Facebook Explains Why Third-Party Apps Had Access to Messages

Back on December 19th, Facebook published a press release hoping to clarify the nature of several key partnerships, which among other potential issues, may have provided unwanted access to users’ private messaging data. The announcement came one day after the New York Times published a story claiming that Facebook had been providing this undisclosed access to partners for years. In an interesting twist, the New York Times was one of the companies provided access to this data.

Facebook’s explanation was brief and focused on four partners that it had worked with to build messaging integrations that would allow users to easily communicate with their Facebook friends directly in third party applications. The company noted that read/write/delete access was necessary to provide this functionality, and that access was only granted after users authorized access via Facebook Login. Discussing the partnerships Facebook said:

These experiences were publicly discussed. And they were clear to users and only available when people logged into these services with Facebook. However, they were experimental and have now been shut down for nearly three years.

Later in the article, Facebook explains that these partnerships “were agreed via extensive negotiations and documentation, detailing how the third party would use the API, and what data they could and couldn’t access.” It is interesting to note that Facebook does not mention any of these negotiations including end users. Although we have no evidence to support the idea that this data was ever mishandled, Facebook’s recklessness with user information is concerning to all.

The New York Times highlighted how seemingly innocuous this access can appear initially. Back in 2008 the company was developing a feature that incorporated Facebook friend lists and allowed users to easily share stories. The feature was shut down in 2011, but the company still had access to this information until 2017. A spokeswoman for the Times claims that they were unaware of the access and that no data was received. 

Be sure to read the next Security article: Telegram Bot API Compromised by GoodSender Malware


Comments (0)