Facebook Internal Emails Show Need for Users to Safeguard Personal Data

According to a UK report, the company allowed 'friends' access to Netflix, Lyft, and Airbnb after the practice had been halted

The Facebook Inc. website is displayed on an Apple Inc. Macbook Air laptop in an arranged photograph taken in New York, U.S., on Thursday, July 26, 2018. Facebook shares plunged 19 percent Thursday after second-quarter sales and user growth missed Wall Street estimates. Photographer: Johannes Berg/Bloomberg via Getty Images GettyImages-1005710182

Internal Facebook emails and other court documents released as part of a United Kingdom probe demonstrate the need for users to take steps to safeguard personal data on social media.

The 250 pages of documents (PDF) released Wednesday by the U.K. Parliament suggest that Facebook shared sensitive consumer information with select business partners in an attempt to boost its fledgling mobile ad-sales business.

The documents reveal that the company at least debated monetizing customer data by sharing it with certain partners in the hopes that they would buy Facebook ads and other products.

“The question is always ‘How can we grow our bottom line?’ and the privacy interests of consumers never come up,” says Justin Brookman, director of consumer privacy and technology policy at Consumer Reports.

This news is another reminder that consumers need to take measures to safeguard their privacy and security as they use digital products and services.

Facebook offers a host of privacy settings, and while the defaults tend to be set up to maximize data collection, you can adjust them to better protect your personal info.

For details and instructions on Facebook’s various privacy settings, you can consult CR’s comprehensive guide. Below we provide some quick advice, including instructions on how to delete your account.

In a statement published Wednesday on Facebook, founder and CEO Mark Zuckerberg stressed that the company has never sold consumer data. “Developers could choose to buy ads if they wanted,” he wrote. “To be clear, that’s different from selling people’s data.”

More on Facebook

On Wednesday, the U.K. Parliament released the documents that had been sealed in a California court case between Facebook and a small app developer called Six4Three. When the company’s CEO traveled to London last month, he was told to produce the documents or be held in contempt of Parliament. The request for the documents came as part of a larger, ongoing investigation into the social media giant by a U.K. Parliamentary committee.

The documents—many of which date back to 2012, a time when Facebook was shifting its business from desktop computers to mobile devices—outlined a process of “whitelisting,” with company executives appearing to give preferential access to certain business partners, including Airbnb, Badoo, Lyft, and Netflix, while also restricting access to an unnamed list of potential competitors.

The whitelisted companies maintained access to so-called “friend” data—information about users’ Facebook friends, who may not have wanted such info shared—even after Facebook had claimed to discontinue that practice with platform changes in 2014 and 2015.

“It looks like pay-to-play with consumer data,” Pam Dixon, executive director of the World Privacy Forum, told Consumer Reports. “It appears that if you’re an advertiser and spend lots of money with Facebook, you get data that no one else has access to.”

This practice seems to violate a 2011 consent decree issued by the Federal Trade Commission, Dixon says. “The FTC made it extremely clear that Facebook had to get express consent to share consumer data.”

Facebook has called the Six4Three lawsuit “baseless,” claiming that the firm’s attorneys “cherrypicked” the evidence released Wednesday. “The set of documents, by design, tells only one side of the story and omits important context,” the company said in a post on its online newsroom.

The documents don’t contain a bombshell revelation on the scale of this spring’s Cambridge Analytica scandal, but they do shed new light on the company’s discussions about consumer privacy.

The documents reveal Facebook’s thoughts about sharing consumer data with potential partners who might do business with the company.

“So instead of every [sic] paying us directly, they’d just use our payments or ads products,” CEO Mark Zuckerberg wrote in a 2012 e-mail released today.

The released documents also suggest that the company used access to consumer data to thwart competitors. In 2013, Facebook shut down “friends API access” for rival Twitter, as it was releasing a product called Vine, which allowed users to post 6-second videos. The change prevented Vine users from finding friends via Facebook.

In 2015, Facebook also changed its policies governing Android mobile users, which allowed the company to continuously collect a record of calls and texts from those Facebook users.

The emails also show that Facebook executives worried about blowback from the Android update. “This is a pretty high-risk thing to do from a PR perspective,” Mark Tonkelowitz, Facebook engineering manager, wrote in a 2015 email. In response, Yul Kwon, Facebook’s director of product management, seemed to suggest that one solution would be an update that circumvented asking users’ permission, which would avoid drawing attention to the change.

What You Can Do

Keep your whereabouts to yourself. Each time you use the Facebook mobile app to “check in” to your favorite diner or tag that family photo op on the Golden Gate Bridge, Facebook pinpoints your location using GPS data and signals from WiFi access points, cell towers, and other sources.

The company also uses that technology to identify the places you routinely visit and nearby businesses that may want to target you with ads. If you use the Facebook app or website, the company reserves the right to glean details about your location no matter what you do. But it’s easy to make the information Facebook gathers a little less precise. Here’s how to turn off location tracking on your phone. (Android instructions may vary slightly by model.)

On an Android phone: Go to the phone’s Settings > Apps (or Apps & Notifications) > Facebook > Permissions > Location > Off.

On an iPhone: Go to the phone’s Settings > Privacy > Location >
Facebook > While Using the App or Never.

Limit data collection by Facebook’s partners. The Facebook Login feature is a quick and easy way to sign in to websites and mobile apps for services such as The New York Times, Pandora, and Yelp. But it also gives companies access to a lot of personal information. Think your name, email, schools you attended, workplaces, Facebook comments, and “likes”—the sort of data that was mined for behavioral patterns during the Cambridge Analytica scandal.

It’s all but impossible to find and delete personal info once it has been harvested by other companies, or to determine what they ultimately do with the information. But you can see which apps are currently collecting data from your account and stop them. You will no longer be able to access these apps using your Facebook log-in, so create a new log-in and password for each app before making changes.

On a computer: Click on the downward arrow at the top right of your Facebook page and choose Settings > Apps and Websites > Active > Click on the box next to the app’s logo > Remove.

Restrict Facebook from tracking your activity on other websites. Facebook’s snooping does not stop when you leave the platform. If you’ve ever visited a website that uses Facebook services—Like and Share buttons, your Facebook log-in, or the company’s analytics tools—you’ve provided info on the stories you’ve read, the videos you’ve watched, even the products you’ve viewed and placed in an online shopping cart.

When you see those buttons on a website, it’s safe to assume Facebook is collecting your data. The company doesn’t offer any settings to put a stop to this process, but you can disrupt Facebook’s efforts to keep tabs on your browsing history by installing an ad blocking extension, such as Disconnect, Privacy Badger, or Ublock, on your browser.

The Mozilla Foundation designed an ad blocker for its Firefox browser specifically for this task. Called Facebook Container, it takes only a few clicks to install, and the directions are easy to find online.

(Consumer Reports uses Facebook’s services, too. For details on the data we collect, consult our privacy policy.)

Delete your Facebook account. If you’re ready to part with Facebook for good, you can delete your account.

Beware: Once you cross this line, there’s no going back. Your photos, posts, and messages will disappear, so you may want to save that and other data by downloading your personal information first. Facebook will generate a copy of your personal archive and send it via an email with a link to a .zip file. Be sure to save that file before you hit “delete.”

Again, if you use your Facebook log-in to access third-party apps and sites, you may also want to create new log-ins and passwords for these accounts that so you don’t lose access. Check out the Apps section in Settings for a complete list of apps and websites linked to your Facebook account.

When you’re ready to make your grand exit, it’s relatively simple: Go to this page and click “Delete my account.”

The decision won’t take effect immediately; Facebook delays erasing your account for 30 days to give you time to change your mind. If you log back in to your account during that stretch, your deletion request will be canceled. It may take up to 90 days from the start of the deletion process for all your information to be deleted from Facebook’s backup systems, according to the company.

Keep in mind that it’s hard to be sure you’ve scrubbed yourself completely from every Facebook platform: Messages you’ve sent to friends will still be visible in their inboxes, for example, and any posts you’ve made in groups will remain unless you delete them before cutting ties with Facebook.

Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed. 

Headshot image of Electronics editor Thomas Germain

Thomas Germain

I want to live in a world where consumers take advantage of technology, not the other way around. Access to reliable information is the way to make that happen, and that's why I spend my time chasing it down. When I'm off the clock, you can find me working my way through an ever-growing list of podcasts. Got a tip? Drop me an email ( thomas.germain@consumer.org) or follow me on Twitter ( @ThomasGermain) for my contact info on Signal.