Published Facebook documents expose data sharing agreements, Android firmware exploits

A further 250 pages of seized documents reveal a culture of viewing user data as a commodity


The UK Parliament has published 250 pages of leaked documents taken from the Six4Three seizure, which show Facebook's directors treating user data as a commodity with which the company could build business, and knowingly exploiting firmware to access sensitive data outside of Facebook.

A summary of the documents revealed that the platform had adopted a series of exploitative practices, including the strategic whitelisting of apps, use of friends' data in commerce, Android firmware exploitation and systematic targeting of rival apps.


Whitelisting was prevalent for the friends' data API, with companies such as Badoo, Bumble, Netflix and Airbnb all receiving special APIs for hashed friends access. The report contends this was done because only those apps were capable of generating revenue, traffic and overall growth for the Facebook platform. Badoo specifically used its profitability as a way of convincing Facebook to whitelist it on the friends' data API.

"We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not," an email from Badoo to Facebook reads. "The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps)."


Facebook developed a new, personalised API within a week.

However, apps Facebook deemed to be rivals had their access to its platform revoked in a clear attempt to kill them off. For example, the report revealed that the incredibly popular Vine platform, which shuttered in late 2016, had its access to the friends' data API revoked. An email from Justin Osofsky, Facebook's vice president, alerted Mark Zuckerberg to the launch of Vine, a Twitter-owned app, in January 2013, proposing that the company revoke its access because the API allowed Vine users to find friends through Facebook. Zuckerberg replied succinctly with "Yup, go for it."


What's more, the documents support the long-held belief that Facebook was operated from the top down to treat customer data as a commodity, something that the company has been criticised for in the past.

In further email communications between Zuckerberg and an engineer, a new model of revenue generation built on the sale of user data to developers is discussed.

"The basic idea is that any other revenue you generate for us earns you a credit towards whatever fees you owe us for using platform," said Zuckerberg. "For most developers, this would probably cover cost completely. So instead of ever paying us directly, they'd just use our payments or ads products. A basic model could be: Login with Facebook is always free, Pushing content to Facebook is always free, Reading anything, including friends, costs a lot of money. Perhaps on the order of $0.10/user each year."

Facebook has said in a fiery rebuttal via its blog that the 'cherrypicked' quotes from the seized documents showed an initial plan, that the actual model is not as set out above, and that the developer platform remains free.


However, published emails also show that Facebook actively exploited Android firmware to gain access to users' calls and texts, and actively made it as difficult as possible for users to realise that it was happening.

"[The growth team] are going to include the 'read call log' permission, which will trigger the Android permissions dialog on update, requiring users to accept the update," said Michael Lebeau, Facebook's product manager, in an email discussion. "They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK (people you may know), coefficient calculation, feed ranking etc. This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."

In Facebook's blog post response, the company said: "As we've said many times, Six4Three, creators of the Pikinis app, cherrypicked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app's users. The set of documents, by design, tells only one side of the story and omits important context.


"The documents were selectively leaked to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data."

Damian Collins, MP and head of the committee which released the documents, took to Twitter to explain why the publication went ahead.

The landmark publication of the documents follows weeks of uncertainty surrounding what potentially damaging information they contained. They were initially seized by Parliament's Serjeant-at-Arms at a London hotel from the founder of Six4Three, an American app developer which is in the middle of a lawsuit with Facebook in California. The documents were originally obtained by the developer through legal discovery for its own case.
