No, Netflix and Spotify weren't spying on your Facebook Messenger account
The social network people once couldn’t stay away from is becoming the one people love to hate—and in some cases, leave.
Why the dislike for Facebook (FB)? Pick your poison: Ignoring Russian disinformation campaigns, leaving your data exposed to the likes of Cambridge Analytica, tolerating scammers on its site and so on. But one of the latest criticisms—that Facebook let other firms read your private correspondence—looks like a misunderstanding of some messaging basics.
Getting hung up on that will not only prime you to fall for the next big techno-panic episode; it will also distract you from the other, real mistakes Facebook keeps making that provide plenty of reason to #deletefacebook, or at least cut down on your time there.
Storing versus reading
Facebook’s latest earned misery involves a New York Times report unpacking deals the company struck beginning in 2010 that were meant to tailor your experience on other sites to your Facebook use, in order to boost Facebook’s precious user engagement.
The Times found this gave more data than advertised to firms including Microsoft (MSFT), Amazon (AMZN), Netflix (NFLX), Spotify (SPOT) Yahoo (formerly this site’s parent firm) and the Times itself. Perhaps the scariest such finding: Facebook “gave Netflix and Spotify the ability to read Facebook users’ private messages.”
That suggests the video and music apps could see everything you shared via your Facebook chats.
But as a subsequent Times piece and a Facebook blog post clarified, the feature actually enabled users to use Facebook Messenger inside Netflix and Spotify, so that users of those services could send their Facebook pals advice about what to watch or listen to next.
Having your messages land on another site does theoretically allow that site’s management to read them (something Netflix and Spotify denied), but that’s true of email in general. It usually parks your messages on somebody else’s computer.
Consider, for instance, Google (GOOG, GOOGL). Does letting other mail services like Apple’s (AAPL) Mail and Microsoft’s (MSFT) Outlook read, write and delete Gmail messages amount to Google giving Apple and Microsoft the ability to read all of your mail? No. It just means you’ve got another way to get to your messages; even in Apple and Microsoft’s webmail, nobody else is sifting through them.
The same goes for Facebook’s abandoned 2010 plan to turn its messaging system into an email-compatible service you could reach through other mail apps.
The way to stop a service that stores your messages from reading them is end-to-end encryption…which Facebook, unlike most, has offered since 2016.
Oversharing is a real problem
But the Times’ reporting provides other reasons to resent Facebook, starting with the overall carelessness on display. Years after Facebook had ended these deals, some of these partners could still access information they no longer used.
That invites disaster. The abandoned interface you leave open can easily become the small thermal exhaust port that an attacker exploits.
Facebook’s first response on its corporate blog acknowledged that error, saying “we’ve recognized we’ve needed tighter management over how partners and developers can access information.”
Facebook also showed dismal judgment in granting this special access to the Russian search engine Yandex (the announcement remains on Facebook’s site, blandly headlined “Yandex and Facebook Strike a Deal”) in 2010. By then, a decade of Vladimir Putin’s oppressive rule had crumpled civil liberties in the country, and Yandex has since found itself under increasing government pressure to turn over information about dissidents.
And not for the first or last time, Facebook didn’t seem to think about data minimization at all. Instead of limiting a Netflix or Spotify user to sending “you’ve gotta check this out!” messages that they could discuss back in Facebook Messenger, Facebook replicated the entire Messenger experience.
It’s possible for a social network to invite third-party apps but limit their data access to only what is necessary. Look at how many Twitter (TWTR) applications request read-only access to your data, which is all they need for routine verification and analytics.
What’s left for Facebook to do
Facebook needs to document how all these admitted errors happened and how far your data traveled—then throw its support behind a strong federal privacy law that will constrain it, Google, Amazon and future tech companies.
But it’s transparency that Facebook has consistently balked at when asked about things like its creepily-accurate ad targeting and off-putting “People You May Know” recommendations.
As Facebook’s former chief security officer Alex Stamos tweeted Tuesday: “What they really need is a table that gets updated over the next several days that lists the company, the kind of integration, what data was accessible, what steps a user took to activate the integration, and when/whether it was shut down.”
Companies that have banked a balance of trust with customers can get away with variations of “we’re sorry and we’ve learned.” But Facebook is burning that balance down to ashes, and yet another round of stone-faced apologies and full-page-ad pledges to do better won’t cut it.
More from Rob:
Facebook wants to give you a way to fight having your posts taken down
Google Maps will now help you find Lime scooters
Microsoft is asking the government to regulate the company’s facial recognition technology
Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.
