Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Vice Chairman Marco Rubio (R-Fla.) sent a letter (pdf) to Meta CEO Mark Zuckerberg on Monday, questioning him about crucial data Meta’s Facebook platform shared with developers in China in recent years.
Warner and Rubio alleged, based on past reporting and company documents, that Facebook has known that hundreds of thousands of developers in what it deemed “high-risk” countries like China had access to “significant amounts of sensitive user data.” The senators specifically noted a 2018 New York Times article stating Facebook had given privileged access to key application programming interfaces (APIs) to Huawei, OPPO, TCL, and other device-makers based in China.
Meta, which is the parent company of Facebook, has been the subject of an ongoing lawsuit over allegations it improperly shared data with third-party organizations. A recent court filing from the case (pdf) indicated that Facebook had more than 244,000 developers based in what it considered “high-risk” nations, including 86,961 in China and 42,078 in Russia.
Facebook’s internal materials described “high-risk” nations were ones that “may be governed by potentially risky data storage and disclosure rules or be more likely to house malicious actors,” including “states known to collect data for intelligence targeting and cyber espionage.”
Facebook revealed it worked with developers in other “high-risk” countries, including Vietnam, Ukraine, Cuba, Iran, North Korea, Sudan, and Syria.
Warner and Rubio said they were “startled to learn” so many Chinese developers had access to Facebook data “given that Facebook has never been permitted to operate in the PRC.”
The senators called on Meta to detail its security review process for sharing data with developers in China and Russia and to provide a record of the types of information for which these Chinese and Russian developers had access and the timeframes of that access. The senators also called on Meta to provide an estimate of the number of U.S. Facebook users whose data was shared with a developer located in each of the countries identified as “high-risk” nations.
The senators also asked if Meta has any indication that any developers’ access enabled coordinated inauthentic activity, targeting activity, malicious advertising, fraudulent activity, or any other malign behavior by foreign governments.
NTD News reached out to Meta for comment on this issue, but they did not respond by the time this article was published.
In a response letter shared with Bloomberg, Meta said the documents detailing Facebook’s data-sharing with developers in “high-risk” nations “are an artifact from a different product at a different time.”
“Many years ago, we made substantive changes to our platform, shutting down developers’ access to key types of data on Facebook while reviewing and approving all apps that request access to sensitive information,” Meta’s response letter read.
Facebook Privacy Lawsuit
Facebook has been the subject of a privacy lawsuit for the past four years. That lawsuit raised allegations the platform inappropriately shared user data with third parties including Cambridge Analytica.
Cambridge Analytica was a British political consulting firm that came under investigation in 2018 after allegations it had improperly used the data of 87 million Facebook users to support the 2016 “Brexit” vote for the UK to leave the European Union and Donald Trump’s 2016 election campaign. After the allegations came about, the political consulting firm filed for bankruptcy.
While Cambridge Analytica closed down, the lawsuit against Facebook has continued. In addition to their complaints about Cambridge Analytica, the plaintiffs allege Facebook’s practices had compromised their data privacy and that data “may be available on the dark web or in the hands of foreign nationals.”
In August, Meta agreed in principle to settle the lawsuit.
In December, the parties had reached a settlement figure of about $725 million. In that settlement agreement, Meta maintained that it had done nothing wrong and that its users consented to the practices and suffered no actual damages.