
Published Facebook documents expose data sharing agreements, Android firmware exploits

A further 250 pages of seized documents reveal a culture of viewing user data as a commodity

The UK Parliament has published 250 pages of leaked documents taken from the Six4Three seizure, which show Facebook's directors treating user data as a commodity with which the company could build its business, and knowingly exploiting firmware to access sensitive data outside of Facebook.

A summary of the documents revealed that the platform had adopted a series of exploitative practices, including the strategic whitelisting of apps, the use of friends' data in commerce, Android firmware exploitation and the systematic targeting of rival apps.

Whitelisting was prevalent for the friends' data API, with companies such as Badoo, Bumble, Netflix and Airbnb all receiving special APIs for hashed friends access. The report contends this was done because only those apps were capable of generating revenue, traffic and overall growth for the Facebook platform. Badoo specifically used its profitability as a way of convincing Facebook to whitelist it on the friends' data API.

"We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not," an email from Badoo to Facebook reads. "The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps)."

Facebook developed a new, personalised API within a week.

However, apps that Facebook deemed to be rivals had their access to its platform revoked in a clear attempt to kill them off. For example, the report revealed that the incredibly popular Vine platform, which shuttered in late 2016, had its access to the friends' data API revoked. An email from Justin Osofsky, Facebook's vice president, alerted Mark Zuckerberg to the launch of Vine, a Twitter-owned app, in January 2013, and proposed that the company revoke its access because the API allowed Vine users to find friends through Facebook. Zuckerberg replied succinctly with "Yup, go for it."

What's more, the documents support the long-held belief that Facebook was operated from the top down to treat customer data as a commodity, something that the company has been criticised for in the past.

In further email communications between Zuckerberg and an engineer, a new model of revenue generation built on the sale of user data to developers is discussed.

"The basic idea is that any other revenue you generate for us earns you a credit towards whatever fees you owe us for using platform," said Zuckerberg. "For most developers, this would probably cover cost completely. So instead of every paying us directly, they'd just use our payments or ads products. A basic model could be: Login with Facebook is always free, Pushing content to Facebook is always free, Reading anything, including friends, costs a lot of money. Perhaps on the order of $0.10/user each year."

Facebook has said in a fiery rebuttal on its blog that the 'cherrypicked' quotes from the seized documents showed an initial plan, that the actual model is not as set out above, and that the developer platform remains free.

However, published emails also show that Facebook actively exploited Android firmware to gain access to users' calls and texts, and actively made it as difficult as possible for users to realise that it was happening.

"[The growth team] are going to include the 'read call log' permission, which will trigger the Android permissions dialog on update, requiring users to accept the update," said Michael Lebeau, Facebook's product manager, in an email discussion. "They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK (people you may know), coefficient calculation, feed ranking etc. This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."

In Facebook's blog post response, the company said: "As we've said many times, Six4Three, creators of the Pikinis app, cherrypicked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app's users. The set of documents, by design, tells only one side of the story and omits important context.

"The documents were selectively leaked to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data."

When discussing the reasoning behind the publication of the documents, Damian Collins, MP and head of the committee which released the documents, took to Twitter to express why the publication went ahead.

The landmark publication of the documents follows weeks of uncertainty surrounding what potentially damaging information they contained. They were initially seized by Parliament's Serjeant-at-Arms at a London hotel from the founder of Six4Three, an American app developer which is in the middle of a lawsuit with Facebook in California. The documents were originally obtained by the developer through legal discovery for its own case.
