The British Parliament published a 250-page internal Facebook document on the Digital, Culture, Media, and Sport Committee website, which is investigating the company’s privacy standards as a portion of its report on disinformation and fake news. Previously the documents had been sealed in US courts, but they can now provide a rare look into Facebook’s policies on privacy, user data, how it handles competitors and more.
The documents, labelled highly classified by Facebook and sealed by a US judge, were obtained when the founder of Six4Three, Ted Kramer, entered the United Kingdom. His company is suing Facebook for causing its app — that searches for pictures of Facebook friends in swimwear — to become defunct after it tightened its stance on privacy in 2015.
When MPs found that the software executive had internal Facebook documents in his possession, they sent an official from the House of Commons to his hotel to retrieve them. He refused and was taken to the Parliament where he was threatened with imprisonment if he did not comply.
With several hundred pages of documentation it’s difficult to read and understand all the revelations, which include Facebook making “whitelisting” agreements with other companies, taking an aggressive stance against competitors and hiding the fact it was collecting call and text logs from Android users. Damian Collins, chair of the committee that released the documents, believes “there is considerable public interest in releasing these documents,” explaining in a series of tweets that there wasn’t “straight answers from Facebook on these important issues [data and app developer policies], which is why we are releasing the documents”.
Previously Mark Zuckerberg, co-founder and CEO of Facebook, had been invited to present evidence to the committee but had declined multiple times, most recently sending policy Richard Allan instead.
In response to the documents, a spokesperson said “… the documents Six4Three gathered for their baseless case are only part of the story and are presented in a way that is very misleading without additional context,” before explaining that “We've never sold people's data." Zuckerberg posted a short response on his personal Facebook profile too, attempting to add context to the narrative.
There’s a lot of information contained in the documents and below are some of the key takeaways from what can be found inside.
The idea of charging companies to access certain data was considered in October 2012, with logging into and pushing content to Facebook remaining free, but charging for reading data would cost $0.10/user per year.
Zuckerberg explained the concept in more detail:
I’ve been thinking about platform business model a lot this weekend…if we make it so devs can generate revenue for us in different ways, then it makes it more acceptable for us to charge them quite a bit more for using platform. The basic idea is that any other revenue you generate for us earns you a credit towards whatever fees you own us for using plaform. For most developers this would probably cover cost completely. So instead of every paying us directly, they’d just use our payments or ads products.
Companies would be able to repay the money in several different ways, including buying ads from Facebook, running ads in the developer’s app or on its website, using Facebook’s payment processing services, selling items in the Karma store (though it’s not clear what exactly the “Karma store” is) or by directly paying the fees owed to the company.
Then in a separate document from February 2017 related to the ongoing court case, it can be seen that Facebook once considered charging companies a minimum of $250,000 to access the Graph API. The 250-page document details this as well, showing that it was briefly considered sometime around September 2013. The company changed how the API worked in 2014, introduced a new version and redacted all access to the earlier on in 2015.
Responding to the revelation that Facebook once considered selling access to users’ data, he explained that “that's different from selling people's data,” reiterating that “we've [sic] never sold anyone's data”
Though the document is redacted it is possible to see some of the blacked-out text by copying and pasting it into a word processor, reports Ars Technica. This text reveals that Facebook allowed Nissan, RBC and possibly others extended access to the original API,
Facebook “whitelisted” select companies after it made changes to its platform in 2015 which saw tighter controls on privacy. Though most other companies were shut out, some companies still had full access to users’ friends’ information and as Collins explains, “it is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not”. Companies on the whitelist included Netflix, Badoo and its sister companies Hot or Not and Bumble, Lyft and Airbnb.
Netflix wrote to Facebook for further clarification on the partnership:
We will be whitelisted for getting all friends, not just connected friends
Vine seemed to become a big competitor to Facebook, which aggressively attempted to shut it down quickly by revoking its access to the Facebook API.
Facebook VP Justin Osofsky quickly recommended the solution:
Twitter launched Vine today which lets you shoot multiple short video segments to make one single, 6-second video... Unless anyone raises objections, we will shut down their friends API access today. We've prepared reactive PR, and I will let Jana know our decision."
Zuckerberg seemed to have no problem with it:
Yup, go for it.
Facebook previously had a policy that restricted developers from accessing its platform if their apps copied a part of the platform, but announced before the documents were released that it would remove the policy to “remain as open as possible”.
Friends’ data is a big source of revenue due to growing sales from app developers and throughout the document it’s clear that Facebook is interested in using this as an evaluation of its relationship with the developer.
Zuckerberg wanted app developers to be required to share their data with Facebook in order to receive data in return:
The quick summary is that I think we should go with full reciprocity and access to app friends for no charge. Full reciprocity means that apps are required to give any user who connects to FB a prominent option to share all of their social content within that service back (ie all content that is visible to more than a few people, but excluding 1:1 or small group messages) back to Facebook. In addition to this, in the future, I also think we should develop a premium service for things like instant personalization and coefficient, but that can be separate from this next release of platform…
When the company purchased Onavo — makers of popular VPN software for iOS and Android — in 2013, it did so with the purpose of using it to find out what consumer’s usage of mobile apps was like. This helped the company decide to purchase WhatsApp due to its popularity in developing countries and to build a Houseparty competitor.
One of the main issues the committee brought up is that Facebook issued an update to its Android app that enabled it to collect user call logs and text messages — and did so in a way that make it as hard as possible for users to understand that this was happening. The company started uploading the logs in 2016, including entire call histories, records of current and deleted contacts and records of texts, focusing on how to minimize publicity around the addition of the feature.
Mike LeBeau, Product Manager during the time, according to his LinkedIn:
He guys, as you know all the growth team is planning on shipping a permissions update on Android at the end of this month. They are going to include the ‘read call log’ permission, which will trigger the Android permissions dialog on update, requiring users to accept the update. They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK, coefficient calculation, feed ranking etc. This is a pretty highrisk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it.
Then Yul Kwon, Director of Product Management responds:
The Growth team is now exploring a path where we only request Read Call Log permission, and hold off on requesting any other permissions for now.
Based on their initial testing, it seems this would allow us to upgrade users without subjecting them to an Android permissions dialog at all.
It would still be a breaking change, so users would have to click to upgrade, but no permissions dialog screen.
Though technically allowed since users did have to opt-in to the process,
The company responded to the revelations by telling that the feature “allows people to opt in to giving Facebook access to their call and text messaging logs in Facebook Lite and Messenger on Android devices” and that it helps them “make better suggestions for people to call in Messenger and rank contact lists in Messenger and Facebook Lite”.