Published Facebook documents expose data sharing agreements, Android firmware exploits

A further 250 pages of seized documents reveal a culture of viewing user data as a commodity

The UK Parliament has published 250 pages of leaked documents taken from the Six4Three seizure, which show Facebook's directors treating user data as a commodity with which the company could build business, and knowingly exploiting firmware to access sensitive data outside of Facebook.

A summary of the documents revealed that the platform had adopted a series of exploitative practices, including the strategic whitelisting of apps, use of friends' data in commerce, Android firmware exploitation and systematic targeting of rival apps.

Whitelisting was prevalent for the friends' data API, with companies such as Badoo, Bumble, Netflix and Airbnb all receiving special APIs for hashed friends access. The report contends this was done because only those apps were capable of generating revenue, traffic and overall growth for the Facebook platform. Badoo specifically used its profitability as a way of convincing Facebook to whitelist it on the friends' data API.

"We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not," an email from Badoo to Facebook reads. "The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps)."

Facebook developed a new, personalised API within a week.

However, apps Facebook deemed to be rivals had their access to its platform revoked in a clear attempt to kill them off. For example, the report revealed that the incredibly popular Vine platform, which shuttered in late 2016, had its access to the friends' data API revoked. An email from Justin Osofsky, Facebook's vice president, alerted Mark Zuckerberg to the launch of Vine, a Twitter-owned app, in January 2013, proposing that the company revoke its access because it allowed Vine to find friends using Facebook's API. Zuckerberg replied succinctly with "Yup, go for it."

What's more, the documents support the long-held belief that Facebook was operated from the top down to treat customer data as a commodity, something that the company has been criticised for in the past.

Further email communications between Zuckerberg and an engineer discuss a new model of revenue generation built on the sale of user data to developers.

"The basic idea is that any other revenue you generate for us earns you a credit towards whatever fees you owe us for using platform," said Zuckerberg. "For most developers, this would probably cover cost completely. So instead of ever paying us directly, they'd just use our payments or ads products. A basic model could be: Login with Facebook is always free, Pushing content to Facebook is always free, Reading anything, including friends, costs a lot of money. Perhaps on the order of $0.10/user each year."

Although Facebook has said in a fiery rebuttal via its blog that the 'cherrypicked' quotes from the seized documents showed an initial plan, the actual model is not as set out above and the developer platform remains free.

However, published emails also show that Facebook actively exploited Android firmware to gain access to users' calls and texts, and actively made it as difficult as possible for users to realise that it was happening.

"[The growth team] are going to include the 'read call log' permission, which will trigger the Android permissions dialog on update, requiring users to accept the update," said Michael Lebeau, Facebook's product manager, in an email discussion. "They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK (people you may know), coefficient calculation, feed ranking etc. This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."

In Facebook's blog post response, the company said: "As we've said many times, Six4Three, creators of the Pikinis app, cherrypicked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app's users. The set of documents, by design, tells only one side of the story and omits important context.

"The documents were selectively leaked to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data."

Damian Collins, MP and head of the committee which released the documents, took to Twitter to explain why the publication went ahead.

The landmark publication of the documents follows weeks of uncertainty surrounding what potentially damaging information they contained. They were initially seized by Parliament's Serjeant-at-Arms at a London hotel from the founder of Six4Three, an American app developer which is in the middle of a lawsuit with Facebook in California. The documents were originally obtained by the developer through legal discovery for its own case.
