It could also access other information, including unique identifiers, on 294,258 friends of his friends. The finding appears to fly in the face of Facebook CEO Mark Zuckerberg's comments to Congress in March, when he said that "every piece of content that you share on Facebook you own. You have complete control over who sees it and how you share it." Facebook started phasing out the program in April, but it's still in effect for many of the partners.

In a piece entitled "Why We Disagree with The New York Times," Facebook pushed back strongly against the claims. It said that it created APIs for Amazon, Apple, Blackberry, HTC, Microsoft, Samsung and other device makers so that they could offer Facebook on their operating systems at a time when there were no apps or app stores. "All these partnerships were built on a common interest -- the desire for people to be able to use Facebook whatever their device or operating system," wrote VP of Product Partnerships Ime Archibong.

Sure looks like Zuckerberg lied to Congress about whether users have "complete control" over who sees our data on Facebook. This needs to be investigated and the people responsible need to be held accountable. https://t.co/rshBsxy32G — David Cicilline (@davidcicilline) June 4, 2018

Facebook controlled the APIs tightly, and said the partners signed agreements that prevented information from being used for anything other than to "recreate Facebook-like experience." It also said that the features couldn't be used with permission and that its engineering teams approved all of them. "Contrary to claims by the New York Times, friends' information, like photos, was only accessible on devices when people made a decision to share their information with those friends," Facebook said. "We are not aware of any abuse by these companies."

Some critics don't agree with Facebook's assessment of the situation, however. A former Facebook employee who led third-party ad and privacy compliance, Sandy Parakilas, noted that the program was controversial even within Facebook. "This was flagged internally as a privacy issue," he said. "It is shocking that this practice may still continue six years later, and it appears to contradict Facebook's testimony to Congress that all friend permissions were disabled."

The issue has also caught the attention of the US government. "Sure looks like Zuckerberg lied to Congress about whether users have 'complete control' over who sees our data on Facebook," tweeted Rhode Island Congressman (D) and consumer privacy advocate David Cicilline. "This needs to be investigated and the people responsible need to be held accountable."