Was Facebook Right?

Was Facebook right in sharing user data with phone manufacturers? How do we define third party? Etiker Founder Erik Partridge weighs in.

Preface

To determine whether Facebook was right in sharing user data with phone manufacturers, we first need to determine what a third party is. It sounds simple: anyone outside the company. In practice, this gets a lot trickier given the way modern software systems are developed.

How we define third party

Under a more traditional view, a third party would appear to be any party that is not immediately part of the corporation with which the initial terms were agreed. But, given the path of modern software development, this is often unrealistic. Independent contractors and freelancers frequently replace employees, and pieces of the application are frequently run out-of-house by companies using the software-as-a-service model. So, which of these are third parties? Or, better yet, which of these are third parties whose involvement requires the user's informed consent?

So long as a freelancer or independent contractor is held to the same standard as an employee, there’s no need for an additional box to check saying, “I’m okay with this company paying independent contractors instead of employees”. If a company is using an external company to store its log files, and the logs are anonymized, there is also no need. If a company uses social authentication, say through Google, then there is a reasonable need for the company to require the user to opt in, in this case by giving the option of email registration. If there is no email registration, then the company should explain why it requires Google, and in some cases this may be perfectly fine: identity verification for a financial app, for example. In other cases, such as wishing to market better, it may not be. The line for third party is going to be drawn slightly differently in each case. In the case of a fairly standard web application, this is where we would draw the line.

When it comes to phone manufacturers, the line seems to be somewhere between helping to debug the phone’s API using anonymous data and outright handing over data, closer to the former than the latter. It is on this basis that I’ll discuss the Facebook case.

A bit more context for this case

The New York Times reported earlier this month that Facebook, despite having testified to Congress a month earlier, had shared user data with phone manufacturers, including the data that a user’s friends had on the Facebook platform. To some, this may appear to be a violation of the 2011 F.T.C. agreement requiring user consent when sharing data with third parties. Facebook had agreed to this in order to settle a complaint regarding its data-sharing practices in its earlier years. Facebook argues that phone manufacturers were instead service providers, and therefore exempt from requiring consent. Facebook’s claims are under a substantial level of scrutiny.

Perhaps the most central thing in this specific instance is the F.T.C.’s 2011 agreement. This revolved around a complaint that Facebook had failed to keep user data private and safe. To resolve this, Facebook agreed that it would obtain consent from users before sharing data with a third party, and that should it violate this, the F.T.C. could fine it $40,000 per instance, per day. Facebook cannot claim ignorance either: it is clear from this that it was aware of the need to collect informed consent, and it has been sternly warned by the F.T.C. before. This is not the first time Facebook has gotten itself in hot water like this.

The ethical principles

In this case, the most substantial principle in question is that of informed consent. In effect, this would be entirely fine if Facebook had given users a box asking whether it could share this data with the person’s phone manufacturer, and for what purposes. Except maybe not. Because Facebook was sharing data involving the users’ friends, Facebook could not reasonably claim, in any situation, to have obtained consent to share this data with phone manufacturers. This works on the same general principle and reasoning by which a friend of yours cannot legally sign a contract in your name in most situations, nor should they be able to.

So, was Facebook right?

Mostly not, no. Very limited data sharing could be ethically okay without having informed users beyond the Terms & Conditions of the site. For example, if the Facebook app was crashing on BlackBerry any time a user received a notification of a friend’s birthday party, Facebook could reasonably share this data with BlackBerry if it concluded this to be a hardware issue. At the same time, sharing the name and location of the friend’s birthday party would not be okay.

The challenge is to share only the minimal amount, in an anonymous manner, in order to keep the service functioning: that’s okay. Going beyond that, or doing so for other purposes, is not ethically okay in this situation.
