Since march when the news broke that the political consulting firm Cambridge Analytica used a Facebook app to amass data on as many as 87 million people without their consent, the social networking giant has been forced to repeatedly answer for how it has given away user data and who it’s given that data to. In the immediate wake of the scandal, Facebook rushed to defend itself in a blog post, saying that in 2014, it changed an element of its API to prevent apps from collecting data on their users’ friends, as the Cambridge Analytica app did. Facebook has since clarified that while it announced this change in 2014, apps that already had access to people’s friends’ data continued to have access until May 2015.
Then, in more than 700 pages of written responses delivered to the House Energy and Commerce Committee late last month, Facebook acknowledged that some apps had this access for up to six months longer, to allow them to “come into compliance” with the new rules. There were dozens of companies on the list, including dating apps like Hinge and music-streaming services like Spotify, but one may raise more than a few eyebrows in Washington: the Russian internet giant Mail.ru.
According to Facebook, Mail.ru was given a two-week extension to wind down a feature on two messaging apps that enabled users to see their Facebook friend lists and message with people who also had the Mail.ru apps. During the extension, at least, the app only had access to people’s friend lists, not any information about those friends’ likes or interests. And yet, long before that extension was in place, Facebook says Mail.ru ran hundreds of apps on the platform, all of which operated under Facebook’s old rules, which didallow app developers to collect their users’ friends’ data. Some of those apps began operating as early as 2009.
“Some apps were built prior to the platform change in 2015, so they did have access to the earlier version of our platform,” a Facebook spokesperson said. “That made it possible for users to consent to sharing information about themselves, as well as their friends.”
Facebook says the majority of Mail.ru’s apps were test apps that remained private and that only a handful actually launched publicly. It did not share details on how many users may have had their information exposed to Mail.ru apps without their consent. The company adds that Mail.ru’s collection of apps have not had access to people’s friends’ data since May 2015, when Facebook changed its API. Still, Facebook is now investigating Mail.ru, along with all other apps that had access to large quantities of user data prior to the changes. But, the spokesperson says the investigation is not itself a condemnation. “We found no indication of misuse with Mail.ru. If we detect any suspicious activity or potential misuse, that’s when we formally audit a company.”
Facebook granted thousands of other companies the same data access as Mail.ru prior to 2015. And yet, recent concern over Russia’s manipulation of social networks in the run-up to the 2016 election may cast the relationship between the two companies in a new light.
In a statement to a spokesperson for Mail.ru wrote, “We assume that while changing API Facebook changed the terms for the clients who had popular applications that had not been updated to the latest version […] We definitely use our cooperation with Facebook strictly for business needs of our products and strictly according to the Facebook regulations.”
The fact that Facebook would have brokered an extension with Mail.ru may not come as a surprise to people who are familiar with Facebook CEO Mark Zuckerberg’s relationship with Yuri Milner. The Russian billionaire and Mail.ru founder was also a major investor in Facebook. (A spokesperson for Milner said in a statement, “Yuri Milner has not been involved as CEO of Mail.ru since 2003. Shortly after the IPO of Mail.ru in 2010, he sold all of his shares in the company. In 2012, he stepped down from the board of directors and has not been involved since then.”)
Over the last year, reports have also surfaced about Milner’s ties to the Kremlin. In November 2017, following the so-called Paradise Papers leak of 13.4 million confidential documents related to offshore payments, The New York Times reported that Milner had received hundreds of millions of dollars in Russian state funding, which he used in part to invest in both Facebook and Twitter through his international investment firm, DST Global.
While nothing in the reports suggested that the investments were part of Russian influence operations, the news broke after the US launched federal investigations into Russian interference in the election. Milner defended his reputation in an open letter last fall, saying the suggestion that he tried to infiltrate American tech companies to help Russia was “far-fetched” and a “fairy tale.”
In a statement following Facebook’s disclosures, the House committee’s ranking member, New Jersey Democrat Frank Pallone Jr., said Facebook’s answers to Congress “raise more questions than they answer.” While he didn’t respond to WIRED’s request for comment regarding Mail.ru, Pallone Jr. said in the statement, “It’s disconcerting that four months after this scandal became public Facebook still has no idea how many others have its users’ data and how that data is being used today.”
Democratic senator Mark Warner, who has been investigating Russia’s manipulation of social media platforms as vice chairman of the Senate Intelligence Committee, said in a statement, “We need to determine what user information was shared with Mail.ru and what may have been done with the captured data.” Warner expressed particular concern that current Mail.ru executives including Ali Usmanov “boast close ties to Vladimir Putin.”1
At the very least, the fact that Facebook is only now coming forward with this bit of information, nearly a year after investigations into Russian actors’ manipulation of Facebook began, indicates a glaring lack of transparency on Facebook’s part. Throughout its thousands of responses to the House committee, Facebook was asked repeatedly about what access Russian state agencies had to Facebook user data. Facebook responded saying that it received 34 requests for data from the Russian government between 2013 and 2017 and didn’t provide data in response to any of them. But experts say the Mail.ru deal, viewed alongside the news that Facebook gave data to device manufacturers including Chinese companies like Huawei, reflects naïveté on Facebook’s part about the power that international regimes have over businesses within their borders.
“If you are a Russian businessperson of a certain scale, you can’t escape the requirements Russian intelligence services are going to put on you,” says Brett Bruen, a US diplomat who served as director of global engagement under President Obama and now runs the consulting firm Global Situation Room. “This is the reality of doing business in Russia today.”
It’s not unique to Russia, either. Bruen notes that the National Security Agency in the United States has found its own ways to hoover data from American tech companies, as revealed by whistleblower Edward Snowden. The Cambridge Analytica scandal looks tiny in comparison to what a state-sponsored intelligence agency could do with all of that data. “Cambridge Analytica was a relatively small company that was fiddling on the edges,” Bruen says. “Now put that information in the hands of a massive intelligence agency.”