Facebook Inc. struck customized data-sharing deals that gave select companies special access to user records well after the point in 2015 that the social network has said it walled off that information, according to court documents, company officials and people familiar with the matter.
Continue Reading Below
Some of the agreements, known internally as "whitelists," also allowed certain companies to access additional information about a user's Facebook friends, the people familiar with the matter said. That included information like phone numbers and a metric called "friend link" that measured the degree of closeness between users and others in their network, the people said.
The whitelist deals were struck with companies including Royal Bank of Canada and Nissan Motor Co., who advertised on Facebook or were valuable for other reasons, according to some of the people familiar with the matter. They show that Facebook gave special data access to a broader universe of companies than was previously disclosed. They also raise further questions about who has access to the data of billions of Facebook users and why they had access, at a time when Congress is demanding the company be held accountable for the flow of that data.
Many of these customized deals were separate from Facebook's data-sharing partnerships with at least 60 device makers, which it disclosed this week. Several lawmakers and regulators have said those device-maker arrangements merit further investigation.
Facebook officials said the company struck a small number of deals with developers largely to improve the user experience, test new features and allow certain partners to wind down previously existing data-sharing projects. The company said it allowed a "small number" of partners to access data about a user's friends after the data was shut off to developers in 2015. Many of the extensions lasted weeks and months, Facebook said. It isn't clear when all of the deals ultimately expired or how many companies got extensions.
The vast majority of developers who plugged into Facebook's platform weren't aware that the company offered this preferred access or extensions to certain partners, according to the people familiar with the matter.
Ime Archibong, Facebook's vice president of product partnerships, said in an interview Friday that the company maintained a "consistent and principled approach to how we work with developers over the course of the past 11 years."
Mr. Archibong added that were some cases where the company worked "more closely" with individual developers to test new features or when winding down products. "But we have been extremely, I would say, persistent and objective around how we worked with developers," he added.
Privacy experts said Facebook users likely didn't know how their data was being shared. "I don't think anyone would have a reasonable understanding of how widespread this was," said David Vladeck, director of the Federal Trade Commission's Consumer Protection Bureau from 2009 until 2013 and now a professor at Georgetown Law.
Mr. Vladeck said any deals made after 2012 could draw scrutiny about whether Facebook was in violation of its settlement that year with the FTC, under which the company is required to give the social network's users clear and prominent notice and obtain their express consent before sharing their information beyond their privacy settings. Facebook said Friday it hasn't violated the settlement.
The revelations come as Facebook is dealing with the fallout in March related to the use of personal data by Cambridge Analytica, a political analytics firm that aided President Donald Trump's 2016 presidential campaign and purchased data on 87 million users from another developer. The crisis sparked questions about Facebook's lax oversight of its platform, an FTC probe into whether the company violated the 2012 settlement and two congressional appearances by Facebook Chief Executive Mark Zuckerberg in April.
In his testimony before Congress, Mr. Zuckerberg said Facebook moved to eliminate broad access to information about users' friends in 2014. Developers had until May 2015 to comply with the rules. The move was a harsh blow to developers, forcing a number of apps to shut down without access to the data. Others had to find workaround solutions to continue operating.
On Friday, the company acknowledged that a subset of companies were given extensions beyond May 2015.
"As we were winding down over the year, there was a small number of companies that asked for short-term extensions, and that, we worked through with them," Facebook's Mr. Archibong said. "But other than that, things were shut down."
Facebook's relationships to outside developers have shifted over time as it made key adjustments to how it shares data.
In 2007, Facebook started allowing developers to tap its so-called social graph, including crucial information about a user's friends. Unlike advertisers, developers didn't have to pay for this information, giving rise to a new generation of startups built on social connections.
This arrangement also made Facebook increasingly central to its users' daily lives, despite objections from privacy groups and some users about potential abuses of that data. By 2014, developers could access about 30 different data points about users' friends, including places they checked into, education history and religious and political affiliation.
Early on, Facebook brokered special deals with certain companies, some people with knowledge of the deals said. "Ninety-nine percent of developers were treated the same, but 1% got special treatment because they accounted for all the value of the platform," one former Facebook employee said, referring to popular apps and services that attracted users.
Eventually, Facebook set up internal teams dedicated to brokering and developing customized data deals.
After Facebook said it would restrict outsiders' access to user data, several companies approached it about gaining continued access. One granted an extension was Royal Bank of Canada, which created an app that allowed RBC users to send money to one another -- similar to Venmo, a startup now owned by PayPal Inc. RBC was granted a six-month extension after the May 2015 deadline Facebook imposed on developers when it shut off data access, an RBC spokesman said.
"We take seriously our responsibility to protect customer privacy and we do not share individual client information with Facebook or other advertisers," the spokesman said.
Nuance Communications, based in Burlington, Mass., was given a six-month extension to continue accessing user data -- specifically for a special news feed it had built on behalf of client Fiat Chrysler Automobiles NV, according to a person familiar with the matter. The company signed a nondisclosure agreement in return for the additional access, this person said.
A spokeswoman for Nuance and a spokesman for Fiat declined to comment.