A British lawmaker has released more than 200 pages of confidential internal Facebook emails revealing discussions of payments for user data and special platform access for certain companies, including Netflix, Airbnb and Lyft.
MP Damian Collins, a vocal critic of Facebook, published the emails Wednesday alongside a summary of his findings and some of the more notable details.
The emails shed a rare behind-the-scenes light on the internal operations at Facebook. The company, reeling from a year of scandals, now faces having to reconcile public statements about user privacy with internal discussions about profit-making.
A Facebook spokesperson told CNBC the documents are "only part of the story and are presented in a way that is very misleading without additional context."
The emails were collected as part of a lawsuit between Facebook and app developer Six4Three. The documents are under seal in a California Court, but Collins and British law enforcement seized the documents from the founder of Six4Three while he was visiting the U.K. last month.
Here's some of what the emails reveal:
White Lists
Facebook in 2014 and 2015 amended its privacy policies to prevent third-party developers from accessing the sensitive data of users' friends. Before that, when a mobile user downloaded an app that was running on Facebook's API, the app could potentially collect profile information about that user's Facebook friends.
The issue is the crux of Facebook's Cambridge Analytica scandal, in which a developer shared friend data with the Trump-aligned British research firm. CEO Mark Zuckerberg said in a post Wednesday that the 2015 policy shift was "an important change to protect our community, and it achieved its goal."
But even after those changes had begun in the spring of 2015, the company maintained "white list" agreements with companies that allowed the companies to maintain "full access to friends data" after the shift, Collins alleges.
Airbnb, Netflix and Lyft were among the companies granted white list agreements, according to the emails. Facebook used an approval system in deciding whether a company would be be on the white list, and on at least one occasion discussed a company's advertising spending on the platform in connection with whether or not the company should be given the special treatment.
Facebook responded to the allegations Wednesday in a blog post, saying:
There is an important distinction between friends' data and friend lists.
We changed our platform policies in 2014/15 to prevent apps from requesting permission to access friends' private information. The history of Cambridge Analytica shows this was the right thing to do. For most developers, we also limited their ability to request a list of who someone's friends were, unless those friends were also using the developer's app. In some situations, when necessary, we allowed developers to access a list of the users' friends. This was not friends' private information but a list of your friends (name and profile pic).
In addition, white lists are also common practice when testing new features and functionality with a limited set of partners before rolling out the feature more broadly (aka beta testing). Similarly, it's common to help partners transition their apps during platform changes to prevent their apps from crashing or causing disruptive experiences for users.
Charging developers for data
Facebook also held serious and detailed discussions about charging developers for access to user data, in part through advertising fees, the emails show.
More than once over a period of several months during 2012 and 2013, Zuckerberg outlined potential structures for charging for data access and emphasized the need to scale revenue. In one email written by Facebook Director of Platform Partnerships Konstantinos Papamiltiadis, the executive hypothesized granting access to user data only to companies that spent at least $250,000 in mobile ad fees each year.
Facebook said Wednesday "the developer platform is free for developers to use" and added:
We explored multiple ways to build a sustainable business with developers who were building apps that were useful to people. But instead of requiring developers to buy advertising — the option discussed in these cherrypicked emails — we ultimately settled on a model where developers did not need to purchase advertising to access APIs and we continued to provide the developer platform for free.
Monitoring rivals and acquisition targets
Facebook-owned Onavo offers a secure VPN, or virtual private network, for mobile users, and in doing so sends app usage data back to Facebook.
Those analytics helped Facebook keep a close eye on rival social media networks and acquisition targets, the internal documents showed. The company circulated charts with growth rates for Snapchat, Twitter, Skype and WhatsApp, among others.
One chart marked "Highly Confidential" shows the number of WhatsApp messages sent per day creeping up on Facebook's totals. Facebook bought WhatsApp for $19 billion in 2014.
"They used this data to assess not just how many people had downloaded apps, but how often they used them. This knowledge helped them to decide which companies to acquire, and which to treat as a threat," Collins claimed.
The company said Wednesday it's "always been clear" about the information Onavo collects, saying:
We let people know before they download the app and on the first screen they see after installing it. Also, people can opt-out via the control in their settings and their data won't be used for anything other than to provide, improve and develop Onavo products and services. Websites and apps have used tools like Onavo for market research services for years. We use Onavo, App Annie, comScore, and publicly available tools to help us understand the market and improve all our services.
Android call logs
In 2015, Facebook was preparing to launch a new partnership with Android that would grant Facebook access to phone call and SMS text logs. The logs were intended to improve things like news feed ranking and friend suggestions, the internal emails show, and would included in an update that required users to accept the changes.
Still, the revelation shocked users earlier this year, when the logs were reported.
Facebook executives anticipated the backlash, though, the emails show.
"This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it," Product Manager Michael LeBeau said at the time. He predicted a "fallout" in which a "screenshot of the scary Android permissions screen becomes a meme (as it has in the past), propagates around the web, it gets press attention, and enterprising journalists dig into what exactly the new update is requesting, then write stories about 'Facebook uses new Android update to pry into your private life in ever more terrifying ways — reading your call logs, tracking you in businesses with beacons, etc.'"
The update went ahead, and Facebook collected call and text records for several years. After the public backlash earlier this year, Facebook announced it would delete any records older than one year.
The company said Wednesday:
This specific feature allows people to opt in to giving Facebook access to their call and text messaging logs in Facebook Lite and Messenger on Android devices. We use this information to do things like make better suggestions for people to call in Messenger and rank contact lists in Messenger and Facebook Lite. After a thorough review in 2018, it became clear that the information is not as useful after about a year. For example, as we use this information to list contacts that are most useful to you, old call history is less useful. You are unlikely to need to call someone who you last called over a year ago compared to a contact you called just last week.
