Since March, when news broke that the political consulting firm Cambridge Analytica used a Facebook app to amass data on as many as 87 million people without their consent, the social networking giant has been forced to repeatedly answer for how it has given away user data and who it's given that data to. In the immediate wake of the scandal, Facebook rushed to defend itself in a blog post, saying that in 2014, it changed an element of its API to prevent apps from collecting data on their users' friends, as the Cambridge Analytica app did. Facebook has since clarified that while it announced this change in 2014, apps that already had access to people's friends' data continued to have access until May 2015.

Then, in more than 700 pages of written responses delivered to the House Energy and Commerce Committee late last month, Facebook acknowledged that some apps had this access for up to six months longer, to allow them to "come into compliance" with the new rules. There were dozens of companies on the list, including dating apps like Hinge and music-streaming services like Spotify, but one may raise more than a few eyebrows in Washington: the Russian internet giant Mail.ru.

According to Facebook, Mail.ru was given a two-week extension to wind down a feature on two messaging apps that enabled users to see their Facebook friend lists and message with people who also had the Mail.ru apps. During the extension, at least, the app only had access to people's friend lists, not any information about those friends' likes or interests. And yet, long before that extension was in place, Facebook says Mail.ru ran hundreds of apps on the platform, all of which operated under Facebook's old rules, which did allow app developers to collect their users' friends' data. Some of those apps began operating as early as 2009.

"Some apps were built prior to the platform change in 2015, so they did have access to the earlier version of our platform," a Facebook spokesperson said. "That made it possible for users to consent to sharing information about themselves, as well as their friends."

Facebook says the majority of Mail.ru's apps were test apps that remained private and that only a handful actually launched publicly. It did not share details on how many users may have had their information exposed to Mail.ru apps without their consent. The company adds that Mail.ru's collection of apps have not had access to people's friends' data since May 2015, when Facebook changed its API. Still, Facebook is now investigating Mail.ru, along with all other apps that had access to large quantities of user data prior to the changes. But, the spokesperson says the investigation is not itself a condemnation. "We found no indication of misuse with Mail.ru. If we detect any suspicious activity or potential misuse, that’s when we formally audit a company."

Facebook granted thousands of other companies the same data access as Mail.ru prior to 2015. And yet, recent concern over Russia's manipulation of social networks in the run-up to the 2016 election may cast the relationship between the two companies in a new light.

In a statement to WIRED, a spokesperson for Mail.ru wrote, "We assume that while changing API Facebook changed the terms for the clients who had popular applications that had not been updated to the latest version [...] We definitely use our cooperation with Facebook strictly for business needs of our products and strictly according to the Facebook regulations."

Mail.ru and Facebook have a history. Mail.ru’s founder Yuri Milner was a major investor in Facebook, but he divested his shares in 2013 and also left Mail.ru years ago. A spokesperson for Milner said in a statement, "Yuri Milner has not been involved as CEO of Mail.ru since 2003. Shortly after the IPO of Mail.ru in 2010, he sold all of his shares in the company. In 2012, he stepped down from the board of directors and has not been involved since then.1

'It’s disconcerting that four months after this scandal became public, Facebook still has no idea how many others have its users’ data and how that data is being used today.' Representative Frank Pallone Jr.

Over the last year, reports have also surfaced about Milner's ties to the Kremlin. In November 2017, following the so-called Paradise Papers leak of 13.4 million confidential documents related to offshore payments, The New York Times reported that Milner had received hundreds of millions of dollars in Russian state funding, which he used in part to invest in both Facebook and Twitter through his international investment firm, DST Global.