Awkward... Revealed Facebook emails show plans for data slurping, selling access to addicts' info, crafty PR spinning

Brit parliamentarians dump documents on the internet

Analysis Emails released today reveal Facebook CEO Mark Zuckerberg discussing how to squeeze more cash from companies hoping to tap into the platform's goldmine of personal data on a billion-plus people.

And the memos show staff deliberately hid the amount of data the Facebook Android app was slurping, and Zuck personally giving the OK to shut down Twitter's access to the Friends API after it acquired video-hosting service Vine.

These emails were published by the British Parliament's Digital, Culture, Media and Sport Select Committee after the panel seized them from a US exec, Ted Kramer, who was visiting London last month.

Kramer obtained the documents during the discovery phase of a bitter legal battle between Facebook and his bikini-picture app biz Six4Three, which alleges Facebook behaved in an anti-competitive and misleading way. After arriving on Blighty's soil, he was ordered by the committee to hand over copies of these files, seeing as the panel is investigating Facebook's activities.

Damian Collins, chairman of the Commons committee, issued a brief note at the top of the 250-page document setting out what he sees as the main issues.

These include whitelisting certain third-party apps so that they could access profile information of their users' friends seemingly without permission. When you granted an app access to your Facebook account, it got its hands on your personal info. Crucially, though, it's known that Facebook was a little loose in protecting the privacy of your friends, offering apps a chance to peek at their profiles, too, seemingly without consent.

A number of the emails come direct from the big cheese himself, with messages revealing how Zuckerberg mulled milking fees from advertisers and other businesses that were interested in slurping data from Facebook user profiles, while others are internal discussions between FB execs.

Most of the conversations are from 2012 and 2013, prior to the rollout of version 3.0 of its Graph API, which third-party Facebook apps use to extract information from their users. This API was overhauled to limit access and avoid more bad headlines, like the ones generated by data-gobbling Cambridge Analytica.

It's also important to note that the committee's MPs, who have chosen which parts of the Six4Three cache to release, are very keen to prove Facebook is a bad apple – not to mention they are smarting from repeated rejections by Zuck, who had been asked to attend their hearings. Something to keep in mind.

Data in exchange for what?

Emails that link Zuckerberg to revenue discussions, mostly in autumn 2012, show he had been "thinking about platform business model a lot" and considered making it so that devs can generate revenue for Facebook, "then it makes it more acceptable for us to charge them quite a bit more for using [the] platform."

The idea would be that any other revenue earned for Facebook by developers would earn them credits towards fees owed for accessing the social network and its users. "So instead of every[one] paying us directly, they'd just use our payments or ads products," he said, proposing a model with login being free, pushing content to FB being free, but that reading anything, including friends' data, “costs a lot of money. Perhaps on the order of $0.10/user each year."

In other words, proposals to charge app makers, one way or another, to peek at users' and their friends' profiles.

Later that month, he sent an email to colleagues saying he was “getting more on board with locking down some parts of platform, including friends data and potentially email addresses for mobile apps. Without limiting distribution or access to friends who use this app, I don’t think we have any way to get developers to pay us at all besides offering payments and ad networks."

In that same email – and in words he surely lived to regret – he said he was “generally sceptical that there is as much data leak strategic risk as you think." He said: “I agree there is clear risk on the advertiser side, but I haven’t figured out how that connects to the rest of the platform. I think we leak info to developers, but I just can’t think of any instances where that data has leaked from developer to developer and caused a real issue for us.”

'It might be good for the world, but it's not good for us'

In an email from November 2012, Zuckerberg's thoughts had progressed to the idea of data reciprocity – if companies build services on Facebook's platform, they should share their data with the antisocial network giant.

"The quick summary is that I think we should go with full reciprocity and access to app friends for no charge," said Zuck. "Full reciprocity means that apps are required to give any user who connects to FB a prominent option to share all of their social content within that service back... to Facebook."

He acknowledged that sometimes the best way for people to share stuff on Facebook is to have a software maker build a special purpose app, and have Facebook plug into it. However, he said, "that may be good for the world but it’s not good for us unless people also share back to Facebook and that content increases the value of our network. So ultimately, I think the purpose of platform – even the read side – is to increase sharing back into Facebook.”

A separate discussion, which was reported last week, involved Facebook's Konstantinos Papamiltidas discussing whether to sell access to user data, telling a colleague to find out if and what a firm spent on its new ad platform:

Communicate in one-go to all apps that don’t spend that those permission will be revoked. Communicate to the rest that they need to spend on NEKO $250k a year to maintain access to the data.

Facebook has repeatedly denied it ever considered selling user data – and so, despite the fact it didn’t actually follow through with this idea, the proposal has been seized by critics as evidence of the Silicon Valley titan's dishonesty.

'This will have dire consequences for our partnership'

Other emails seemingly show Facebook discussing how to get some apps whitelisted, to ensure they could have continued access to friends-of-users. The cache contains a number of documents from companies complaining that the Graph API change had damaged their business model – and shows them being whitelisted.

Dating biz Badoo said: “The friends data we receive from users is integral to our product (and indeed a key reason for building Facebook verification into our apps).”

In response, a series of emails from Papamiltidas discussed and then confirmed the app had been whitelisted for the new Hashed Friends API. Similar emails to Lyft, AirBnB, and Netflix were included. Another discusses how to whitelist the Royal Bank of Canada, a Facebook partner.

"Without the ability to access non-app friends, the Messages API becomes drastically less useful. It will also be impossible to build P2P payments within the RBC app, which would have dire consequences for our partnership with them,” said Sachin Monga to a colleague. Later emails in this chain saw the app sent for whitelisting.

Six4Three alleges that these emails prove Facebook gave preferential treatment to certain apps by allowing them this extra data access for longer than everyone else. Facebook denies this, saying that it was the only option to ensure users' apps didn't break.

A separate conversation about the Friends API allegedly shows Zuckerberg giving the thumbs up to shutting down access to Twitter after it launched Vine – during the time when Facebook was working on video.

"Twitter launched Vine today which lets you shoot multiple short video segments to make one single, 6-second video," one message explained. "As part of their NUX, you can find friends via FB. Unless anyone raises objections, we will shut down their friends API access today. We’ve prepared reactive PR, and I will let Jana know our decision."

To which Zuckerberg replied: "Yup, go for it."

'This is a high risk thing to do from a PR perspective'

In one set of emails, Facebook's Michael LeBeau discussed an update on Android – which allowed the app to collect a record of calls and texts – that the biz knew would be controversial, and whether there was a way to temper the reveal.

"Guys, as you know all the growth team is planning on shipping a permissions update on Android at the end of this month," he wrote. "They are going to include the ‘read call log’ permission, which will trigger the Android permissions dialog on update, requiring users to accept the update.

"This is a pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."

In response, a mail from Yul Kwon said that the team was "exploring a path where we only request Read Call Log permission, and hold off on requesting any other permissions for now." Initial testing, Kwon said, suggested "this would allow us to upgrade users without subjecting them to an Android permissions dialog at all. It would still be a breaking change, so users would have to click to upgrade, but no permissions dialog screen."

At 250 pages, the email cache is an early Christmas present for Facebook watchers, who will pore over it this week. In the shorter term, the firm's stock price took an initial hit of about three per cent.

Zuckerberg and his Social Network may live to regret his decision not to give evidence to this band of British MPs. ®
