Royal Bank of Canada denied allegations that the lender had access to private conversations on Facebook, forcefully arguing that it never could see or delete user messages.
“We did not have the ability to see users’ messages,” RBC said in a statement after a New York Times story alleged that a number of large companies were given preferential access to Facebook user data, including private messages, through partnerships they formed with the social-media giant. Other companies named in the story include Spotify and Netflix.
On Wednesday, Spotify and Netflix also commented on the story. In a statement to The Globe and Mail, Spotify said “we have no evidence that Spotify ever accessed users’ private Facebook messages.” In a separate statement, Netflix said its access gave customers the ability to recommend TV shows and movies to their friends. “Beyond these recommendations, we never accessed anyone’s personal messages and would never do that," the company said.
In an e-mailed response, Facebook said the technology that RBC had access to did have the ability to both read and write messages, but that the bank only used the write-message features to send notices confirming that money transfers had gone through.
The company stressed that users would have first been required to sign into Facebook to authorize RBC’s messaging features. “Partners could not integrate the user’s Facebook features with their devices without the user’s permission.”
Corporate partnerships have come into focus over the past few weeks after the head of a British parliamentary investigation into Facebook released hundreds of the social-media giant’s internal e-mails, saying the company entered into contracts with a host of large firms, including RBC, that gave the partners preferential access to user data.
Late Tuesday, The New York Times made more specific allegations, noting that Facebook “allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread – privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show.”
Facebook’s shares fell 7.3 per cent on Wednesday amid a broad market sell-off spurred by the Federal Reserve’s latest interest-rate hike. The social-media giant has come under pressure in 2018 after revelations that app developers and corporate partners may have had access to user data, without user consent. Its shares have dropped 24 per cent this year.
RBC formed a partnership with Facebook in 2013 to launch a program that would allow its clients to send money transfers through the Facebook Messenger service. At the time, Silicon Valley giants including Facebook, Apple and Google were looking to get into banking, and there was a fear among financial institutions that tech companies would upend their business models. In response, some banks decided to partner with the newcomers for competitive reasons.
After e-mails from the British parliamentary investigation were released, RBC said it only had access to the unique “user-IDs” of Facebook users, which allowed the bank to integrate the money-transfer tool into its own apps, and to also monitor the service for money laundering. It also allowed a client to write a message to the recipient of its money transfer.
On Wednesday, the bank went further. “RBC’s use of the Facebook platform was limited to the development of a service that enabled clients to facilitate payment transactions to their Facebook friends, which was launched in December, 2013. As part of our security and fraud protocols, we needed to uniquely identify the recipient of funds and payments to securely process the transaction and deliver the notification. We did not have the ability to see users’ messages,” the bank said in the statement.
“We decommissioned the service in 2015 and our limited access, which was used strictly to enable our clients’ payments, ended at that time,” the bank added. RBC said it provided the same comments to The New York Times before its story was published, but the statement was not included.
In its own statement, Spotify said its integration with the social-media giant "has always been about sharing and discovering music and podcasts. Spotify cannot read users’ private Facebook inbox messages across any of our current integrations. Previously, when users shared music from Spotify, they could add on text that was visible to Spotify. This has since been discontinued. We have no evidence that Spotify ever accessed users’ private Facebook messages.”
The e-mails released in Britain are part of a U.S. lawsuit against Facebook by California app developer Six4Three. A California court has sealed the material, but the founder of Six4Three recently gave it to Damian Collins, the chair of the British House of Commons digital, culture, media and sport committee.
Several e-mails related to Royal Bank’s money-transfer program. In the batch of e-mails, Sachin Monga, who was a product developer at Facebook Canada at the time, noted that RBC was a firm with preferential-partner status. He also mentioned that Facebook teams were excited about the money-transfer app’s potential to make the financial-services industry rethink the role of Facebook in retail banking.
Mr. Monga no longer works for Facebook and did not return a request for comment. But on Wednesday, he pushed back against the latest private-message allegations, writing on Twitter that the Spotify, Netflix and RBC partnerships were "at the app-level, Facebook was never giving those companies access to FB messages.”
The access granted by Facebook, he added, gave “people the ability to send messages to their friends through these apps, if they chose to authenticate the app for that permission,” he wrote.
Facebook wrote in an e-mail Wednesday evening: “At the time, the Facebook team in Canada may have believed that this had the potential to be among the largest financial services campaign[s] in Canada.” It added that it did not have a minimum ad-spending agreement with RBC.