vendors including Apple and Samsung.
As it has countless times before, Facebook was quick to issue a blog post trying to deflate the width and breadth of the Times report. In its post, Facebook claimed that the lack of app stores in the early wireless ecosystem required that it offer “device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems” using Facebook user data. “We are not aware of any abuse by these companies,” Facebook proclaimed. The problem is that Facebook provided these companies access to the data of users’ friends without their explicit consent. That likely violates a 2011 consent decree with the Federal Trade Commission promising that the company would no longer share such information with outside firms—without express end user approval. In the wake of the Cambridge scandal, Facebook said that the kind of access exploited by Cambridge Analytica in 2014 ended a year later, when Facebook began prohibiting developers from collecting information from users’ acquaintances. It apparently forgot to mention the company was still exempting dozens of hardware vendors from those restrictions. A subsequent report by the Washington Post notes that Chinese network equipment manufacturer Huawei was among the companies Facebook has been sharing data with. That’s of particular note given the Trump administration’s efforts to blacklist Chinese gearmakers for either violating sanctions (ZTE) or spying on American citizens.
To be clear, public evidence that Huawei spies on American citizens is arguably a bit shaky. After all, a year-long U.S. government investigation found no public evidence that the company routinely spies on American consumers, and more often than not the flames of such concerns are routinely fanned by companies like Cisco, eager to hamper overseas competitors.
But additional reporting by the New York Times notes that Facebook had similar deals with other Chinese hardware firms including Lenovo, Oppo and TCL, raising new concerns about how widely this data was shared, and just what measures Facebook had in place to prohibit abuse of it users’ information. Given all of the hysteria regarding Chinese network vendors at the moment, the revelations quickly resulted in raised eyebrows among DC lawmakers.
“I look forward to learning more about how Facebook ensured that information about their users was not sent to Chinese servers,” Virginia Senator Mark Warner said in a statement. While Facebook now says it will be winding down its partnership with Huawei by the end of this week, there’s still plenty of questions about just how secure this data actually was, whether these other relationships have been discontinued, and whether private Facebook user data ever found its way off of these devices and into the hands of additional parties.