Two hundred fifty pages of previously secret internal documents from Facebook show that the company allowed even more companies to be “whitelisted”—granting them extended access to the company’s permissive v1.0 Graph API back in 2015—than has previously been known.
In addition, the Wednesday release by a British lawmaker also confirms what Ars previously discovered via a failure to adequately redact public court filings from last year: Facebook once considered charging for access to user data.
The documents, known as the “Six4Three files,” were published by Damian Collins, a member of the UK Parliament. Collins is the chair of the Digital, Culture, Media, and Sport (DCMS) Committee in Parliament, which has been overseeing inquiries into Facebook’s practices. On November 16, the DCMS again asked CEO Mark Zuckerberg to appear before the committee via video; Zuckerberg has given no indication that he will do so.
The files open with a brief summary of what Collins found most interesting in the trove.
The top-line item is the “whitelisting agreements,” of which he writes: “It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not.”
The 2017 redaction failure showed that Facebook gave extended access to Chrysler/Fiat, Lyft, Airbnb, and Netflix, among others—a point that Facebook says Six4Three got wrong. These new documents show that Facebook also whitelisted dating apps Badoo, HotorNot, and Bumble. “The files show evidence of Facebook taking aggressive positions against apps, with the consequence that denying them access to data led to the failure of that business,” Collins concluded.
Finally, a February 2015 email from Facebook engineering manager Mark Tonkelowitz noted that a new Android version of the Facebook app would, seemingly for the first time, include the “read call log” permission. Users would be required to accept the update in order to use the new version of the app. “This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it,” Tonkelowitz wrote to his bosses.
Ashkan Soltani, a technologist formerly with the Federal Trade Commission, who recently testified before the UK Parliament, suggested on Twitter that this disclosure was in violation of Facebook’s consent decree with the FTC.
7) @FTC consent decree required that @Facebook get 1A) affirmative consent before the collection of covered info 4A) create a privacy program to address privacy risks
However, docs show lead of privacy program was actively working to evade user consent https://t.co/mcXhDnSg2i pic.twitter.com/Z3CEvsWE80
— ashkan soltani (@ashk4n) December 5, 2018
London calling
Collins obtained the documents on November 20, when he confronted a Six4Three executive, Ted Kramer, in his London office.
Six4Three is a long-forgotten company that has for years pursued a lawsuit against Facebook alleging that it was shut out from being allowed to access the Graph API, as it was too small. Six4Three made a short-lived app called “Pikinis,” which sought bikini photos on Facebook. It was only downloaded around 5,000 times.
Lawyers for Six4Three have long argued what Collins concluded: once small apps were shut off, they were driven out of business.
That lawsuit, which is currently underway in San Mateo County Superior Court, just miles from Facebook’s headquarters, had numerous documents that were under protective order by the judge, meaning they could not be released publicly. However, Kramer traveled to the UK late last month, apparently on business, with some of those documents on his computer. (It remains unclear why Kramer had the documents to begin with or why he traveled to the UK with them.)
Collins, who is leading a parliamentary investigation into fake news and Facebook’s activities worldwide, then threatened that Kramer would be held in contempt of Parliament if he did not hand over the documents Collins wanted. Kramer, according to his own testimony, “panicked” and quickly copied some files to a USB stick.
The documents Collins released Wednesday appear to be some, and possibly all, of the materials that Kramer shared.
In a recent hearing, San Mateo County Judge V. Raymond Swope was incensed that his order was disregarded and ordered that the devices of both Kramer and his lawyer, Thomas Scaramellino, be handed over for forensic inspection. As a result of the brouhaha, the April 2019 trial date has been cancelled and, for now, has not been rescheduled.
Facebook did not immediately respond to Ars’ request for comment but told The Wall Street Journal in a statement that these files “are only part of the story and are presented in a way that is very misleading without any additional context.”
The company also reiterated that it “never sold people’s data.”
The two sides are set to appear before Judge Swope again on Friday.
https://arstechnica.com/?p=1423393