In an unprecedented move Wednesday, British lawmakers published hundreds of pages of internal Facebook emails and other documents that previously had been ordered sealed as part of an ongoing legal case between Facebook and a now-defunct app developer called Six4Three.
The documents, which date back to 2012, provide a rare window into CEO Mark Zuckerberg’s thoughts on how to expand his social media juggernaut as users made the transition from desktop to mobile phones. They also suggest a willingness within Facebook to sacrifice user privacy and undercut its competitors to continue driving growth.
“I believe there is considerable public interest in releasing these documents. They raise important questions about how Facebook treats users’ data, their policies for working with app developers, and how they exercise their dominant position in the social media market,” tweeted Damian Collins MP, who heads up Parliament’s Digital, Culture, Media, and Sport Committee. The committee, which is conducting an investigation into Facebook privacy concerns, seized the documents from Six4Three’s founder while he was traveling in London last month.
Facebook says the documents are “very misleading without additional context.” “Like any business, we had many internal conversations about the various ways we could build a sustainable business model for our platform,” a spokesperson said in a statement. “But the facts are clear: We’ve never sold people’s data.”
The documents were collected by Six4Three’s legal team as part of the discovery process for a lawsuit that alleges Facebook defrauded app developers by luring them with the promise of data, only to later cut them off from that information. The unredacted exhibits posted by Collins on Wednesday include internal emails, presentations, and memos. In one email, Zuckerberg personally approves a decision to shut down API access to Vine, a video-based social network backed by Twitter, in January 2013. In another, Facebook executives discuss giving Android devices access to users’ call logs without requiring their informed consent. Zuckerberg himself toys with the idea of trading app developer access to Facebook’s APIs for advertising revenue from those developers in 2012. That same year, he expresses openness to “locking down” developers’ access to their users’ friends data. Facebook wouldn’t actually announce that change for another two years, even as it built relationships with developers on the back of that data.
In 2012, Zuckerberg voices his skepticism in an email to Facebook’s then-director of product management, Sam Lessin, that sharing friend data with app developers might ever pose privacy risk. “I just can’t think if any instances where that data has leaked from developer to developer and caused a real issue for us,” he writes. “Do you have examples of this?”
Six years later, amid ongoing global investigations into how an app developer working with the political firm Cambridge Analytica was able to weaponize data for political purposes, that question looks remarkably naive. The Cambridge Analytica scandal, which made international headlines in March and elevated a global conversation about the need for stricter data privacy laws, also cast the lawsuit between Six4Three and Facebook in a new light. The case began in 2015, after Facebook changed its API to cut developers off from friend data. Six4Three’s app, Pikinis, used friend data to let users find people’s bathing suit photos. Without access to friend data, the Pikinis app shut down, and its founder Ted Kramer sued Facebook, asking the company to either reinstate access or pay damages.
But it’s the documents that Six4Three unearthed through discovery that have become the focal point of the case. Though they were ordered sealed earlier this year by a US court, UK lawmakers repeatedly ordered Kramer to hand them over while he was in London. Kramer, who had illicit access to the documents through a Dropbox folder that was supposed to be limited to his legal team, later told the court he “panicked” and handed over what he could to Collins and his staff. Facebook is now asking the California court to reopen the discovery process into Six4Three. Kramer and his legal team have been ordered to hand over their laptops and other devices for forensic investigation.
In a hearing Friday in Redwood City, California, Judge V. Raymond Swope told Kramer and his team: “What’s happened here is unconscionable. Your conduct is not well taken by this court.”
In that same hearing, Kramer’s new lawyer, Peder Thoreen, told the court he was taking steps to ensure the DCMS committee did not release the sealed documents, as promised. But it seems those efforts were ineffective.
The documents revealed by the committee bear out some, but not all of the accusations that Kramer has been making about how Facebook dealt with overlapping concerns around data privacy, competition, growth, and public relations. Among the most damning email chains released shows Facebook employees discussing a plan to allow Android devices to access users’ call history without alerting users. Facebook’s Mike LeBeau notes in a 2015 email that opening up call logs was a “pretty high-risk thing to do from a PR perspective, but it appears that the growth team will charge ahead and do it.”
LeBeau worries about how users and the press would react to their Android phones asking users for this permission. “Screenshot of the scary Android permissions screen becomes a meme (as it has in the past), propagates around the web, it gets press attention, and enterprising journalists dig into what exactly the new update is requesting, then write stories about ‘Facebook uses new Android update to pry into your private life in ever more terrifying ways – reading your call logs, tracking you in businesses with beacons, etc.'”
In a follow-up note, another Facebook employee, Yul Kwon, who was working on mitigating privacy concerns at the time, says that the growth team tested a way to get users to upgrade to this new permission “without subjecting them to an Android permissions dialog at all.”
In other words, in the interest of growth and protecting its reputation, Facebook seems to have been working on ways to give away more user data without users knowing it. Critically, this change happened years after the Federal Trade Commission entered a consent decree with Facebook which, among other things, “barred [Facebook] from making misrepresentations about the privacy or security of consumers’ personal information.” In the aftermath of the Cambridge Analytica scandal, the FTC confirmed it is investigating Facebook’s privacy practices.
In a response to the documents, Facebook didn’t offer much detail on these discussions, except to say that this was an opt-in feature that allowed Facebook apps to “make better suggestions for people to call in Messenger and rank contact lists.”
The documents released Wednesday also appear to back up Kramer’s assertion that Facebook was trying to trade access to data for ad revenue. Beginning in 2012, Zuckerberg and other executives repeatedly debate ways to get developers to pay for access to the Facebook platform. This is not out of the ordinary, of course. Plenty of tech companies charge a fee for their APIs. Facebook has never done that, but the documents reveal the company seriously considered it. “If we make it so developers can generate revenue for us in different ways, then it makes it more acceptable for us to charge them quite a bit more for using platform,” Zuckerberg writes in a 2012 email.
Facebook imposed other requirements on developers that didn’t include outright payment, but did include a data-sharing agreement. In a 2012 email, Zuckerberg argues for what he calls “full reciprocity,” which he defines as requiring app developers to let their users share their data back to Facebook. Zuckerberg notes that this is in Facebook’s best interest. Sometimes, he explains, the best way for people to share information online is to do so through a specialized app. “That may be good for the world but it’s not good for us unless people also share back to Facebook and that content increases the value of our network,” he writes. In a follow-up email, Facebook’s chief operating officer Sheryl Sandberg says “I like full reciprocity and this is the heart of why.”
The documents also show Facebook made special arrangements for data access with certain developers through what the company called “whitelists.” According to the emails, some companies appear to have been whitelisted for friend data in 2015, after Facebook already announced it would be shutting down access to this data. Those companies include Badoo, HotorNot, Bumble, Lyft, Airbnb, and Netflix. None of these companies appears on the list Facebook issued in responses to the House Energy and Commerce Committee earlier this year of companies that got access to friend data beyond May 2015, when all other apps were cut off. Facebook previously has told WIRED that Lyft, Airbnb, and Netflix did not have access beyond May 2015. The company has not responded to WIRED’s request for comment on Badoo, HotorNot, and Bumble.
Asked for a definition of “whitelisted,” a Facebook spokesperson said the company works “more closely with partners in certain cases to provide a better experience for people.” “It’s a common practice to test new features and functionality with a limited set of partners before rolling out the feature more broadly (aka beta testing),” the spokesperson added. “Similarly, it’s common to work closely with partners when features are shut down to limit the disruption for people.”
Throughout the emails, Zuckerberg and other executives grapple with how to treat their competitors. In some cases, the decisions appear clear-cut, as is the case when Facebook vice president Justin Osofsky tells Zuckerberg that Twitter’s app, Vine, allows users to find friends on Facebook. “Unless anyone raises objections, we will shut down their friends API access today. We’ve prepared reactive PR,” Osofsky writes. Zuckerberg replies simply: “Yup, go for it.”
In another undated company memo, Facebook says it maintains a “small list of strategic competitors that Mark personally reviewed.” These apps, the memo says, are “subject to a number of restrictions” and any additional access is “not permitted without Mark level sign-off.”
But other times, the young CEO expresses unease about crushing competitors. “At some level I think helping your competitors is a fact of life,” he writes in a 2012 email. “We need to make sure we’re not doing this to an extent that it destroys us, but we also shouldn’t be so rigid as to rule out any model where competitors get benefit from us.”
In its response, Facebook says that it’s normal for tech companies to deal with competitors this way. “These kind of restrictions are common across the tech industry with different platforms having their own variant including YouTube, Twitter, Snap and Apple,” the blog post reads. Still, the company appears to be trying to head off at least some of these competition concerns now: It announced Tuesday that third-party developers would no longer be prohibited from building apps for the platform that “replicate core functionality that Facebook already provides.”
It may be relatively easy for Facebook to explain away some of the concerns raised through these emails by arguing that it was merely debating these ideas, not implementing them. But others, like the attempt to subtly open users’ call logs up to Android devices without users’ full knowledge, may be tougher to explain. And as conversations about breaking up big tech companies heat up in the United States, Facebook’s approach to competitors like Vine may not be looked at favorably from an antitrust perspective.
But in a Facebook post Wednesday afternoon, Zuckerberg emphasized an important point that does play to Facebook’s favor. The platform changes the company made in 2014 and 2015 were explicitly designed to stop “sketchy” app developers from accessing too much data. “In fact, this was the change required to prevent the situation with Cambridge Analytica,” Zuckerberg wrote. “While we made this change several years ago, if we had only done it a year sooner we could have prevented that situation completely.”
Even as Facebook answers for its decisions regarding privacy and competition, Six4Three faces plenty of questions too. As do the British lawmakers who broke with international norms to make public documents that were sealed by a US court. Just how the documents made their way from Kramer’s secret Dropbox account to the hands of British parliamentarians will be the subject of further scrutiny as the court case rages on in California.
The next hearing in the case is scheduled for this Friday.
1Update: 1:51 pm ET 12/5/2018 This story has been updated to include additional responses from Facebook.