When the New York Times reported in December that three major corporations had obtained the ability to read all private messages of any Facebook users who connected to their accounts, Netflix and Spotify admitted they were granted that power by Facebook, but claimed they didn’t use it.

The other company, Royal Bank of Canada, was alone in denying that it ever had any such access. It would repeat its denial in coverage of the report by the Globe and Mail and CBC.

Now The Tyee has been told by a Facebook spokesperson that RBC did in fact have the power to read, write and delete private messages by Facebook members using RBC’s banking app, as the New York Times reported.

RBC repeated its denial to The Tyee.

If Facebook is correct, it raises serious questions, says Charlie Angus, an MP and member of Parliament’s Standing Committee on Access to Information, Privacy and Ethics, which questioned Facebook in April 2018 after revelations of Facebook’s data sharing practices.

“My question is why did RBC want to have this capacity? And if they did obtain private messages, that would be very, very serious. They’ve said they haven’t so I have to take them at their word. But I would like clarification on why they would have wanted access,” Angus told The Tyee.

RBC began allowing customers to connect to Facebook in 2013 in order to send money transfers over the social media network, and shut down the service quietly in 2015.

If RBC had the abilities Facebook says it was granted, the bank could read every message its customers ever sent or received via Facebook, not just send or receive e-transfer notifications as RBC claims.

Though RBC customers had to approve Facebook’s connection, access to messages on Facebook’s platform typically included those the customer sent to and received from other Facebook users who did not use RBC or give consent.

“That was the whole [kind of] breach that allowed Aleksandr Kogan to end up with 67 million people’s personal information. Those loopholes were enormous. It’s hard to trust that those loopholes weren’t abused. I think it’s incumbent on a company like RBC to be very clear,” said Angus.

“This was at a time when there was very much a Wild West attitude about personal data and information — if you could get it you took it. So they would need to be able to explain very clearly that they did not.”

Among the questions left hanging, given the contradictory statements by RBC and Facebook, are these:

1. Why do RBC and Facebook’s stories differ?

Did RBC merely misunderstand the abilities it obtained from Facebook or plan messaging features it didn’t use? If so, why does it continue to double down when Facebook itself has confirmed the abilities?

2. Why would RBC want to read messages and why did Facebook grant it?

RBC says its app needed to “uniquely identify the recipient of funds” and notify these recipients via Facebook when it launched a payment service in 2013. It didn’t need to read previous Facebook messages of the sender, an ability Facebook says the bank acquired.

Documents released by U.K. Parliament show Facebook scrutinizing and denying Vancouver-based Hootsuite’s request for the ability to read mailboxes.

Why was RBC among a handful of companies granted that ability?

RBC was already on the defensive in 2013 about extensive permissions its app requested from users, the Globe and Mail then reported. The bank said then it would create a website to explain to consumers precisely which permissions it asked for and why.

3. How many RBC customers connected their accounts to Facebook?

Neither Facebook nor RBC disclosed how many RBC clients connected their bank accounts to the social network.

Facebook’s permission scheme first required companies to get their apps approved by Facebook for mailbox reading. Next, the companies had to request permission from each customer of an app in turn when they installed the app.

Over 60 per cent of Canadian consumers in 2014 used mobile banking apps. That number grew to over 80 per cent by 2016, according to Statista. RBC is Canada’s largest bank, with 16 million clients.

Over 13 million Canadians used “over-the-top” messaging — online alternatives to text messages provided by phones — by 2015, the year RBC claimed it decommissioned its Facebook-connected services. Facebook boasted 700 million users of its messaging service the same year, and is now the top messaging service in Canada, also according to Statista.

Messaging apps, including Facebook Messenger in 2013, offered to take over internal text messaging on phones, making the networks the primary text communication route between some users.

4. Did RBC ever read any customer’s Facebook mailboxes?

Facebook said RBC did not make use of the mailbox-reading abilities it acquired in its app.

But Facebook did not say whether it could definitively determine that the bank never read any mailboxes, in testing or outside the features of the app, once it acquired permissions to do so. The Facebook spokesperson instead referred The Tyee to RBC, which denied having the ability in the first place.

5. What does Facebook mean that data can’t be used for ‘independent purposes’?

Facebook’s claim may give the impression that companies are limited in uses of the data by some kind of technical restriction.

However, once data is downloaded from its “Application Programming Interface” — the live database used by software developers — it could be stored externally and manipulated or applied for any purpose without Facebook’s knowledge.

Political consulting firm Cambridge Analytica acquired data extracted from a Facebook app to influence elections, contrary to Facebook’s terms of use. The revelation caused a major scandal, partly because data obtained by the app included information about app users’ friends without their consent or awareness.

The data was collected by a separate app developer and provided to Cambridge Analytica. This was also against Facebook’s rules, but impossible to prevent by the nature of data in Facebook’s API.