NEW YORK • As Facebook sought to become the world's dominant social media service, it struck agreements allowing phone and other device makers access to vast amounts of its users' personal information.
Facebook has reached data-sharing partnerships with at least 60 device makers - including Apple, Amazon, BlackBerry, Microsoft and Samsung - during the last decade, starting before Facebook apps were widely available on smartphones, company officials said.
Facebook allowed the device companies access to the data of users' friends without their explicit consent, even after declaring that it would no longer share such information with outsiders.
Some device makers could retrieve personal information even from users' friends who believed they had barred any sharing, The New York Times found.
The deals, most of which remain in effect, allow the social media firm to expand its reach and let device makers offer customers popular features of the social network, such as messaging, "like" buttons and address books.
But the partnerships, whose scope has not previously been reported, raise concerns about the company's privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission (FTC).
It's like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission.
MR ASHKAN SOLTANI, a research and privacy consultant, on the ability to override Facebook's sharing restrictions.
Facebook came under intensifying scrutiny after news reports in March that a political consulting firm, Cambridge Analytica, misused the private information of tens of millions of Facebook users.
In the furore that followed, Facebook's leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users' friends.
But the company officials did not disclose that Facebook had exempted the makers of mobile phones, tablets and other hardware from such restrictions.
In interviews, Facebook officials defended the data-sharing as consistent with its privacy policies, the FTC agreement and pledges to users. They said its partnerships were governed by contracts that strictly limited use of the data, including any stored on partners' servers.
The officials added that they knew of no cases where the information had been misused.
The company views its device partners as extensions of Facebook, serving its more than two billion users, the officials said.
"Contrary to claims by the New York Times, friends' information, like photos, was only accessible on devices when people made a decision to share their information with those friends," said Mr Ime Archibong, a Facebook vice-president.
"These partnerships work very differently from the way in which app developers use our platform."
Unlike developers that provide games and services to Facebook users, the device partners can use Facebook data only to provide versions of "the Facebook experience", the officials said.
"There were no app stores at the time and this was the only way to make our product work on their devices. We tightly controlled these APIs (application programming interfaces) from the get-go," Mr Archibong said.
Tests by the New York Times showed that the partners requested and received data in the same way other third parties did.
Facebook's view that the device makers are not outsiders lets the partners go even further, the Times found. They can obtain data about a user's Facebook friends, even those who have denied Facebook permission to share information with any third parties.
In interviews, former Facebook software engineers and security experts were surprised at the ability to override sharing restrictions.
"It's like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission," said Mr Ashkan Soltani, a research and privacy consultant.
The device partnerships provoked discussion even within Facebook as early as 2012, according to Ms Sandy Parakilas, who led Facebook's third-party advertising and privacy compliance department at the time.
"This was flagged internally as a privacy issue," said Ms Parakilas, who left Facebook that year and has recently emerged as a harsh critic of the company.
"It is shocking that this practice may still continue six years later, and it appears to contradict Facebook's testimony to Congress that all friend permissions were disabled."
NYTIMES, REUTERS, BLOOMBERG