Facebook's arrangements with Amazon, Apple, BlackBerry and Samsung that allowed their devices to access data from the social network's users could further expose Facebook to steep fines and other penalties, experts said.
The practice - which may have occurred without users' full knowledge - drew sharp rebukes from lawmakers on Monday, who said Facebook has misled them about the way it collects and swaps consumers' data. And it could spark additional scrutiny from the Federal Trade Commission, which is already investigating Facebook for a series of other recent privacy mishaps.
"I think the more unauthorised sharing that comes out, the more the FTC is going to be inclined to impose a significant civil penalty on Facebook," said David Vladeck, a former top official at the agency when it punished Facebook in 2011.
On the Hill, Senator Richard Blumenthal said the new reports showed that Facebook "has failed to come clean with the American people about the extent, the scope and the scale, of data sharing. The secret agreements raise serious credibility issues about recent testimony."
Newly at issue is a series of relationships brokered over the past decade between Facebook and roughly 60 firms, including Amazon, Apple, BlackBerry, HTC, Microsoft and Samsung. Through a combination of legal agreements and software, Facebook "allowed companies to recreate Facebook-like experiences for their individual devices or operating systems," the social giant acknowledged in a blog post Monday. The New York Times first reported on the matter.
An arrangement with Apple, for example, allowed Facebook users to download profile photos for their friends and use them in their iPhone contact lists. Apple contends it did not store the data for itself.
An older BlackBerry device, meanwhile, appeared to access many categories of data, including messages, while tapping data about friends and others one step removed on the network, the Times found. In response, a spokesman for BlackBerry stressed that it "has always been in the business of protecting, not monetising, customer data."
Facebook declined Monday to detail a full list of device makers with which it had brokered such arrangements. But the company said it phased out its system in April. It acknowledged that device-makers may have kept data on their servers. And Facebook stressed in a blog post it is "not aware of any abuse by these companies."
In the United States, the tech giant's treatment of its users' sensitive information triggered new questions as to whether Facebook violated a settlement it brokered with the FTC in 2011 over a different privacy mishap. At the centre of that consent decree is a requirement that Facebook be more transparent about the data it collects about its users.
The agency is already investigating if Facebook ran afoul of that accord in another matter: allowing a political consultancy, Cambridge Analytica, to access 87 million users' personal data, including the pages they had "liked" on the site. The potential for additional infractions may only compound Facebook's legal woes.
"This company from what I've seen has disregarded a consent decree and behaved in a way that is inimical to consumers' interest," Vladeck said. "You shouldn't be able to lie to people."
Vladeck said the additional penalties could include a court-ordered monitor of Facebook's business practices, injunctions against particular ways of using consumers' data or heightened monitoring by the FTC.
In Congress, meanwhile, some Democratic lawmakers on Monday also rebuked Facebook CEO Mark Zuckerberg. In April, multiple committees on Capitol Hill had peppered him with questions about Facebook's dealings with Cambridge Analytica. They said the new reports only heightened the need for additional scrutiny - in Congress and at the FTC - focused on Facebook's business practices.
"Facebook and other data collectors, including these device manufacturers, should be prepared to come before Congress so that we can get a better grasp of the entire data collection ecosystem," New Jersey Rep. Frank Pallone, the top Democrat on the House Energy and Commerce Committee, said in a statement.
Minnesota Sen. Amy Klobuchar later stressed in a statement that the incident demonstrated the need to pass comprehensive online privacy reform legislation, which she offered earlier this year. "I'm extremely concerned that we are just now learning that even more personal user data was provided without consent," she said.
Legally, Facebook's fate may rest on a few key phrases.
Under the 2011 decree with the FTC, Facebook is required to obtain permission before sharing a user's private information with a third party in a way that exceeds that user's existing privacy settings. The agreement defines "third party" to include a whole host of other individual entities, potentially like advertisers or app-makers. But it exempts "service provider[s]" who help Facebook carry out basic functions of its site.
To that end, Facebook contends that companies like Samsung or BlackBerry in these cases are suppliers, not third parties. In a blog post, a company executive also stressed Monday that "friends' information, like photos, was only accessible on devices when people made a decision to share their information with those friends."
"These contracts and partnerships are entirely consistent with Facebook's FTC consent decree," Ime Archibong, Facebook's vice president of Product Partnerships, said in a statement.
Vladeck, the former FTC official, said regulators could see it differently. "Facebook has not really explained how it obtained consent for the sharing of this data," he said in an interview. "It may be they see [device makers] as first parties, but they're plainly not under the consent decree."
The FTC declined to comment. One of the commission's Democratic members, Commissioner Rohit Chopra, declined to discuss Facebook. But he said more generally in a statement: "FTC orders are not suggestions. If a company violates them, there can and should be serious consequences."
In New York, meanwhile, state Attorney General Barbara Underwood also pledged to investigate the matter, adding on to its existing probe into Facebook's relationship with Cambridge Analytica. "Consumers have the right to know how their personal information is being used, and the companies we trust with our information have a critical responsibility to protect it," Underwood said in a statement.