"It's complicated." So might read Facebook's latest status update to Congress on how the social network collects, shares and sells users' personal data.
On Friday, Facebook responded to more than 2,000 questions posed by U.S. Senate and House committees. The questions pertain to how data gathered by the social network was shared with third parties, as well as investigations into Russia's use of social media to manipulate U.S. public opinion - via fake news - and to influence the 2016 presidential election (see US Indicts 13 Russians for Election Interference).
Facebook delivered 747 pages of answers that provide greater detail about its data handling and privacy practices (see Probes Begin as Facebook Slammed by Data Leak Blowback).
The answers reveal that Facebook had still been providing special access to user data to dozens of companies, six months after it had said it had stopped doing so in 2015. The apps had access to users' friends' data, "such as name, gender, birthdate, location - i.e. current city or hometown, photos and page likes," Facebook says.
The 61 organizations with which it was sharing information beyond the date it had previously claimed ranged from ABC Television Network, dating site Hinge and carmaker Nissan, to Russian webmail portal Mail.ru, Salesforce.com's "social listening tool" Radian6 and shipping giant UPS.
Facebook says it had given the 61 organizations a six-month extension "to migrate to the more restricted API and be subject to Facebook's new review and approval protocols."
In June, the Wall Street Journal reported that Facebook had struck special deals with some companies, including Nissan, giving them access to user data well after it says it blocked such access in 2015.
Facebook says that the API access it provided to third parties before 2015 could also have given them unintended amounts of information, after it revamped its API to restrict such access.
"In the context of our ongoing review of third-party apps, we discovered a very small number of companies (fewer than 10) in the following list that theoretically could have accessed limited friends' data as a result of API access that they received in the context of a beta test. We are not aware that any of this handful of companies used this access, and we have now revoked any technical capability they may have had to access any friends' data."
Facebook says the companies are Activision/Bizarre Creations, Fun2Shoot, Golden Union Co., IQ Zone/PicDial and PeekSocial.
Facebook says it also negotiated "special access" relationships with 52 companies, some of which have ended and some which are in the process of being wrapped up. It says arrangements with three firms - Apple, Amazon and Tobii - are continuing. Also continuing are arrangements with Alibaba and Opera Software, "but integrations will not have access to friends' data."
Cambridge Analytica Investigations
The 747 pages of responses to Congressional questions represents the second attempt by Facebook to answer U.S. lawmakers' queries. In June, it delivered 450 pages of answers to Congress.
The questions were prompted by revelations earlier this year that data analysis firm Cambridge Analytica, owned by British military contractor SCL Group, had obtained profile data for as many as 87 million Facebook users via a "thisisyourdigitallife" personality app created by a U.K.-based researcher named Aleksandr Kogan. Facebook says that Kogan's app was able to access personal data not just for people who used his personality survey, but also some of their friends' data.
In the wake of the scandal triggered by the public being alerted to Cambridge Analytica and others having obtained Facebook users' personal data and potentially used it to target them with advertising and disinformation campaigns, Facebook CEO Mark Zuckerberg appeared before Congress in April to answer questions (see Senators Raise Issue of Regulating Facebook).
Britain's Parliament is investigating Cambridge Analytica and Facebook as part of a wide-ranging investigation into Russian disinformation campaigns.
The U.K.'s privacy watchdog, the Information Commissioner's Office, is also investigating Cambridge Analytica, which worked for the "leave" campaign during the 2016 "Brexit" referendum over the U.K.'s membership in the EU.
Facebook Talks Policy Violations
Facebook has attempted to spin Kogan's research and data gathering as a violation of its policies and data leak, rather than a breach of its user data.
"Kogan and his company violated Facebook's Platform Policies, which explicitly prohibited selling user data accessed from Facebook and from sharing any user data accessed from Facebook with any ad network, data broker or other advertising or monetization related service," Facebook says.
Asked why the social network didn't appear to be actively policing whether apps were violating the company's policies, Facebook said in its answers: "We take action on potential violations of our Platform Policies based on proactive review, external reports, and other signals."
As Facebook's answers to Congress make clear, Kogan's app was not the only app enjoying access to Facebook users' data (see Report: Facebook App Exposed 3 Million More Users' Data).
Facebook Still Investigating Apps
The company says its investigation into how third-party apps were using Facebook - which it claims to have already been policing - is continuing. "We are in the process of investigating every app that had access to a large amount of information before we changed our platform in 2014," Facebook says in the report. "The investigation process is in full swing. We have large teams of internal and external experts working hard to investigate these apps as quickly as possible."
Facebook says that as of last month, it had reviewed thousands of apps and suspended about 200 of them, pending a more thorough review.
Life After GDPR
The EU's passage of the General Data Protection Regulation - which has been enforced since May 25 - has led to questions about whether Facebook may need to revise its business model.
Some companies, including Microsoft, have promised to comply with GDPR's terms everywhere in the world that they do business, meaning the European regulation is already having a global impact. But organizations have been moving data out of the EU. In April, one month before GDPR enforcement began, Microsoft's LinkedIn division moved all non-EU data to the U.S. "We've simply streamlined the contract location to ensure all members understand the LinkedIn entity responsible for their personal data," Microsoft said in a statement to Reuters.
Likewise, Facebook, moved 1.5 billion users' data out of Ireland - its European operations are based in Ireland - and into California. Facebook characterized the move as being because privacy rule language between the EU and the U.S. differ.
"We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc. or Facebook Ireland," Facebook told Reuters, noting that it moved the user data because unlike U.S. law, "EU law requires specific language" in private notices.
But privacy researcher Lukasz Olejnik told the Guardian that moving users' data would have legal ramifications.
"This is a major and unprecedented change in the data privacy landscape. The change will amount to the reduction of privacy guarantees and the rights of users, with a number of ramifications, notably for consent requirements," he said. "Users will clearly lose some existing rights, as U.S. standards are lower than those in Europe.