A report by The New York Times on Tuesday evening laid out a series of apparently scandalous revelations about how Facebook gave other technology companies access to users’ private information, including friends lists and private messages. The report, however, may have exaggerated the scope of Facebook partners’ access to that data, which in many cases was limited to application integration.

Still, while Facebook executives have responded to the report by claiming that all access to user data was given with explicit permission from the users, the report does raise concerns that Facebook was not entirely transparent about how far those permissions went. For just one example, look at how Facebook harvested phone call records and SMS data on Android devices through Facebook applications.

In a statement issued Tuesday night, Facebook's director of developer platforms, Konstantinos Papamiltiadis, wrote of the integration features offered to Facebook partners:

To put it simply, this work was about helping people do two things. First, people could access their Facebook accounts or specific Facebook features on devices and platforms built by other companies like Apple, Amazon, Blackberry and Yahoo. These are known as integration partners. Second, people could have more social experiences—like seeing recommendations from their Facebook friends—on other popular apps and websites, like Netflix, The New York Times, Pandora and Spotify.

Papamiltiadis asserted that none of these integration points violated Facebook’s 2012 settlement with the Federal Trade Commission, because users gave permission for applications and websites to access their Facebook data. These included mobile and browser integration points (with Windows Phone and Apple’s Safari browser, for example), integration with Web mail clients to help find Facebook friends by mining contact lists, and integration with Facebook messaging to share things like Spotify song recommendations.

Access to many of these features required connecting users’ Facebook accounts with the applications and Web services. Most of these integration points, including one with Microsoft’s Bing search engine to allow sharing of searches with friends, were ostensibly shut down by Facebook in 2014, Papamiltiadis claimed.

But while the direct integration points were ended, the interfaces for a feature called “instant personalization” were left in place in Facebook’s platform. Instant personalization sent profile data automatically to some websites (including Bing), including the user’s name, friends list, and email address. Papamiltiadis said that instant personalization “only involved public information, and we have no evidence that data was used or misused after the program was shut down.” But the director did note that Facebook should not have left the application interfaces in place after the program was ended.

“We’ve taken a number of steps this year to limit developers’ access to people’s Facebook information, and as part of that ongoing effort, we’re in the midst of reviewing all our APIs and the partners who can access them,” Papamiltiadis said.

Loose ends

The problem is with the word “access.” The New York Times report suggests that Facebook’s partner companies had access to users’ personal data, while in many cases what was made available was a way for users of those partners’ apps to interact with Facebook through the app. For example, The New York Times report called out an integration of Facebook Messenger with the Spotify music streaming service and other companies’ applications as a privacy threat. But Alex Stamos, former chief security officer at Facebook, told Ars, “I think the Times’ section on Messenger will come to be seen as intentionally misleading.” That third-party integration into Spotify’s client was already well known “and explicitly activated by users,” Stamos noted. “If the other integrations turn out to be similar, then it is inappropriate to imply that these companies had unrestricted access to Messenger messages.”

Facebook executives themselves, however, decided that the free market of application integration with the Facebook platform was not necessarily a good thing. The integration interfaces were originally introduced in 2012 as part of the company’s efforts to rapidly expand the user base by hooking into the mobile app boom. But in 2014, the company started to shut down access to friends lists and other data, giving developers a year to switch to a new, more locked-down version of the Facebook API. That happened in part because of applications that were causing privacy concerns, including one from Six4Three that scoured Facebook photos for images of women in bikinis. Notably, Six4Three has been pursuing a lawsuit against Facebook over the changes for years.

But even as Facebook shut down smaller developers, the company gave some partners, including device manufacturers, special access to users' friends data—a move revealed by Facebook in June after another New York Times report. Those agreements with companies such as Apple, BlackBerry, and Amazon were being “winded down” by Facebook starting in April of this year. They were intended to allow phone developers to integrate the Facebook “experience” more deeply into their devices for tasks such as sharing photos. However, the interfaces provided to phone developers allowed them to bypass explicit settings enabled by users to block sharing of personal data through other users’ friends lists.

While these interfaces were intended to only provide access to device and application users who had explicitly given permission, they still may have left users’ data vulnerable—especially since the permissions being granted may not have been entirely obvious to the users. As demonstrated by Facebook’s Messenger application, those permissions can extend far beyond what the user intended. On Android, Messenger uploaded call history and SMS data to Facebook’s servers, ostensibly to help Facebook’s algorithms make better friend recommendations, for example. Other applications tied to Facebook interfaces could have easily cached Facebook data offline because of their architecture.

Facebook is still allowing a number of companies to tie into Facebook data: Amazon and Apple retain integration with Facebook user profile data, for example, and Facebook allows integration for notifications with the Mozilla, Opera, and Alibaba Web browsers. Papamiltiadis also noted that Facebook was providing such data hooks for the eye-tracking and assistive technology company Tobii in order to help people with ALS access Facebook.

Stamos noted that part of the problem with Facebook’s response to the report—and the company’s privacy posture in general—is that Facebook executives have failed to be transparent about what has and has not been shut down in Facebook’s application interfaces. “They need to list out all of these integrations, what was available, the user experience, and if and when it was shut down,” he said. “That is the right thing for users but also the best way for the company to respond to press and government questions.”