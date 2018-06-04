Now, the C.E.O. could have a new privacy scandal on his hands.

When Mark Zuckerberg appeared before Congress in April, he insisted that the kind of data sharing that sparked the Cambridge Analytica scandal was out of bounds for Facebook. “You should have complete control over your data,” he said during one Senate hearing. “If we’re not communicating this clearly, that’s a big thing we should work on.” In the weeks following Zuck’s hearings, Facebook said it has investigated “thousands” of apps suspected of misusing user data, and suspended hundreds. “Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website,” promised the social-media giant. “It will show people if they or their friends installed an app that misused data before 2015—just as we did for Cambridge Analytica.” Yet according to a New York Times investigation, Facebook itself provided phone makers with blanket access to people’s private data without getting their consent‚ even after declaring it had stopped doing so. In some cases, companies could access data from users’ friends, even if those friends hadn’t given permission for their data to be shared—a fluke that could have major financial ramifications for the company.

Beginning a decade ago, Facebook struck data-sharing agreements with at least 60 device manufacturers, including Apple, Microsoft, BlackBerry, Amazon, and Samsung. Under the terms of the agreements, Facebook would help manufacturers build apps for their devices and incorporate Facebook functionality into their operating systems, giving users easy access to popular Facebook features like messaging and photo sharing. In order for this to work, Facebook had to give these companies access to vast amounts of user data through private A.P.I.s. One Times reporter, using a 2013 BlackBerry smartphone, logged into Facebook through BlackBerry’s Hub app—an app that combines messaging, e-mail, and social-media feeds. When he did, BlackBerry’s software was able to retrieve personal data like political and religious affiliations from 556 of his Facebook friends, as well as “identifying information” about nearly 295,000 friends of friends. This level of data sharing—which Facebook began winding down in April, though many of the partnerships remain in effect—is a violation of Facebook’s privacy policy, the Times asserts, which currently only allows third-party apps to request the names of users’ friends also using the app.

Facebook, however, denied that the deals are anything but above-board, and rejected comparisons between third-party device makers and Cambridge Analytica—there’s a difference, Facebook asserted, between a political firm surreptitiously mining data, and granting the same access to a big tech firm, which has the resources to protect the information and won’t profit directly from it. The deals Facebook struck with companies like BlackBerry and Apple, it argued, were necessary: “There were no app stores at the time and this was the only way to make our product work on their devices. We tightly controlled these A.P.I.s from the get-go,” Ime Archibong, Facebook’s vice president of product partnerships, told Bloomberg. “These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to re-create Facebook-like experiences.” Facebook said it’s now starting to shut down its partnerships; so far, 22 have been terminated.

Even so, the agreements raise new questions about whether Facebook violated a 2011 Federal Trade Commission consent decree, which prevented the company from misleading users about the privacy of their personal information. Sandy Parakilas, a former Facebook employee who led third-party advertising and privacy compliance, told the Times that the agreements set off red flags early on. “This was flagged internally as a privacy issue,” he said. “It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.” Spurred by the Cambridge Analytica fiasco, the F.T.C. is already looking into whether Facebook violated the decree—a threat, according to a senior Federal Communications Commission source, that looms much larger than potential anti-trust regulation, or any other legislation that could kneecap the company. “That is the first test,” the official told me late last month. “Before any of these issues that this coalition demands, the first order of business is determining whether Facebook violated the consent decree.” If the company is found liable, it could be fined trillions—a sum that could sink even Zuckerberg’s billion-dollar ship.

