Update, December 19 at 5:12 p.m. ET: A spokesperson from Netflix reached out to Android Authority to deny claims that it had read users’ private messages. The full comment can be found below:
Over the years we have tried various ways to make Netflix more social. One example of this was a feature we launched in 2014 that enabled members to recommend TV shows and movies to their Facebook friends via Messenger or Netflix. It was never that popular so we shut the feature down in 2015. At no time did we access people’s private messages on Facebook, or ask for the ability to do so.
In addition, we have updated the title to reflect the changes.
Original article, December 19 at 8:06 a.m. ET: Facebook has endured a tumultuous 2018 in the wake of the Cambridge Analytica scandal, government hearings, and a host of other privacy-related matters. But the bad news isn’t over just yet, as it transpires the company may have given tech firms access to your most confidential information.
According to the New York Times, citing internal documents and interviews with former employees, the social network gave tech companies deep access to user data. One example cited by the outlet was Microsoft’s Bing search engine being able to see the names of all your Facebook friends without your consent.
But probably the most invasive move cited in the story was Facebook’s decision to let Spotify and Netflix read your private messages. The outlet reported that the two companies, along with the Royal Bank of Canada, also had the ability to write and delete users’ private messages.
Why would firms need these privileges?
Netflix and Spotify representatives told the New York Times that they didn’t know they had access to these abilities, while a Royal Bank of Canada spokesperson disputed the claim outright.
The New York Times noted Spotify lets users share music via Facebook Messenger — a feature that might require read/write access to a user’s messages. But it added that Netflix and the Royal Bank of Canada no longer have features that might require this permission. Additionally, the New York Times noted that these privileges “appeared to go beyond what the companies needed to integrate Facebook into their systems.”
The publication also took Facebook to task for not directly telling users it was sharing user data with partners. “Many of the partners’ applications never even appeared in Facebook’s user application settings,” the Times noted.
Facebook director of developer platforms and programs Konstantinos Papamiltiadis responded to the claims in a blog post. The executive confirmed that partners gained access to messages, but said that “people had to explicitly sign in to Facebook first to use a partner’s messaging feature.”
The executive used Spotify as an example: “After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.”
Nevertheless, even if these permissions were indeed required in order to enable a partner’s functionality, it doesn’t explain why the likes of Netflix and Royal Bank of Canada still had these controls. After all, if you don’t have features that require these permissions, then you don’t need said permissions in the first place, right? It also doesn’t explain why many partner applications don’t appear in a Facebook user’s app settings menu, as the outlet claims.
A Facebook spokesperson told the New York Times it found no evidence of data abuse by its partners. But the spokesperson also acknowledged that they had failed to revoke access to certain privileges when companies no longer needed them.
To be fair, it’s not unheard of for an app to require permissions related to your messages. For example, third-party SMS apps need read/write/delete permissions in order to fulfill its duties. Some apps running on older versions of Android require the ability to read text messages in order to automatically fill one-time PINs. However, these permissions are usually clearly communicated to the user upon installation or when they’re required for the first time — and you can always visit your settings menu to revoke access.