Facebook’s Data Sharing and Privacy Rules: 5 Takeaways From Our Investigation.

Facebook deals in data

“We don’t sell data to anyone,” Mark Zuckerberg, Facebook’s founder, told Congress during a hearing in April. His pledge — that the torrent of data Facebook collects from its 2.2 billion users will always remain safely in Facebook’s hands — has been a cornerstone of the company’s defensive strategy this year, as lawmakers, regulators and activists have pummeled the social network over a series of privacy breaches and public relations blunders.

While it is true that Facebook hasn't sold users’ data, for years it has struck deals to share the information with dozens of Silicon Valley companies. These partners were given more intrusive access to user data than Facebook has ever disclosed. In turn, the deals helped Facebook bring in new users, encourage them to use the social network more often, and drive up advertising revenue.

Facebook’s largest partners got far more access than Cambridge Analytica did

Revelations in March that a political consulting firm linked to President Trump had improperly obtained data on as many as 87 million Facebook users set off the worst crisis in Facebook’s history. The company’s stock plunged, as regulators around the world demanded answers and users worried that Facebook wasn’t protecting their data. In response, Facebook pointed to changes it had made to its privacy policy in 2014, saying that developers no longer had the kind of access that Cambridge had exploited.

But The Times’s investigation reveals that Facebook continued to give huge tech companies, including Microsoft and Amazon, access to much more: the data of hundreds of millions of people a month, including email addresses and phone numbers — without users’ knowledge or consent.

Facebook never directly told users that it was sharing this data

Internal documents obtained by The Times show that Facebook shared data with more than 150 companies — most of them tech businesses, but also automakers, media organizations (including The Times) and others.

While Facebook users can control what data they share with most of the thousands of apps on Facebook’s platform, some companies had access to users’ data even if they had disabled all sharing. Many of the partners’ applications never even appeared in Facebook’s user application settings. According to Facebook, each of the outside companies acted as an extension of the social network. Any information a user shared with friends on Facebook, the company argues, could be shared with these partner companies without additional consent.

Facebook was sloppy

The data partnerships date to 2010, at the start of a period of headlong growth and expansion for Facebook. Within a few years, the social network had struck so many of these deals that Facebook employees built a tool to track the different types of access the partners had.

Despite this, Facebook appears not to have kept close tabs on how its users’ data flowed out into the world. A Russian social media company, Yandex, that has been accused of having overly close ties to the Kremlin, still had access to Facebook’s unique user IDs for years after Facebook had cut off other applications from the data, citing security concerns.

Likewise, Facebook gave Yahoo the ability to display a Facebook user’s news feed — including friends’ posts — on the search company’s home page. Yahoo got rid of the feature in 2012. But as of last year, it still had access to data for close to 100,000 people a month.

Regulators let it happen

Under the terms of a 2011 consent agreement with the Federal Trade Commission, Facebook was required to strengthen privacy safeguards and disclose data practices more thoroughly. The company hired an independent firm, PricewaterhouseCoopers, to formally assess its privacy procedures and report back to the F.T.C. every two years.

Four former officials and employees of the F.T.C., briefed on The Times’s findings, said the data-sharing deals likely violated the consent agreement, since users had no way of knowing which companies Facebook had shared their data with, and no clear means of granting or withholding permission. At least one assessment by PricewaterhouseCoopers, in 2013, found that Facebook had done little to ensure that the shared data was appropriately safeguarded.

Facebook maintains that the partnerships are covered by an exemption to the consent decree. A spokeswoman for the F.T.C., which last spring opened a new investigation into Facebook, declined to say whether the commission agreed.