What the NYT’s Facebook Investigation Really Tells Us

Facebook may or may not have lost its handle on our data. But it has definitely lost its handle on the public narrative—and the benefit of the doubt.

Mark Zuckerberg
The Zucc.
Gerard Julien/AFP/Getty Images

There were many important and troubling revelations in the New York Times’ latest investigation into Facebook’s privacy practices. There were others that seem less sinister the closer you look at them.

Perhaps more important than either, however, was how the story resonated and what people took from it—which, in many cases, was far more than it actually proved. People didn’t just get mad; they got not-gonna-take-this-anymore mad.

Above all, what the story and its fallout tell us is this: Any benefit of the doubt that Facebook once enjoyed—from the media, the government, the tech-savvy public—is long gone. And that’s a bigger blow than any EU penalty or FTC fine the social network could incur.

Let’s look first at what the Times’ deeply reported piece actually did. It called well-deserved attention to the broad access to user data that Facebook handed out for years to its platform partners and its evidently lax oversight of those arrangements. And it highlighted several specific arrangements that are worrisome in their own right.

For instance, the Times reported that Facebook struck deals with several companies that allowed for the sharing of users’ contact lists and address books, partly to enhance Facebook’s shady “People You May Know” recommendation engine. One of those partners was the Chinese firm Huawei, which the U.S. government views as a national cybersecurity risk. Facebook also had a partnership with the Russian tech firm Yandex, which is suspected of Kremlin ties, that gave it access to Facebook user IDs. And not only did it sling user data around, the company failed to reel it back in once its partners no longer needed it.

All of which is deeply disconcerting, even if the concrete harms remain speculative at this point. (No evidence has yet surfaced that Facebook’s partners misused the data, though it’s certainly possible.) We now know that Facebook’s carelessness with users’ information, highlighted in March by the Cambridge Analytica scandal, extended to its relationships with larger corporate partners, which got even more access than small-time developers. While this is hardly shocking, the Times deserves credit for unearthing the documents that prove it.

Of course, anyone paying attention already knew Facebook wasn’t exactly Fort Knox when it came to users’ personal information. Moreover, the most alarming new details in the New York Times story, such as agreements that allowed Netflix and Spotify to “read, write, and delete users’ private messages,” appear to have been wildly overblown.

A response from Facebook on Wednesday evening explained that these permissions were about allowing Facebook users to read, write, and delete their own Facebook messages from within Netflix and Spotify once they linked their accounts and logged in. It was a way of encouraging people to use Facebook features without leaving the streaming app, which was a strategy that Facebook pursued very publicly for years. While there are some key differences, from a functional standpoint it’s loosely analogous to the way that Google allows Apple iOS users to read, write, and delete their Gmail messages from their iPhone. And it makes far more sense than the notion that Facebook would give other big tech companies free rein to effectively steal the identities and communications of its users.

Such nuance did not come across clearly in the Times story and was often lost completely in the public conversation that swirled around it. To pick just one striking example, here’s an excerpt from an NPR interview with Democratic Sen. Amy Klobuchar of Minnesota on Wednesday. Klobuchar, mind you, is not just any senator, but she sits on the Commerce and Judiciary committees and is the co-author of a well-known social media privacy bill.

NPR’s Mary Louise Kelly: On the specific revelations that are coming out, the part I found most unsettling is this revelation that Spotify and Netflix, two other big tech companies, could read our private messages on Facebook.

Sen. Amy Klobuchar: It is an unbelievable thought. So you are, you know, going back-and-forth with your mom and—about what movie they liked or what movie they were going to see and then—on Facebook. Never in a million years do people think that is then going to go to Netflix so they can presumably direct things at you, if you have an account with them, or try to lure you into their service by advertising things—or the same with music and Spotify.

Kelly: But to your point that we—you said we should not be surprised—I mean, should we be surprised? Or should we just accept that …

Klobuchar: I’m not surprised … 

Based on the available evidence, this is a complete misreading by both host and “expert” of the arrangement between Facebook and those two streaming companies. It is indeed an unbelievable thought that Netflix or Spotify were reading the messages people typed on Facebook, let alone using that information to target them with ads. Still more outrageous if they did this for people who weren’t even Netflix or Spotify subscribers, as Klobuchar implies.

But by all indications, they were doing none of those things. The companies’ Facebook integrations simply allowed existing customers to log into their Facebook accounts from within the streaming app and use its messaging features without having to navigate to Facebook proper. It’s the sort of arrangement that looks foolhardy or even sinister today but that many internet users took for granted at the time.

I know that because I was one of them. I thought nothing of using Facebook to log into Spotify, because I naïvely trusted Facebook to guard my data, probably more so than I trusted Spotify. I even tested for a while a Mozilla Firefox feature that brought a Facebook feed directly into your browser, as a sidebar, so that you could see what your friends were up to even when you were on other websites. It eventually dawned on me that this was imprudent, and certainly there were some activists at the time who were sounding alarms, but it was hardly a scandal.

The real problem turned up by the Times’ reporting is that Facebook failed to pull the plug on this type of access until last year, even though many of the integrations had been abandoned years earlier. But that sloppiness, while inexcusable, isn’t the part that made headlines.

What has changed to make this sort of feature the subject of a front-page New York Times exposé? Not Facebook’s privacy practices, which by all accounts were worse several years ago than they are today. No, what has changed is that Facebook has forfeited our trust to the point that we are primed to assume the worst of it.

That confirmation bias has become so pervasive that even people like Klobuchar let it cloud their understanding of Facebook’s actions. You can see it in her reply to Kelly’s follow-up question, when she says she’s not surprised. You can see it in my own snarky tweet responding to the NYT report, before I dived deeper into its particularities. When your baseline assumption is that Facebook is nefarious, even cartoonishly fictitious misdeeds like letting Spotify delete people’s private Facebook messages don’t surprise you.

To be clear, Facebook has earned this mistrust, even if it hasn’t earned all of the specific outrages that have been levied against it. From Cambridge Analytica to Zuckerberg’s evasive congressional testimony to the massive data breach to the Definers affair to its internal emails to its perpetual evasiveness about “People You May Know,” the throughline is clear: For most of its history, Facebook has systematically prioritized its own growth over its users’ privacy while claiming to do the opposite.

That doesn’t mean Facebook is doomed, or even that #DeleteFacebook will dent its short-term bottom line this time any more than it did last time. What it does mean is that every Facebook privacy misstep from here on out is likely to be viewed as more villainous than it really is, including by people who have the power to do something about it. The complexity of Facebook’s systems will no longer be countenanced as an excuse for failing to regulate it. Public naïveté about its business model will gradually give way to paranoia.

And while these outcomes are probably still a ways off, it’s hard to see how this cycle ends except in some sort of seismic event: a sweeping privacy law, a federal antitrust suit, Zuckerberg’s resignation. Otherwise, the blows will keep coming until they start to hit the company where it really hurts: in the same precious growth metrics that all of its aggressive, privacy-compromising initiatives were intended to fuel.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.