Facebook has faced scrutiny following revelations about its data sharing practices, including the inappropriate sharing of user data with over 60 device manufacturers such as Amazon, Apple, Microsoft, BlackBerry, and Samsung. A detailed report published by The New York Times outlined these partnerships, which aimed to incorporate Facebook features like messaging functions and “Like” buttons into devices without requiring users to install separate applications.
These agreements, established over the past decade, predate the proliferation of smartphone apps. Notably, the data-sharing arrangements potentially violate a 2011 consent decree from the Federal Trade Commission (FTC), which restricted Facebook from granting access to users’ friends’ data without explicit user consent.
The controversy erupted amid the Cambridge Analytica scandal, during which the social media giant disclosed that it had halted third-party access to user data in 2015 but inferred that this limitation did not apply to hardware manufacturers. The misuse of data belonging to 87 million users by Cambridge Analytica has intensified the scrutiny of Facebook’s data governance policies.
An investigation by a New York Times journalist using an older BlackBerry device revealed that the “Hub” app could still collect personal data from 556 friends, including politically sensitive information. Furthermore, it could acquire identifying information about nearly 294,258 contacts related to these friends.
In response to the report, Facebook issued a statement highlighting its commitment to user privacy. The company’s VP of Product Partnerships, Ime Archibong, asserted that the APIs developed for device manufacturers were essential for delivering Facebook features at a time when app ecosystems were not yet established. Facebook maintained that it governed these APIs closely, enforcing agreements to ensure that partners could only use user data for enhancing their devices’ Facebook-like functionalities.
Archibong contended that friends’ information was accessible on devices only when users consented to share it, denying claims of misuse. He noted that as mobile platforms like iOS and Android gained prominence, the necessity for these partnerships dwindled, prompting Facebook to discontinue 22 of the partnerships as of April.
This incident serves as a compelling case study in data governance and in the vulnerabilities that can arise from lax data-sharing agreements. Several tactics in the MITRE ATT&CK Matrix are relevant to these dynamics and may have been employed: initial access through partnered device manufacturers, and persistence and privilege escalation through the exploitation of user permissions to access friends’ data.
As businesses navigate the complex landscape of data privacy, the implications of this incident underscore the necessity for robust cybersecurity frameworks that not only protect user information but also ensure compliance with regulatory standards in an increasingly scrutinized digital economy.