On Friday, Facebook submitted a 747-page document to Congress containing answers to more than 1,000 questions that members of the House Energy and Commerce Committee had posed to CEO Mark Zuckerberg during his hearing on Cambridge Analytica and data privacy in April.
The document contains two new substantial pieces of information:
Facebook gave at least 52 companies special access to user data: The company listed the hardware and software firms with which it had entered into “integration partnerships,” an arrangement that essentially allowed third parties to obtain an extensive amount of data on users and their friends in order to better integrate the platform into products. The list includes Silicon Valley mainstays such as Apple, Mozilla, and Amazon, along with foreign firms like Sony, HTC, and Huawei. (Lawmakers have said that Facebook’s relationship with Huawei, a Chinese telecom company with ties to the country’s government, may pose a security risk.) The New York Times first reported on the extent of such partnerships in June, noting that the practice may violate the consent decree that the social media giant reached with the FTC in 2011 because users’ friends had not explicitly authorized such access to their data. Facebook responded at the time that it had not violated the decree and had strictly limited the data sharing. Facebook further claims in the document that it has discontinued 38 of the partnerships and plans to sever seven more over the course of 2018. The company will continue to allow Apple, Amazon, and others to access such data.
Facebook gave 61 app developers an extension so they could continue to obtain data from users’ friends after it claimed to be cutting off such access in 2015: Nike, Spotify, Coffee Meets Bagel, and Hinge were among the apps that were allowed to continue to access data from users’ friends for approximately six months after May 2015, which was the deadline for most other developers to bring their platforms into compliance with regulations aimed at preventing privacy violations. Aleksandr Kogan, the academic at the center of the Cambridge Analytica scandal who harvested user data using a Facebook quiz, was reportedly able to obtain personal information from up to 87 million accounts in 2014 even though only 270,000 people had used his app. This is because he was able to access data from those users’ friends. Facebook executives have stated that the new regulations it subsequently imposed in 2015 would prevent other developers from repeating what Kogan did. Apart from the 61 apps who received extra time to fall in line with the regulations, Facebook disclosed that an additional five apps “theoretically could have accessed limited friends’ data” during a beta test. Facebook also announced on Monday that it will be placing more restrictions on the data that developers can access.
As the Washington Post has pointed out, however, the 747-page document still manages to leave questions unanswered. Here are some notable omissions:
How many data points does Facebook have on the average user? Facebook described the categories of information that it collects on users – data on what people “do and share” on the platform, data describing the devices that people use to connect to its services, and data it receives from partners. But it neglected to disclose anything about quantities. The company wrote in the document, “As far as the amount of data we collect about people, the answer depends on the person.” Though it makes sense that the company would have different amounts of data on different people, it is unclear why it could not provide an average.
Why didn’t Facebook investigate apps like Kogan’s quiz years ago? Zuckerberg pledged in March that his company would audit thousands of apps that use vast amounts of data in order to avoid another Cambridge Analytica scandal shortly after the New York Times broke the story. Facebook did not explain in the documents why it neglected to conduct this audit in 2015, when the company claims it first learned of Kogan’s alleged indiscretions.