Which third parties can access sensitive data that users post on Facebook, such as email addresses? It depends on the partner, according to Facebook. So here’s the latest tidbit about how this policy is being implemented.
Earlier today, Michael Arrington at TechCrunch spotted a way for Microsoft’s Windows Live Messenger instant messaging service to access your Facebook friends’ email addresses, using its Invite2Messenger feature for importing contacts from other sites. Invite2Messenger has been live for eight months. It lets you pick which Facebook friends you want to add to the service, and apparently until today showed you their email addresses within its interface. While it’s supposed to work with a variety of social networks, only Facebook is currently available. See the screenshot Arrington took, above.
Email is a great way for companies to communicate with users about their services, and Facebook has always kept a very tight lid on who could access the addresses in its possession. Now Facebook has removed the ability to see email addresses in Invite2Messenger, telling me that what Arrington saw must have been a bug.
Arrington interprets Facebook’s data-sharing relationship with Microsoft to be a contradiction of its policy about sharing user data.
But the issue isn’t so much that Facebook is breaking its own policy by sharing email addresses with Microsoft. The issue is the policy itself. Facebook wants to maintain control over the sharing process. Its rationale: This is sensitive data that not just anyone should have access to, and there’s no technical and legally permissible way to share it in a generally open manner.
So user email addresses are not available to companies using Facebook’s developer platform. Nor are email addresses available to third-party sites that access Facebook user profile information from their own sites using the forthcoming Facebook Connect service.
The problem here, to many people, is that the data they put into Facebook belongs to them. Why should Facebook decide which partners — like Microsoft — should be the ones getting access to it?
The policy in question:
We do not provide contact information to third party marketers without your permission. We share your information with third parties only in limited circumstances where we believe such sharing is 1) reasonably necessary to offer the service, 2) legally required or, 3) permitted by you.
Facebook “Chief Privacy Officer” Chris Kelly says the company reserves the right to share email addresses with “trusted partners” like Microsoft. Facebook’s data-sharing relationship with Microsoft doesn’t contradict this policy, he says.
The email-sharing issue has come up before, as many of our readers may remember. Facebook lets users publish their own email addresses on their personal profiles, to share with friends. But, to protect against things like automated third-party scripts scraping these addresses out of the site, the company renders each email address as an image. Typically, scripts can’t easily scrape images. Plaxo, a company that aggregates contact information from other web services, built a script in January designed to scan these images and set it loose on Facebook, then got banned. Aside: Facebook was very interested in buying Plaxo at one point, before Comcast finally did last May.