Published Facebook documents expose data sharing agreements, Android firmware exploits

A further 250 pages of seized documents reveal a culture of viewing user data as a commodity

The UK Parliament has published 250 pages of leaked documents taken from the Six4Three seizure, which show Facebook's directors treating user data as a commodity with which the company could build business, and knowingly exploiting firmware to access sensitive data outside of Facebook.

A summary of the documents revealed that the platform had adopted a series of exploitative practices, including the strategic whitelisting of apps, the use of friends' data in commerce, Android firmware exploitation and the systematic targeting of rival apps.

Whitelisting was prevalent for the friends' data API, with companies such as Badoo, Bumble, Netflix and Airbnb all receiving special APIs for hashed friends access. The report contends this was done because only those apps were capable of generating revenue, traffic and overall growth for the Facebook platform. Badoo specifically used its profitability as a way of convincing Facebook to whitelist it on the friends data API.

"We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not," an email from Badoo to Facebook reads. "The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps)."

Facebook developed a new, personalised API within a week.

However, apps Facebook deemed to be rivals had their access to its platform revoked in a clear attempt to kill them off. For example, the report revealed that the incredibly popular Vine platform, which shuttered in late 2016, had its access to the friends data API revoked. An email from Justin Osofsky, Facebook's vice president, alerted Mark Zuckerberg to the January 2013 launch of Vine, a Twitter-owned app, proposing that the company revoke the app's access because it allowed Vine to find friends using Facebook's API. Zuckerberg replied succinctly with "Yup, go for it."

What's more, the documents support the long-held belief that Facebook was operated from the top down to treat customer data as a commodity, something that the company has been criticised for in the past.

In further email communications between Zuckerberg and an engineer, a new model of revenue generation, built on the sale of user data to developers, is discussed.

"The basic idea is that any other revenue you generate for us earns you a credit towards whatever fees you owe us for using platform," said Zuckerberg. "For most developers, this would probably cover cost completely. So instead of ever paying us directly, they'd just use our payments or ads products. A basic model could be: Login with Facebook is always free, Pushing content to Facebook is always free, Reading anything, including friends, costs a lot of money. Perhaps on the order of $0.10/user each year."

Facebook has said in a fiery rebuttal via its blog that the 'cherrypicked' quotes from the seized documents showed an initial plan, that the actual model is not as set out above and that the developer platform remains free.

However, published emails also show that Facebook actively exploited Android firmware to gain access to users' calls and texts, and actively made it as difficult as possible for users to realise that it was happening.

"[The growth team] are going to include the 'read call log' permission, which will trigger the Android permissions dialog on update, requiring users to accept the update," said Michael Lebeau, Facebook's product manager, in an email discussion. "They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK (people you may know), coefficient calculation, feed ranking etc. This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."

In Facebook's blog post response, the company said: "As we've said many times, Six4Three, creators of the Pikinis app, cherrypicked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app's users. The set of documents, by design, tells only one side of the story and omits important context.

"The documents were selectively leaked to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data."

Damian Collins, MP and head of the committee which released the documents, took to Twitter to explain why the publication went ahead.

The landmark publication of the documents follows weeks of uncertainty surrounding what potentially damaging information they contained. They were initially seized by Parliament's Serjeant-at-Arms at a London hotel from the founder of Six4Three, an American app developer which is in the middle of a lawsuit with Facebook in California. The documents were originally obtained by the developer through legal discovery for its own case.
