The scrutiny over Facebook’s data-sharing partnerships highlights how critical APIs are to modern development, and how important it is to restrict how much data can be accessed through these interfaces.
Services like Facebook provide application programming interfaces (APIs) to third-party developers so that they can include the data to create games and other apps for the users. The API owners control what kind of information, and how much, data is available to an API call. If they aren’t careful, they can expose too much. If they don't pay attention to how APIs are being used, they may not notice when someone is abusing the access. If they don't keep track of all their APIs, they don't have a complete picture of who has access to their data.
“People forget the power APIs can have,” said WhiteHat Security’s Katie Carty Tierney.
After The New York Times reported that Facebook had data-sharing partnerships giving around 60 device makers elevated privileges to user data, Facebook clarified the scope of these agreements. Unlike the better-known APIs which let third-party developers reach Facebook users to “build completely new experiences” such as games, these “device-integrated APIs” gave device makers the ability to recreate “Facebook-like experience” on their devices, Facebook said. These partnerships date back to 2008, when smartphone apps were not as ubiquitous, and were pretty common at the time as many services were trying to get traction on mobile devices. The elevated privileges were given because the device makers were considered trusted partners.
“All these partnerships were built on a common interest—the desire for people to be able to use Facebook whatever their device or operating system,” Ime Archibong, Facebook’s vice-president of product partnerships, wrote in the company’s response to the New York Times article. “Given that these APIs enabled other companies to recreate the Facebook experience, we controlled them tightly from the get-go.”
The contracts strictly limited how the partners could use the data, and to obtain the user’s permission before integrating with the user’s Facebook features. While most partners kept the data on the device, there were some cases where the data was kept on partner servers, and the contracts was used to strictly dictate how that data was used on those servers. Facebook’s partnership and engineering teams approved the “Facebook experiences” as they were built, and Archibong said the company knew of no cases where the information had been misused.
While there is a way to spell out the level of access that is available in the API, it’s not clear how that agreement would be enforced, or even what the data audit would look like, Tierney said. Companies frequently struggle with performing due diligence on APIs, such as scanning for vulnerabilities and testing business logic.
The problem with Facebook saying there was no abuse is that the latest revelation comes too soon after political consulting firm Cambridge Analytica which abused its access to data belonging to millions of Facebook users. Facebook CEO Mark Zuckerberg admitted the company had neglected to verify the data was removed when it should have been: “We shouldn’t have taken their word for it.”
How the data was used
Facebook said it had agreements with Amazon, Apple, BlackBerry, HTC, Microsoft, and Samsung. In response to a Congressional inquiry, Facebook said it had partnered with at least four Chinese device makers, including Huawei, Lenovo, OPPO, and TCL. United States intelligence officials have raised concerns over the years about Huawei having ties to Chinese espionage. Facebook said it had wound down partnerships with 22 companies already, and that Huawei would be terminated by the end of the week.
“We wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei’s servers,” Facebook’s vice president of mobile partnerships Francisco Varela said in a statement.
An Apple spokesperson told the New York Times the company used the Facebook data for features that let users engage with the social network without opening the app, such as posting photos, but that it hadn’t had access to Facebook data since September. HTC had two phone models with a dedicated Facebook button to make it easier to share things on the social network. BlackBerry said the data was used to give users access to their networks and messages on their devices and never for data mining. Microsoft-powered devices were able to add contacts and friends, and receive notifications, and the data was stored locally on the phone and not synced to Microsoft servers.
People forget the power APIs can have.
“The things mentioned in the Times article about relationship statuses and all these kinds of stuff, this is so foreign to us, and not data that we have ever received at all or requested—zero,” Apple CEO Tim Cook told NPR. “What we did was we integrated the ability to share in the operating system, make it simple to share a photo and that sort of thing. So it’s a convenience for the user. We weren’t in the data business. We’ve never been in the data business.”
“If all information was stored on the phone itself, as Facebook says, I honestly do not see what the big deal is supposed to be here,” The Verge’s Casey Newton wrote on Twitter.
The motivation to end these partnerships came about as part of the hard look Facebook was taking with its data policies as a result of Cambridge Analytica. It appears that Facebook, as part of winding down elevated access to its data, is encouraging the device-makers to use Facebook’s existing apps.
Bone of contention
The sticking point here seems to be The New York Times claim that the device makers could obtain data about a user’s Facebook friends, without getting consent from those second-degree contacts. The reporters said that logging into Facebook using The Hub portal on a BlackBerry device from 2013 retrieved information for the user’s 500+ friends, as well as information for nearly 295,000 friends-of-friends. Facebook has adamantly denied the claim, and said partners receive information of user’s friends only if the friend shares information with that user.
“A great way to think about that is, just like when you see your timeline. If you and I are friends, and I post on my timeline, and one of my friends comments on it, you’re still going to be able to see that friend’s comment, and that’s just the nature of sharing on Facebook,” a Facebook spokesperson told Gizmodo.
APIs tend to be headless and lack a “pretty user interface,” making it harder to test to make sure there are no accidental data exposure or leakage, but it's critical for API owners to regularly scan for known vulnerabilities and regularly test that the APIs aren't doing more than designed. Many security teams don’t even learn about APIs under development, and find out after the source code has already been written and deployed, making this an ongoing challenge.
However, there is really no way to avoid APIs. These data-sharing partnerships were essential, and commonplace, back in 2008, and they are even more critical now for platforms to grow and services to provide more features for their users.
API must exist for the future of development, so it is “incumbent [on the owners] to be the ones to protect the information they are giving access to,” Tierney said.