The head of a British Parliamentary investigation into Facebook has released hundreds of the social media giant’s internal e-mails, saying the company entered into contracts with a host of large firms, including the Royal Bank of Canada, that gave them special access to friends' user data.

The e-mails were released on Wednesday by the chair of the British House of Commons’ digital, culture, media and sport committee, which has launched a wide-ranging investigation into how Facebook manages personal data and the spread of disinformation. The documents are part of a U.S. lawsuit against Facebook by California app developer Six4Three. A California court has sealed the material, but the founder of Six4Three recently gave it to committee chair Damian Collins.

Mr. Collins said the documents showed that Facebook entered into “whitelisting” agreements with companies including Royal Bank, Netflix, Airbnb and Lyft that gave them access to friends’ data in return for online advertising even after Facebook restricted access in 2015. “It is not clear that there was any user consent for this nor how Facebook decided which companies should be whitelisted or not,” Mr. Collins said. Whitelisting involves compiling a list of companies that will be offered access to particular information. Mr. Collins added that “it is clear that increasing revenues from major app developers was one of the key drivers behind the [2015 access change] at Facebook.”

Facebook changed its access policy in 2015 to prevent app developers from collecting data from friends of users who downloaded their apps. That was how London-based Cambridge Analytica obtained personal information from more than 80 million Facebook users in 2014. However, it is not clear exactly what data were shared with companies named in the internal e-mails released on Wednesday.

The documents contained several e-mails from Facebook chief executive Mark Zuckerberg to company executives discussing at length how to generate more revenue from app developers in return for data access. “What I’m assuming we’ll do here is have a few basic thresholds of [access] and once you pass a threshold you either need to pay us some fixed amount to get to the next threshold or you get rate limited at the lower threshold,” he said in an e-mail dated Nov. 19, 2012.

An e-mail marked “confidential” from Konstantinos Papamiltiadis, Facebook’s director of platform partnerships, suggested tying data access to ad spending. He wrote on Sept. 18, 2013, telling Ime Archibong, Facebook’s director of product partnerships, to revoke access to user data for app developers that did not buy ads. “Communicate in one-go to all apps that don’t spend that [access] permission will be revoked. Communicate to the rest that they need to spend on [advertising] $250k a year to maintain access to the data.”

Facebook has said it does not sell user data, and on Wednesday denied requiring app developers to buy advertising in return for access. “We explored multiple ways to build a sustainable business with developers who were building apps that were useful to people,” the company said in a statement. “But instead of requiring developers to buy advertising — the option discussed in these cherry picked e-mails — we ultimately settled on a model where developers did not need to purchase advertising to access [data] and we continued to provide the developer platform for free.”

Several e-mails related to giving Royal Bank access to Facebook data in 2013 so the bank could develop an app that would allow customers to transfer money via Facebook Messenger. One e-mail talked about giving Royal Bank the same “extended [access] agreement” as Netflix, although it is not clear from the e-mails exactly how much access Royal Bank got or how much it spent on Facebook advertising. All of the e-mails relate only to RBC’s connection to the messenger service. An e-mail from Sachin Monga, who was a product developer at Facebook Canada at the time, noted that Royal Bank was a whitelist entity and added: “I believe [the new RBC app] will be one of the biggest [advertising] campaigns ever run in Canada.” He also mentioned that Facebook teams were excited about the app’s potential to make the financial services industry re-think the role of Facebook in retail banking, and to be a test case “for more compelling high-signal ‘transactions’ over FB messages (sending money, sharing files, customer service with a business, etc.).”

Royal Bank said in a statement on Wednesday that the app was launched in December, 2013, and that it learned about Facebook’s change in access two years later. “Shortly afterwards, we began the process of discontinuing this service and continued access granted by Facebook ensured it could be wound down without compromising our clients’ transactions and information,” the bank said. “We have never had a minimum marketing spend or target agreement with Facebook. Investment decisions are based on campaign performance. We take seriously our responsibility to protect customer privacy and we do not share individual client information with Facebook or other advertisers.”

Mr. Collins also said the material showed that Facebook began continuously uploading logs of calls and texts in 2015 from Android phone users who have the Facebook app, and that the company “planned to make it as hard as possible for users to know that this was one of the underlying features of the upgrade of their app.”

In an e-mail on Feb. 4, 2015, Facebook engineering manager Mark Tonkelowitz said, “this is a pretty high-risk thing to do from a PR perspective, but it appears that the growth team will charge ahead and do it.”