A key British lawmaker alleged Wednesday that Facebook maintained “whitelisting agreements” that gave select companies preferential access to valuable user data several years ago, offering insight into how the company balanced concerns about user privacy with the business imperative of growing revenue.
Damian Collins, chairman of a British parliamentary committee that has led a wide-ranging investigation into Facebook and its dealings with political consultancy Cambridge Analytica, on Wednesday released a summary of findings drawn from documents from a lawsuit against the social network, along with more than 200 pages of documents, many of them labeled “Confidential.” Collins’ allegation echoes a key claim from the lawsuit, which was filed by an app developer in a California court.
Facebook, which has long said it does not sell user data, on Wednesday denied that it used its data as a bargaining chip in exchange for advertising and other concessions, as the app developer, Six4Three, has alleged in its suit.
The documents released in Britain, part of a larger trove that long have been sealed in the lawsuit, afforded a rare glimpse into the inner workings of one of the world’s most prominent and profitable companies during an uncertain time.
The period covered by the documents was when Facebook, as a newly public company, sought to reorganize around emerging mobile devices while seeking to manage persistent claims that it was cavalier with user privacy. Some of the companies mentioned in the newly released documents include Airbnb, Netflix, Royal Bank of Canada, Lyft, Tinder and Badoo.
A series of emails from October 2012 reveal Facebook Chief Executive Mark Zuckerberg’s keen interest in figuring out how to extract revenue from Facebook’s trove of user data — and the app developers that relied on it. “There’s a big question on where we get revenue from,” Zuckerberg wrote to one of his executives.
“Without limiting distribution or access to friends who use this app, I don’t think we have any way to get developers to pay us at all besides offering payments and ad networks,” he continued. Zuckerberg’s private statements appear to contradict a stance he had long maintained publicly, that app developers’ access was open and free.
Along with the selection of legal documents, Collins issued a written summary saying, “Facebook have clearly entered into whitelisting agreements with certain companies, which meant that after the platform changes in 2014/15 they maintained full access to friends data. It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not.”
The data in question included people’s Facebook posts and photos, as well as their name, gender, educational and religious background and hometown. It also consisted of user preferences as they surfed the web hitting Facebook’s familiar “like” button or downloaded an app. Such data, which Cambridge Analytica and tens of thousands of app developers gained access to over several years, offered key marketing insights for advertisers and political campaigns.
Facebook gradually closed off access to this data in 2014 and 2015, saying it wanted to better protect user privacy. But Six4Three and other app developers have argued that the company’s decision to restrict access to user data was also a move to maximize revenue by generating profit from data that previously was freely available.
Facebook said that some legal documents filed by Six4Three were misleadingly crafted and do not represent the company’s practices or policies.
“We stand by the platform changes we made in 2015 to stop a person from sharing their friends’ data with developers,” a spokesperson said. “Like any business, we had many internal conversations about the various ways we could build a sustainable business model for our platform. But the facts are clear: We’ve never sold people’s data.”
The documents emerged out of a closely watched legal battle in San Mateo County federal court in the United States between Six4Three and Facebook. They came into the possession of British authorities last month when Six4Three developer Ted Kramer traveled to London with digital copies of thousands of the documents. British authorities took custody of the documents, sidestepping the sealing order of the California court.
A small number of documents already became public last week, including descriptions of emails suggesting that Facebook executives had discussed giving access to their valuable user data to some companies that bought advertising when it was struggling to launch its mobile-ad business.
The alleged practice started about seven years ago but has become more relevant this year because the practices in question — allowing outside developers to gather data on not only app users but their friends — are at the heart of Facebook’s Cambridge Analytica scandal.
Critics of the company say that the legal documents in the Six4Three case shed light on practices that compromised the privacy of Facebook users and could have violated a 2011 agreement with the U.S. Federal Trade Commission.
Collins said in his written summary accompanying the documents that many major changes to Facebook’s underlying policies and technology were driven by a desire to obtain “increasing revenues from major app developers.” Often, that came through Facebook’s threats to limit “access to friends data,” according to U.K. legislators.
The emails suggest the extent to which Facebook users and developers had been kept in the dark about the company’s data-collection practices. On Android smartphones, for example, Facebook “planned to make it as hard [as] possible for users to know” that it was collecting a record of calls and texts, Collins said.
One exchange from February 2015 bears that out. In a message thread with other employees, a Facebook engineer raised concerns about rolling out a feature of the Android Facebook app that would continually upload a user’s call and SMS history.
“This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it,” the engineer said, outlining a scenario in which “the scary Android permissions screen becomes a meme (as it has in the past), propagates around the web, it gets press attention, and enterprising journalists dig into what exactly the new update is requesting, then write stories about ‘Facebook uses new Android update to pry into your private life in ever more terrifying ways — reading your call log, tracking you in businesses with beacons, etc.’”
Later in the thread, Yul Kwon, then Facebook’s deputy chief privacy officer, noted that a tweak to the upgrade that still allowed the app to read call logs would allow for the upgrade to go to users “without subjecting them to an Android permissions dialog at all.”
Facebook largely stopped permitting such wide-ranging access to user data in 2015, but it did not stop it for all outside developers at the same time because, the company has said, some needed extensions to keep their software from breaking in ways that would have harmed users.
Cambridge Analytica’s acquisition and use of such data for political campaigns has spawned several investigations since it was revealed in news reports in March. In the United States, the Justice Department, the Securities and Exchange Commission and the FTC have been investigating Facebook’s handling of this data and its public representations about it.
Since the Cambridge Analytica controversy, lawmakers have repeatedly questioned Facebook about its relationships with data partners. Zuckerberg told Congress in April that the company had cut off outsiders’ access to friends’ data several years ago, but subsequent reports have focused on privileged relationships brokered by the company.
Facebook has not disputed the authenticity of the documents in its battle with Kramer, the Six4Three developer. But the company said that the exhibits in the case were used selectively to give a misleading portrait of decision-making at the company at a time when the social network was sharply limiting the information that app developers could gather from the platform.
Kramer’s company was the developer of Pikinis, an app that enabled people to find photos of Facebook users wearing bikinis. The app was built on the back of Facebook’s data, which Six4Three and thousands of other developers accessed through a feed known as an application programming interface, or API. The data feed enabled Six4Three to scour Facebook for bikini photos of people who were friends with Pikinis’ users.
3:40 p.m.: This article was updated with additional details on Facebook’s internal communication.
12:30 p.m.: This article was updated with additional details and analysis throughout.
This article was originally published at 10:25 a.m.