On Tuesday evening, The New York Times revealed more startling news about Facebook: the company "gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules.”

The news comes days after Facebook disclosed a massive photo bug, weeks after 50 million people were affected by an access-token harvesting attack, and less than a month after it was revealed that Facebook considered selling access to its users’ data. And all of those scandals are in addition to the Cambridge Analytica debacle. In June 2018, Facebook dodged some lawmakers' questions in written testimony, after two days of CEO Mark Zuckerberg's appearance before the US Senate.

The newspaper cited "hundreds of pages" of internal documents, which it did not publish.

As the Times reported:

Pushing for explosive growth, Facebook got more users, lifting its advertising revenue. Partner companies acquired features to make their products more attractive. Facebook users connected with friends across different devices and websites. But Facebook also assumed extraordinary power over the personal information of its 2.2 billion users—control it has wielded with little transparency or outside oversight. Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

Jennifer Valentino DeVries, a Times reporter who was not bylined on the story, tweeted:

Users have control over the data they share on Facebook, Zuck tells Congress. OK, in the sense that they can decide not to share it. Or they can decide which friends can see it. They have “control.” But obviously, in another sense, they don’t have control at all. — Jennifer Valentino-DeVries (@jenvalentino) December 19, 2018

Per the Times, these arrangements apparently let selected partners continue to access users’ contact details via friends—despite the fact that in 2014 Facebook said it was ending such access. Sony, Microsoft, and Amazon were specifically named as companies that had this ability.

"Some of the largest partners, including Amazon, Microsoft and Yahoo, said they had used the data appropriately, but declined to discuss the sharing deals in detail," the newspaper reported.

This new revelation appears related to, but separate from, the recent revelation that Facebook extended access to companies that paid for the privilege while shutting it down in 2015. In April 2014, Facebook changed the way the previously permissive Graph API works. The social media giant restricted some data access and eliminated all access to the earlier version by June 2015.

In the wake of the Times' reporting, Sen. Brian Schatz (D-Hawaii) tweeted his frustration.

It has never been more clear. We need a federal privacy law. They are never going to volunteer to do the right thing. The FTC needs to be empowered to oversee big tech. — Brian Schatz (@brianschatz) December 19, 2018

Facebook spokeswoman Katy Dormer declined to provide Ars with a copy of the documents referenced in the story. She did not respond to Ars’ specific question but included two statements from two executives, neither of which denied or refuted the Times’ reporting.

"We know we've got work to do to regain people's trust," Steve Satterfield, director of privacy and public policy at Facebook, said in one of the statements.

"Protecting people's information requires stronger teams, better technology, and clearer policies, and that's where we've been focused for most of 2018. Partnerships are one area of focus and, as we've said, we're winding down the integration partnerships that were built to help people access Facebook."