Published Facebook documents expose data sharing agreements, Android firmware exploits


The UK Parliament has published 250 pages of internal Facebook documents seized from Six4Three. They show Facebook's directors treating user data as a commodity with which to build the business, and knowingly using Android's permission mechanism to collect sensitive data from outside Facebook.

A summary of the documents revealed that the platform had adopted a series of exploitative practices, including the strategic whitelisting of apps, the use of friends' data in commerce, the exploitation of Android permissions and the systematic targeting of rival apps.

Whitelisting was prevalent for the friends' data API, allowing companies such as Badoo, Bumble, Netflix and Airbnb to receive special APIs for hashed friends access. The report contends this was done because only those apps were capable of generating revenue, traffic and overall growth for the Facebook platform. Badoo specifically used its profitability to convince Facebook to whitelist it on the friends data API.

"We have been compelled to write to you to explain the hugely detrimental effect that removing friend permissions will cause to our hugely popular (and profitable) applications Badoo and Hot or Not," an email from Badoo to Facebook reads. "The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps)."

Facebook developed a new, personalised API within a week.

However, apps Facebook deemed to be rivals had their access to its platform revoked, in a clear attempt to kill them off. For example, the report revealed that the hugely popular Vine platform, which shuttered in late 2016, had its access to the friends data API revoked. In January 2013, an email from Justin Osofsky, a Facebook vice president, alerted Mark Zuckerberg to the launch of Vine, a Twitter-owned app, and proposed revoking its access because Vine used Facebook's API to let users find their friends. Zuckerberg replied succinctly: "Yup, go for it."

What's more, the documents support the long-held belief that Facebook was operated from the top down to treat customer data as a commodity, something that the company has been criticised for in the past.

In further email communications between Zuckerberg and an engineer, a new revenue model is discussed, built on charging developers for reading user data, including friends' data.

"The basic idea is that any other revenue you generate for us earns you a credit towards whatever fees you owe us for using platform," said Zuckerberg. "For most developers, this would probably cover cost completely. So instead of everyone paying us directly, they'd just use our payments or ads products. A basic model could be: Login with Facebook is always free, Pushing content to Facebook is always free, Reading anything, including friends, costs a lot of money. Perhaps on the order of $0.10/user each year."

Facebook, in a fiery rebuttal on its blog, said the 'cherrypicked' quotes from the seized documents showed only an initial plan: the model it actually adopted is not the one set out above, and the developer platform remains free.

However, the published emails also show that Facebook used Android's permission mechanism to gain access to users' call and text logs, and made it as difficult as possible for users to realise that this was happening.

"[The growth team] are going to include the 'read call log' permission, which will trigger the Android permissions dialog on update, requiring users to accept the update," said Michael Lebeau, a Facebook product manager, in an email discussion. "They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK (people you may know), coefficient calculation, feed ranking etc. This is a pretty high-risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."
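The email above describes adding a new permission to the app's manifest so that the Android update prompt asks users to accept it (on Android versions before 6.0, or for apps targeting API level 22 or lower, permissions are granted at install or update time rather than at runtime). A practitioner reviewing an app update can catch exactly this kind of change by diffing the permissions the old and new manifests request. The script below is an added example, not code from the article or from Facebook; the two manifests in it are constructed for illustration, and the set of "sensitive" permissions is a hand-picked subset of Android's dangerous permissions, not the full list.

```python
"""Diff the permissions requested by two Android manifests and flag newly
added ones that expose call, SMS or contact data.

Added example. The manifests are constructed; decode a real APK's binary
AndroidManifest.xml first (e.g. with apktool) before feeding it in.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
TARGET_SDK_ATTR = "{%s}targetSdkVersion" % ANDROID_NS

# Hand-picked subset of Android "dangerous" permissions touching communications.
SENSITIVE = {
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifests: an "old" app version and an update that quietly
# adds call-log and SMS access.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def target_sdk(manifest_xml):
    """Return android:targetSdkVersion from <uses-sdk>, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter("uses-sdk"):
        value = el.get(TARGET_SDK_ATTR)
        if value is not None:
            return int(value)
    return None


def flag_update(old_xml, new_xml):
    """Compare two manifests and report permissions the update newly requests.

    'install_time_prompt' is True when the new version targets API < 23, i.e.
    the added permissions surface in the install/update prompt rather than a
    runtime request, which is the situation the email above describes.
    """
    added = sorted(requested_permissions(new_xml) - requested_permissions(old_xml))
    sdk = target_sdk(new_xml)
    return {
        "added": added,
        "sensitive": [p for p in added if p in SENSITIVE],
        "install_time_prompt": sdk is not None and sdk < 23,
    }


if __name__ == "__main__":
    report = flag_update(OLD_MANIFEST, NEW_MANIFEST)
    for perm in report["added"]:
        marker = "!!" if perm in SENSITIVE else "  "
        print("%s new permission: %s" % (marker, perm))
    if report["install_time_prompt"]:
        print("targetSdkVersion < 23: these will appear in the update prompt")
```

For a real APK, `aapt dump permissions app.apk` lists the same `uses-permission` entries without decoding the manifest yourself; the script's value is the diff and the targetSdkVersion check, which tells you whether a user would have seen the new permission at update time or only when the app first asks at runtime.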

In Facebook's blog post response, the company said: "As we've said many times, Six4Three, creators of the Pikinis app, cherrypicked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app's users. The set of documents, by design, tells only one side of the story and omits important context.

"The documents were selectively leaked to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data."

Damian Collins, the MP who chairs the committee that released the documents, took to Twitter to explain why the publication went ahead.

The landmark publication follows weeks of uncertainty about what potentially damaging information the documents contained. They were initially seized by Parliament's Serjeant-at-Arms at a London hotel from the founder of Six4Three, an American app developer which is in the middle of a lawsuit with Facebook in California. The developer had originally obtained the documents through legal discovery for its own case.

Connor Jones
Contributor
