Select Page

Internal, and confidential, Facebook documents containing revelations around how the business agreed to hand over data to household brands despite it being unclear whether there was any user consent to do so have been published by the UK government.

As part of an ongoing inquiry into fake news and the fallout from the Cambridge Analytica scandal, the department for culture, media and sport (DCMS) has shared excerpts from sensitive exchanges between Facebook execs and companies like Netflix, Airbnb, Lyft and dating apps Tinder and Badoo. 

Around 250 pages have been published, some of which are marked as being 'highly confidential'. Facebook has opposed their publication, saying they were "only part of the story" and were presented in a way that was "very misleading".

The documents appear to show that after announcing plans in 2014 to shut down a tool that allowed apps to access the data of users' Facebook friends (who hadn't necessarily given permission), Facebook continued to 'whitelist' certain companies for a similar privilege on a case-for-case basis.

The data mined by Cambridge Analytica, gathered by way of a political quiz in 2014, exposed a loophole this API for political gain, then sold it (against Facebook's policy). 

According to DCMS chair Damian Collins, Facebook "clearly entered into whitelisting agreements with certain companies" which meant after the platform changes in 2014/15 these companies maintained full access to friends' data. 

He added: "It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not."

The fact the likes of Netflix and Tinder were offered a way to potentially still access data belonging to users' friends list after Facebook promised to clamp down on the practice is likely to prompt further questions from authorities and users around Facebook's commitment to user privacy. 

The Drum has reached out to Netflix, Tinder and Lyft for comment. 

What else do the documents reveal?

The documents under scrutiny were gathered by Six4Three, a startup tech firm which is embroiled in a lawsuit against Facebook. They were turned over to Westminster last week and Collins said they have been released "in the public interest". 

Along with claims Facebook allowed some firms to maintain "full access" to users' friends data, Collins also noted that:

  • Execs, including Marc Zuckerberg, discussed the idea of linking access to friends data to the financial value of the developers relationship with Facebook

  • Facebook had been aware that an update to its Android app that let it collect records of users' calls and texts would be controversial. "To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features," Collins wrote

  • Facebook used data provided by the Israeli analytics firm Onavo to determine which other mobile apps were being downloaded and used by the public. It then used this information to decide which apps to acquire or treat as a competitor

  • The files showed evidence of Facebook taking "aggressive positions" against rival apps, denying them access to data that caused their businesses to fail. Such examples included an engineer suggesting Faceboook shutting down Twitter-owned Vine's access to friends data, to which Zuckerberg replied "yup, go for it"

A Facebook spokesperson said: “As we've said many times, the documents Six4Three gathered for their baseless case are only part of the story and are presented in a way that is very misleading without additional context.

"We stand by the platform changes we made in 2015 to stop a person from sharing their friends' data with developers.

"Like any business, we had many of internal conversations about the various ways we could build a sustainable business model for our platform. But the facts are clear: we've never sold people’s data."

You can read excepts from Facebook documents published by DCMS below:

Exhibit 84 – whitelisting of Badoo [dating app]

Email: from Badoo to Konstantinos Papamiltidas (director of platform partnerships at Facebook)
16 September 2014:
'We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not. ‘The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps).’

Email: from Konstantinos Papamiltidas to Badoo,
23 January 2015
‘We have now approval from our internal stakeholders to move ahead with a new API – working name Hashed Anon All Friends API. The new API as well as the relevant docs will be ready next week. ‘How would this API work…For each of the FB logged in users, the API will return:
FBIDs: App friends that logged in before your migration to V2: App Scoped IDs: App friends that logged in after your migration to V2: Annonymous one-way hashed IDs: Non-app friends The API will hopefully let you understand some of the structure of the graph in order to determine which non-app friends to recommend to a given user.’

Email 5 February 2015: from Konstantinos Papamiltidas
‘We have whitelisted Badoo App, HotorNot and Bumble for the Hashed Friends API that was shipped late last night.’

Email 6 February 2015: From Konstantinos Papamiltidas to Badoo
‘Badoo APP ID has definitely been whitelisted…According to out logs you have already made 100 calls against this API.’

Exhibit 87 – whitelisting of Lyft [taxi app]
Email: from Konstantinos Papamiltidas to Lyft, 30 March 2015
‘As far as I can tell, the App ID below has been whitelisted for All Mutual Friends access.’

Exhibit 91 – whitelisting of Airbnb
Email: Konstantinos Papamiltidas (Facebook's director of developer platforms and programs) to Airbnb
18 March 2015 
As promised, please find attached the docs for Hashed Friends API that can be used for social ranking. Let us know if this would be of interest to you, as we will need to sign an agreement that would allow you access to this API.’ 

Exhibit 92 – whitelisting of Netflix
Email: Netflix and Chris Barbour and Papamiltidas at Facebook 
17 February 2015
Netflix wrote on 13 February ‘We will be whitelisted for getting all friends, not just connected friends’ 

Exhibit 97 – discussion about giving Tinder full friends data access in return for use of the term ‘Moments’ by Facebook
Email: discussion between Konstantinos Papamiltiadis and Tinder regarding allowing Facebook to use ‘Moments’, a term that had already been protected by Tinder Email from Konstantinos
Papamiltidas to Tinder
11 March 2015
‘I was not sure there was not a question about compensation, apologies; in my mind we have been working collaboratively with [name redacted] and the team in good faith for the past 16 or so months.

He’s a member of a trusted group of advisers for our platform (Developer Advisory Board) and based on our commitment to provide a great and safe experience for the Tinder users, we have developed two new APIs that effectively allow Tinder to maintain parity of the product in the new API world.’

Email: from Konstantinos Papamiltidas 
Tinder 12 March 2015
‘We have been working with [name redacted] and his team in true partnership spirit all this time, delivering value that we think is far greater than this trademark.’