On Wednesday morning, a U.K. Parliament committee released a trove of internal Facebook documents that give new insight into how the company negotiates with third-party apps, as well the company’s thoughts about its relationships with developers.
The 250-page report includes select emails sent to representatives from Badoo, Airbnb, Netflix, and Lyft, in the 2015 timeframe, in which a Facebook executive tells someone from that company that they’ve been ‘whitelisted’ to get access to certain APIs. The emails were sent shortly after Facebook announced that it was shutting down access to the Friends data API.
“We will be whitelisted for getting all friends, not just connected friends,” according to an email sent from a Netflix representative to Facebook’s Konstantinos Papamiltiadis, director of partnership platforms at Facebook at the time.
“We have whitelisted Badoo App, HotorNot and Bumble for the Hashed Friends API that was shipped late last night,” Papamiltiadis wrote in another email. The Hashed Friends API appeared to give companies data that helped them identify which “non-app friends to recommend to a given user,” and they had to sign a special agreement to get access to it.
Damian Collins, the head of the DCMS committee in the U.K. Parliament that seized the documents, wrote that these agreements “meant that after the platform changes in 2014/15 they maintained full access to friends data. It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not.”
Facebook has previously said that the documents seized by the U.K. Parliament “are presented in a way that is very misleading without additional context.”
After publication, Facebook posted a response to its corporate blog. In regards to the allegations of whitelisting, Facebook said that “in some situations, when necessary, we allowed developers to access a list of the users’ friends.” The company said that this is different than the friend data that Facebook revoked developers’ access to in 2014.
“In addition, white lists are also common practice when testing new features and functionality with a limited set of partners before rolling out the feature more broadly (aka beta testing),” the company’s statement read. “Similarly, it’s common to help partners transition their apps during platform changes to prevent their apps from crashing or causing disruptive experiences for users.”
It’s not surprising that a company with as many customers as Facebook would give certain customers more privileges — or in this case, access to more data. But what Collins is objecting to is that Facebook was making these deals behind the scenes, and perhaps without giving users the proper notice.
The documents come by way of a lawsuit between Six4Three and Facebook. Six4Three sued Facebook after the company removed developers’ access to friend data. That change meant that Pikini, one of Six4Three’s apps that helped people find bikini pictures, no longer worked. The complaint is that Facebook defrauded developers by encouraging them to build on the platform, and then suddenly made changes that harmed their business.
The U.K. Parliament was able to seize a cache of documents from the lawsuit after the founder of Six4Three traveled to London for business.
Some other important findings from the documents released this morning include:
Mark Zuckerberg personally gave the OK to shut off Vine’s API access in 2013
Facebook’s Justin Osofsky sent an email to Zuckerberg in 2013 asking to shut off Vine’s API access, saying that “As part of their [Vine’s] NUX, you can find friends via FB. Unless anyone raises objections, we will shut down their friends API access today. We’ve prepared reactive PR, and I will let Jana know our decision.” Zuckerberg replied with “Yup, go for it.”
Wired described Facebook’s response at the time as “passive aggressive,” as Facebook published a blog post “clarifying its platform policies” without referencing Vine.
Facebook knew its Android call and text permissions could be controversial
In 2015, Facebook made a permissions update on Android so that it could collect data on contacts, SMS, and call history so its friend recommendation algorithm could make better suggestions. Emails show Facebook managers discussing how the company’s growth team was testing a way that would force Android users to accept the permissions update by clicking, but without subjecting the user to a separate permissions dialog screen.
Facebook’s Michael LeBeau wrote, “This is a pretty highrisk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it.”
Facebook’s Android permissions did kick up a PR storm earlier this year, as Ars Technica published an investigation about how Android users unwittingly gave Facebook permission to scrape call and text data.
Zuckerberg was more concerned about advertiser misuse of data, not developers
Per a 2012 email from Zuckerberg to Facebook’s Sam Lessin, continuing discussions on whether to charge developers for access to certain data:
“I’m generally sceptical [sic] that there is as much data leak strategic risk as you think. I agree there is clear risk on the advertiser side, but I haven’t figured out how that connects to the rest of the platform. I think we leak info to developers, but I just can’t think if any instances where that data has leaked from developer to developer and caused a real issue for us. Do you have examples of this?”
If only 2018 Zuckerberg could have warned him about the PR risks of developer’s leaking data.
Update at 10:30 a.m. Pacific Updated with comment from Facebook about whitelisting in the seventh paragraph.
Update at 10:13 a.m. Pacific Facebook CEO Mark Zuckerberg posted a note in response to the documents released today. He didn’t comment on the discussions of whitelisting or Android permissions.
But, he did the company’s decision to limit the amount of data developers could access starting in 2014, and explains why the company considered charging developers access for data at one point.
“At the same time as we were focusing on preventing abusive apps, we also faced another issue with our platform — making it economically sustainable as we transitioned from desktop to mobile,” Zuckerberg wrote. “Other ideas we considered but decided against included charging developers for usage of our platform…To be clear, that’s different from selling people’s data.”