For example, Facebook gave Amazon extended access to user data because it was spending money on Facebook advertising and partnering with the social network on the launch of its Fire smartphone. In another case, Facebook discussed cutting off access to user data for a messaging app that had grown too popular and was viewed as a competitor, according to the documents.
All the while, Facebook was formulating a strategy to publicly frame these moves as a way of protecting user privacy.
Private communication between users is “increasingly important,” Zuckerberg said in a 2014 New York Times interview. “Anything we can do that makes people feel more comfortable is really good.”
But the documents show that behind the scenes, in contrast with Facebook’s public statements, the company came up with several ways to require third-party applications to compensate Facebook for access to its users’ data, including direct payment, advertising spending and data-sharing arrangements. While it’s not unusual for businesses that are working together to share information about their customers, Facebook has access to sensitive data that many other companies don’t possess.
Facebook ultimately decided not to sell the data directly but rather to dole it out to app developers who were considered personal “friends” of Zuckerberg or who spent money on Facebook and shared their own valuable data, the documents show.
Facebook denied that it gave preferential treatment to developers or partners because of their ad spending or relationship with executives. The company has not been accused of breaking the law.
About 400 of the 4,000 pages of documents have previously been reported by other media outlets, and also by a member of the British Parliament who has been investigating Facebook’s data privacy practices in the wake of the Cambridge Analytica scandal. However, this cache represents the clearest and most comprehensive picture of Facebook’s activities during a critical period as the company struggled to adapt to the rise of smartphones following its rocky debut as a public company.
The thousands of newly shared documents were anonymously leaked to the British investigative journalist Duncan Campbell, who shared them with a handful of media organizations: NBC News, Computer Weekly and Süddeutsche Zeitung. Campbell, a founding member of the International Consortium of Investigative Journalists, is a computer forensics expert who has worked on international investigations including on offshore banking and big tobacco. The documents appear to be the same ones obtained by Parliament in late 2018 as part of an investigation into Facebook. Facebook did not question the authenticity of the documents NBC News obtained.
U.K. lawmaker Damian Collins releases seized Facebook emails, claims company lacks ‘straight answers’
The documents stem from a California court case between the social network and the little-known startup Six4Three, which sued Facebook in 2015 after the company announced plans to cut off access to some types of user data. Six4Three’s app, Pikinis, which soft-launched in 2013, relied on that data to allow users to easily find photos of their friends in bathing suits.
Facebook has acknowledged that it considered charging for access to user data. But Facebook has challenged the significance of those discussions, telling the Wall Street Journal last year and NBC News this month that the company was merely mulling various business models.
Facebook has also repeatedly said that the documents had been “cherry-picked” and were misleading. Facebook reiterated this stance when NBC News contacted the social media company for comment on the newly leaked documents.
“As we’ve said many times, Six4Three — creators of the Pikinis app — cherry picked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app’s users,” Paul Grewal, vice president and deputy general counsel at Facebook, said in a statement released by the company.
“The set of documents, by design, tells only one side of the story and omits important context. We still stand by the platform changes we made in 2014/2015 to prevent people from sharing their friends’ information with developers like the creators of Pikinis. The documents were selectively leaked as part of what the court found was evidence of a crime or fraud to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we’ve never sold people’s data.”
The finding of “evidence of a crime or fraud” came from a preliminary decision by the judge in the Six4Three case about an earlier round of leaked documents.
NBC News has not been able to determine whether the documents represent a complete picture. Facebook declined to provide additional evidence to support the claim of cherry-picking.
Still, these freshly leaked documents show that the plans to sell access to user data were discussed for years and received support from Facebook’s most senior executives, including Zuckerberg, chief operating officer Sheryl Sandberg, chief product officer Chris Cox and VP of growth Javier Olivan. Facebook declined to make them available for comment.
After NBC News contacted Facebook for comment, Facebook’s lawyers wrote to the judge in the Six4Three case, claiming that Six4Three had leaked the documents to a “national broadcast network” and seeking to depose Six4Three’s founders. NBC News received the documents from Campbell, who received them from an anonymous source. Six4Three denied leaking the documents.
Facebook’s 2018 timeline: Scandals, hearings and security bugs
When Facebook ultimately cut off broad access to user data in 2015, the move contributed to the decline of thousands of competitors and small businesses that relied on what Facebook had previously described as a “level-playing field” in terms of access to data. In addition to Pikinis, the casualties included Lulu, an app that let women rate the men they dated; an identity fraud-detecting app called Beehive ID; and Swedish breast cancer awareness app Rosa Bandet (Pink Ribbon).
The strategy orchestrated by Zuckerberg had some of his employees comparing the company to villains from Game of Thrones, while David Poll, a senior engineer, called the treatment of outside app developers “sort of unethical,” according to the documents. But Zuckerberg’s approach also earned admiration: Doug Purdy, Facebook’s director of product, described the CEO as a “master of leverage,” according to the documents.
Facebook declined to comment on these employee communications.
A PRIVACY MYTH
One of the most striking threads to emerge from the documents is the way that Facebook user data was horse-traded to squeeze money or shared data from app developers.
In the wake of the Cambridge Analytica scandal in early 2018 and raising awareness of the Six4Three case, Facebook has attempted to frame changes it made to its platform in 2014 and 2015 as being driven by concerns over user privacy. In statements to media organizations, Facebook has said it locked down its platform to protect users from companies that mishandled user data, such as Cambridge Analytica, as well as apps that spammed users’ news feeds or were creepy, such as Six4Three’s bikini-spotting app Pikinis.
Mark Zuckerberg to shift Facebook toward a ‘privacy-focused’ platform
However, among the documents leaked, there’s very little evidence that privacy was a major concern of Facebook’s, and the issue was rarely discussed in the thousands of pages of emails and meeting summaries. Where privacy is mentioned, it is often in the context of how Facebook can use it as a public relations strategy to soften the blow of the sweeping changes to developers’ access to user data. The documents include several examples suggesting that these changes were designed to cement Facebook’s power in the marketplace, not to protect users.
In Six4Three’s case, for example, Facebook’s head of policy Allison Hendrix acknowledged in a June 2017 deposition obtained by NBC News that the social network never received any complaints about the Pikinis app, nor did Facebook send Six4Three any policy or privacy violation notices. Six4Three, Hendrix confirmed, was playing within the rules Facebook had set for developers.
Despite this, Six4Three’s access to data, specifically access to a user’s friends’ photos, was cut off in April 2015 as part of sweeping changes to Facebook’s platform announced a year earlier, which affected as many as 40,000 apps. Six4Three shut down the app soon afterward.
“Our case is about Zuckerberg’s decision to weaponize the reliance of companies on his purportedly neutral platform and to weaponize the private and sensitive data of billions of people,” said Six4Three founder Ted Kramer.
A TURNING POINT FOR FACEBOOK
Facebook recognized early on that working with third-party app developers could help make the social network more interesting and drive the platform’s expansion. Beginning in early 2010, Facebook created tools that allowed the makers of games (remember Farmville?) and other apps to connect with its audience in return for ensuring those users spent more time on Facebook.
Facebook achieved this through its “Graph API” (Application Programming Interface), a common means to allow software programs to interact with each other. In Facebook’s case, this meant that third-party apps such as games could post updates on people’s profiles, which would be seen by players’ friends and potentially encourage them to play, too. Beyond that, it allowed the makers of those games to access a slew of data from Facebook users, including their connections to friends, likes, locations, updates, photos and more.
The Graph API — and particularly the way it let third parties promote their products to and extract data from a user’s social connections — was a key feature of Facebook that Six4Three and thousands of other companies relied upon for viral marketing and user growth.
However, after a few years, Facebook decided the app developers were getting more value from the user data they extracted from Facebook than Facebook was getting out of the app developers, the documents show.
After Facebook went public in May 2012, its stock price plummeted, which Zuckerberg later characterized as “disappointing.” The company was in a desperate position, documents show, with users sharing fewer photos and posts on the platform as they spent more time on their cellphones. An internal Facebook presentation looking back at this period used the phrase “terminal decline” to describe the fall in engagement.
Facebook executives, including Zuckerberg and Sandberg, spent months brainstorming ways to turn the company around. An idea that they kept returning to: make money from the app partners, by charging them for access to Facebook’s users and their data.
‘SELL DATA FOR $”
Several proposals for charging developers for access to Facebook’s platform and data were put forward in a presentation to the company’s board of directors, according to emails and draft slides from late August 2012.
Among the suggestions: a fixed annual fee for developers for reviewing their apps; an access fee for apps that requested user data; and a charge for “premium” access to data, such as a user trust score or a ranking of the strongest relationships between users and their friends.
“Today the fundamental trade is ‘data for distribution’ whereas we want to change it to either ‘data for $’ and/or ‘$ for distribution,’” Chris Daniels, a Facebook business development director, wrote in an August 2012 email to other top leaders in the company discussing the upcoming presentation.
Discussions continued through October, when Zuckerberg explained to close friend Sam Lessin the importance of controlling third-party apps’ ability to access Facebook’s data and reach people’s friends on the platform. Without that leverage, “I don’t think we have any way to get developers to pay us at all,” Zuckerberg wrote in an email to Lessin.
In the same week, Zuckerberg floated the idea of pursuing 100 deals with developers “as a path to figuring out the real market value” of Facebook user data and then “setting a public rate” for developers.
“The goal here wouldn’t be the deals themselves, but that through the process of negotiating with them we’d learn what developers would actually pay (which might be different from what they’d say if we just asked them about the value), and then we’d be better informed on our path to set a public rate,” Zuckerberg wrote in a chat.
Facebook told NBC News that it was exploring ways to build a sustainable business, but ultimately decided not to go forward with these plans.
“I just can’t think of any instances where that data has leaked from developer to developer and caused a real issue for us.”
Zuckerberg was unfazed by the potential privacy risks associated with Facebook’s data-sharing arrangements.
“I’m generally skeptical that there is as much data leak strategic risk as you think,” he wrote in the email to Lessin. “I think we leak info to developers but I just can’t think of any instances where that data has leaked from developer to developer and caused a real issue for us.”
Facebook told NBC News that this was an example of a cherry-picked email designed to bolster Six4Three’s case.
Zuckerberg didn’t know it at the time, but a privacy bug affecting an unnamed third-party app would create precisely this kind of strategic risk the following year, according to a panicked chatlog between Michael Vernal, who was director of engineering, and other senior employees.
It’s not clear exactly what happened or which app was involved, but it appears that Zuckerberg’s private communications could have leaked from Facebook to the external app in an unexpected way.
Vernal said that it “could have been near-fatal for Facebook platform” if “Mark had accidentally disclosed earnings ahead of time because a platform app violated his privacy.”
“Holy crap,” replied Avichal Garg, then director of product management.
“DO NOT REPEAT THIS STORY OFF OF THIS THREAD,” added Vernal. “I can’t tell you how terrible this would have been for all of us had this not been caught quickly.”
Vernal and Garg did not respond to requests for comment.
‘GOOD FOR THE WORLD’ BUT NOT ‘GOOD FOR US’
In late November 2012, Zuckerberg sent a long email to Facebook’s senior leadership team saying that Facebook shouldn’t charge developers for access to basic data feeds. However, he said that access to Facebook data should be contingent on the developers sharing all of the “social content” generated by their apps back to Facebook, something Zuckerberg calls “full reciprocity.”
The existing arrangement, where developers weren’t required to share their data back with Facebook, might be “good for the world” but it’s not “good for us,” Zuckerberg wrote in the email.
He noted that though Facebook could charge developers to access user data, the company stood to benefit more from requiring developers to compensate Facebook in kind — with their own data — and by pushing those developers to pay for advertising on Facebook’s platform.
