struck customized data-sharing deals with a select group of companies, some of which had special access to user records well after the point in 2015 that the social-media giant has said it cut off all developers from that information, according to court documents, company officials and people familiar with the matter.
The unreported agreements, known internally as “whitelists,” also allowed certain companies to access additional information about a user’s Facebook friends, the people familiar with the matter said. That included information like phone numbers and a metric called “friend link” that measured the degree of closeness between users and others in their network, the people said.
The whitelist deals were struck with companies including
, who advertised on Facebook or were valuable for other reasons, according to some of the people familiar with the matter. They show that Facebook gave special data access to a broader universe of companies than was previously disclosed. They also raise further questions about who has access to the data of billions of Facebook users and why they had access, at a time when Congress is demanding the company be held accountable for the flow of that data.
Many of these customized deals were separate from Facebook’s data-sharing partnerships with at least 60 device makers, which it disclosed this week. Several lawmakers and regulators have subsequently said those device-maker arrangements merit further investigation.
Facebook officials said the company struck a small number of deals with developers largely to improve the user experience, test new features and allow certain partners to wind down previously existing data-sharing projects. The company said it allowed a “small number” of partners to access data about a user’s friends after the data was shut off to developers in 2015. Many of the extensions lasted weeks and months, Facebook said. It isn’t clear when all of the deals ultimately expired or how many companies got extensions.
The vast majority of developers who plugged into Facebook’s platform weren’t aware that the company offered this preferred access or extensions to certain partners, according to the people familiar with the matter.
Ime Archibong, Facebook’s vice president of product partnerships, said in an interview Friday that the company maintained a “consistent and principled approach to how we work with developers over the course of the past 11 years.”
He added that were some cases where the company worked “more closely” with individual developers to test new features or when winding down products. “But we have been extremely, I would say, persistent and objective around how we worked with developers,” Mr. Archibong added.
Privacy experts said Facebook users likely didn’t know how their data was being shared. “I don’t think anyone would have a reasonable understanding of how widespread this was,” said
director of the Federal Trade Commission’s Consumer Protection Bureau from 2009 until 2013 and now a professor at Georgetown Law.
Mr. Vladeck said any deals made after 2012 could draw scrutiny about whether Facebook was in violation of its settlement that year with the FTC, under which the firm is required to give the social network’s users clear and prominent notice and obtain their express consent before sharing their information beyond their privacy settings. Facebook said Friday it hasn’t violated the settlement.
The revelations come as Facebook is dealing with the fallout in March related to the use of personal data by Cambridge Analytica, a political analytics firm that aided President
2016 presidential campaign and purchased data on 87 million users from another developer. The crisis sparked questions about Facebook’s lax oversight of its platform, an FTC investigation into whether the company violated the 2012 settlement and two congressional appearances by Facebook Chief Executive
In his testimony before Congress, Mr. Zuckerberg said Facebook moved to eliminate broad access to information about users’ friends in 2014. Developers had until May 2015 to comply with the rules. The move was a harsh blow to developers, forcing a number of apps to shut down without access to the data. Others had to find workaround solutions to continue operating.
On Friday, the company acknowledged that a subset of companies were given extensions beyond May 2015.
“As we were winding down over the year, there was a small number of companies that asked for short-term extensions, and that, we worked through with them,” Facebook’s Mr. Archibong said. “But other than that, things were shut down.”
Facebook’s relationships to outside developers have shifted over time as it made key adjustments to how it shares data.
In 2007, the company started allowing developers to tap its so-called social graph, including crucial information about a user’s friends. Unlike advertisers, developers didn’t have to pay for this information, giving rise to a new generation of startups built on social connections.
This arrangement also made Facebook increasingly central to its users’ daily lives, despite objections from privacy groups and some users about potential abuses of that data. By 2014, developers could access about 30 different data points about users’ friends, including places they checked into, education history and religious and political affiliation.
Early on, Facebook brokered special deals with certain companies, some people with knowledge of the deals said. “Ninety-nine percent of developers were treated the same, but 1% got special treatment because they accounted for all the value of the platform,” one former Facebook employee said, referring to popular apps and services that attracted users.
Eventually, Facebook set up internal teams dedicated to brokering and developing customized data deals.
—Vipal Monga, Eliot Brown and Tripp Mickle contributed to this article.
Corrections & Amplifications
Royal Bank of Canada was among the companies Facebook gave special access to data. An earlier version of the article incorrectly said RBC Capital Markets had special access. (June 8, 2018)