Zuckerberg leveraged Facebook user data to fight rivals and help frat
boy friends, leaked documents show
leaders seriously discussed selling access to user data — and privacy
was an afterthought.
Leaked internal Facebook documents show that the plans to
sell access to user data were discussed for years and received support
from Facebook’s most senior executives, including CEO Mark Zuckerberg
and chief operating officer Sheryl Sandberg. Doug
Chayka for NBC News / Getty Images
Solon and Cyrus Farivar
Facebook CEO Mark Zuckerberg oversaw plans to
consolidate the social network’s power and control competitors by
treating its users’ data as a bargaining chip, while publicly
proclaiming to be protecting that data, according to about 4,000
pages of leaked company documents largely spanning 2011 to 2015
and obtained by NBC News.
The documents, which include emails, webchats,
presentations, spreadsheets and meeting summaries, show how
Zuckerberg, along with his board and management team, found ways
to tap Facebook’s trove of user data — including information about
friends, relationships and photos — as leverage over companies it
In some cases, Facebook would reward favored companies
by giving them access to the data of its users. In other cases, it
would deny user-data access to rival companies or apps.
For example, Facebook gave Amazon extended access to user data
because it was spending money on Facebook advertising and partnering with
the social network on the launch of its Fire smartphone. In another case,
Facebook discussed cutting off access to user data for a messaging app
that had grown too popular and was viewed as a competitor, according to
All the while, Facebook was formulating a strategy to publicly
frame these moves as a way of protecting user privacy.
Private communication between users is “increasingly important,”
Zuckerberg said in a 2014
New York Times interview. “Anything we can do that makes people feel
more comfortable is really good.”
But the documents show that behind the scenes, in contrast with
Facebook’s public statements, the company came up with several ways to
require third-party applications to compensate Facebook for access to its
users’ data, including direct payment, advertising spending and
data-sharing arrangements. While it’s not unusual for businesses that are
working together to share information about their customers, Facebook has
access to sensitive data that many other companies don’t possess.
Facebook ultimately decided not to sell the data directly but
rather to dole it out to app developers who were considered personal
“friends” of Zuckerberg or who spent money on Facebook and shared their
own valuable data, the documents show.
Facebook denied that it gave preferential treatment to
developers or partners because of their ad spending or relationship with
executives. The company has not been accused of breaking the law.
About 400 of the 4,000 pages of documents have previouslybeenreported
by other media outlets, and also by a member of the British Parliament who
has been investigating
Facebook’s data privacy practices in the wake of the Cambridge Analytica
scandal. However, this cache represents the clearest and most
comprehensive picture of Facebook’s activities during a critical period as
the company struggled to adapt to the rise of smartphones following its
rocky debut as a public company.
The thousands of newly shared documents were anonymously leaked
to the British investigative journalist Duncan Campbell, who shared them
with a handful of media organizations: NBC News, Computer Weekly and
Süddeutsche Zeitung. Campbell, a founding member of the International
Consortium of Investigative Journalists, is a computer forensics expert
who has worked on international investigations including on offshore
banking and big tobacco. The documents appear to be the same ones obtained
by Parliament in late 2018 as part of an investigation into
Facebook. Facebook did not question the authenticity of the documents NBC
The documents stem from a California court case between the
social network and the little-known startup Six4Three, which sued
Facebook in 2015 after the company announced plans to cut off access
to some types of user data. Six4Three’s app, Pikinis, which soft-launched
in 2013, relied on that data to allow users to easily find photos of their
friends in bathing suits.
Facebook has acknowledged that it considered charging
for access to user data. But Facebook has challenged the
significance of those discussions, telling the Wall Street Journal last
year and NBC News this month that the company was merely mulling various
Facebook has also repeatedly said that the documents had been “cherry-picked”
and were misleading. Facebook reiterated this stance when NBC News
contacted the social media company for comment on the newly leaked
“As we’ve said many times, Six4Three — creators of the Pikinis
app — cherry picked these documents from years ago as part of a lawsuit to
force Facebook to share information on friends of the app's users,” Paul
Grewal, vice president and deputy general counsel at Facebook, said in a
statement released by the company.
“The set of documents, by design, tells only one side of the
story and omits important context. We still stand by the platform changes
we made in 2014/2015 to prevent people from sharing their friends'
information with developers like the creators of Pikinis. The documents
were selectively leaked as part of what the court found was evidence of a
crime or fraud to publish some, but not all, of the internal discussions
at Facebook at the time of our platform changes. But the facts are clear:
we've never sold people’s data.”
NBC News has not been able to determine whether the documents
represent a complete picture. Facebook declined to provide additional
evidence to support the claim of cherry-picking.
Still, these freshly leaked documents show that the plans to
sell access to user data were discussed for years and received support
from Facebook’s most senior executives, including Zuckerberg, chief
operating officer Sheryl Sandberg, chief product officer Chris Cox and VP
of growth Javier Olivan. Facebook declined to make them available for
After NBC News contacted Facebook for comment, Facebook’s
to the judge in the Six4Three case, claiming that Six4Three had
leaked the documents to a “national broadcast network” and seeking to
depose Six4Three’s founders. NBC News received the documents from
Campbell, who received them from an anonymous source. Six4Three denied
leaking the documents.
When Facebook ultimately cut off broad access to user data in
2015, the move contributed to the decline of thousands of competitors and
small businesses that relied on what Facebook had previously described
as a “level-playing field” in terms of access to data. In addition
to Pikinis, the casualties included Lulu, an app that let women rate the
men they dated; an identity fraud-detecting app called Beehive ID; and
Swedish breast cancer awareness app Rosa Bandet (Pink Ribbon).
The strategy orchestrated by Zuckerberg had some of his
employees comparing the company to villains from Game of Thrones, while
David Poll, a senior engineer, called the treatment of outside app
developers “sort of unethical,” according to the documents. But
Zuckerberg’s approach also earned admiration: Doug Purdy, Facebook’s
director of product, described the CEO as a “master of leverage,”
according to the documents.
Facebook declined to comment on these employee communications.
A PRIVACY MYTH
One of the most striking threads to emerge from the documents is
the way that Facebook user data was horse-traded to squeeze money or
shared data from app developers.
In the wake of the Cambridge Analytica scandal in early 2018 and
rising awareness of the Six4Three case, Facebook
has attempted to frame changes it made to its platform in 2014 and
2015 as being driven by concerns over user privacy. In statements to media
organizations, Facebook has said it locked down its platform to protect
users from companies that mishandled user data, such as Cambridge
Analytica, as well as apps that spammed users’ news feeds or were creepy,
such as Six4Three’s bikini-spotting app Pikinis.
However, among the documents leaked, there’s very little
evidence that privacy was a major concern of Facebook’s, and the issue was
rarely discussed in the thousands of pages of emails and meeting
summaries. Where privacy is mentioned, it is often in the context of how
Facebook can use it as a public relations strategy to soften the blow of
the sweeping changes to developers’ access to user data. The documents
include several examples suggesting that these changes were designed to
cement Facebook’s power in the marketplace, not to protect users.
In Six4Three’s case, for example, Facebook’s head of policy
Allison Hendrix acknowledged in a June 2017 deposition obtained by NBC
News that the social network never received any complaints about the
Pikinis app, nor did Facebook send Six4Three any policy or privacy
violation notices. Six4Three, Hendrix confirmed, was playing within the
rules Facebook had set for developers.
Despite this, Six4Three’s access to data, specifically access to
a user’s friends’ photos, was cut off in April 2015 as part of sweeping
changes to Facebook’s platform announced a year earlier, which affected as
many as 40,000 apps. Six4Three shut down the app soon afterward.
“Our case is about Zuckerberg’s decision to weaponize the
reliance of companies on his purportedly neutral platform and to weaponize
the private and sensitive data of billions of people,” said Six4Three
founder Ted Kramer.
A TURNING POINT FOR FACEBOOK
Facebook recognized early on that working with third-party app
developers could help make the social network more interesting and drive
the platform’s expansion. Beginning in early 2010, Facebook created tools
that allowed the makers of games (remember Farmville?) and other apps to
connect with its audience in return for ensuring those users spent more
time on Facebook.
Facebook achieved this through its “Graph API” (Application
Programming Interface), a common means to allow software programs to
interact with each other. In Facebook’s case, this meant that third-party
apps such as games could post updates on people’s profiles, which would be
seen by players’ friends and potentially encourage them to play, too.
Beyond that, it allowed the makers of those games to access a slew of data
from Facebook users, including their connections to friends, likes,
locations, updates, photos and more.
The Graph API — and particularly the way it let third parties
promote their products to and extract data from a user’s social
connections — was a key feature of Facebook that Six4Three and thousands
of other companies relied upon for viral marketing and user growth.
However, after a few years, Facebook decided the app developers
were getting more value from the user data they extracted from Facebook
than Facebook was getting out of the app developers, the documents show.
After Facebook went public in May 2012, its stock price
plummeted, which Zuckerberg
later characterized as “disappointing.” The company was in a
desperate position, documents show, with users sharing fewer photos and
posts on the platform as they spent more time on their cellphones. An
internal Facebook presentation looking back at this period used the phrase
“terminal decline” to describe the fall in engagement.
Facebook executives, including Zuckerberg and Sandberg, spent
months brainstorming ways to turn the company around. An idea that they
kept returning to: make money from the app partners, by charging them for
access to Facebook’s users and their data.
‘SELL DATA FOR $”
Several proposals for charging developers for access to
Facebook’s platform and data were put forward in a presentation to the
company’s board of directors, according to emails and draft slides from
late August 2012.
Among the suggestions: a fixed annual fee for developers for
reviewing their apps; an access fee for apps that requested user data; and
a charge for “premium” access to data, such as a user trust score or a
ranking of the strongest relationships between users and their friends.
“Today the fundamental trade is ‘data for distribution’ whereas
we want to change it to either ‘data for $’ and/or ‘$ for distribution,’”
Chris Daniels, a Facebook business development director, wrote in an
August 2012 email to other top leaders in the company discussing the
Discussions continued through October, when Zuckerberg explained
to close friend Sam Lessin the importance of controlling third-party apps’
ability to access Facebook’s data and reach people’s friends on the
platform. Without that leverage, “I don’t think we have any way to get
developers to pay us at all,” Zuckerberg wrote in an email to Lessin.
In the same week, Zuckerberg floated the idea of pursuing 100
deals with developers “as a path to figuring out the real market value” of
Facebook user data and then “setting a public rate” for developers.
“The goal here wouldn’t be the deals themselves, but that
through the process of negotiating with them we’d learn what developers
would actually pay (which might be different from what they’d say if we
just asked them about the value), and then we’d be better informed on our
path to set a public rate,” Zuckerberg wrote in a chat.
Facebook told NBC News that it was exploring ways to build a
sustainable business, but ultimately decided not to go forward with these
just can’t think of any instances where that data has leaked from
developer to developer and caused a real issue for us.”
Zuckerberg was unfazed by the potential privacy risks associated
with Facebook’s data-sharing arrangements.
“I’m generally skeptical that there is as much data leak
strategic risk as you think,” he wrote in the email to Lessin. “I think we
leak info to developers but I just can’t think of any instances where that
data has leaked from developer to developer and caused a real issue for
Facebook told NBC News that this was an example of a
cherry-picked email designed to bolster Six4Three’s case.
Zuckerberg didn’t know it at the time, but a privacy bug
affecting an unnamed third-party app would create precisely this kind of
strategic risk the following year, according to a panicked chatlog between
Michael Vernal, who was director of engineering, and other senior
It’s not clear exactly what happened or which app was involved,
but it appears that Zuckerberg’s private communications could have leaked
from Facebook to the external app in an unexpected way.
Vernal said that it “could have been near-fatal for Facebook
platform” if “Mark had accidentally disclosed earnings ahead of time
because a platform app violated his privacy.”
“Holy crap,” replied Avichal Garg, then director of product
“DO NOT REPEAT THIS STORY OFF OF THIS THREAD,” added Vernal. “I
can’t tell you how terrible this would have been for all of us had this
not been caught quickly.”
Vernal and Garg did not respond to requests for comment.
‘GOOD FOR THE WORLD’ BUT NOT ‘GOOD FOR US’
In late November 2012, Zuckerberg sent a long email to
Facebook’s senior leadership team saying that Facebook shouldn’t charge
developers for access to basic data feeds. However, he said that access to
Facebook data should be contingent on the developers sharing all of the
“social content” generated by their apps back to Facebook, something
Zuckerberg calls “full reciprocity.”
The existing arrangement, where developers weren’t required to
share their data back with Facebook, might be “good for the world” but
it’s not “good for us,” Zuckerberg wrote in the email.
He noted that though Facebook could charge developers to access
user data, the company stood to benefit more from requiring developers to
compensate Facebook in kind — with their own data — and by pushing those
developers to pay for advertising on Facebook’s platform.
The endgame: to ensure Facebook maintained its dominant position
in the market.
“The purpose of the platform is to tie the universe of all the
social apps together so we can enable a lot more sharing and still remain
the central social hub,” Zuckerberg said in the email.
Facebook told NBC News that the focus of “full reciprocity” was
to enable users to share their experiences within external apps with their
friends on Facebook, not about providing Facebook with user data.
With Zuckerberg’s vision for Facebook set, the company began
making deals with some of its most valued partners, including dozens of
app developer friends of Zuckerberg and Sandberg. Facebook whitelisted
their access to feeds of user data while restricting that same access to
apps that Facebook viewed as competitors.
These data access deals prepared key partners, including Tinder,
Sony and Microsoft, for sweeping changes to the Facebook platform that the
company planned to announce at its annual developer conference in April
2014 and enforce within a year.
In one instance, described in June 2013 documents, Amazon
received special treatment for the launch of a group gifting product,
despite the fact that it competed with one of Facebook’s own products.
“Remind me, why did we allow them to do this? Do we receive any
cut of purchases?” Chris Daniels, then Facebook’s director of business
development, asked in an email.
“No, but Amazon is an advertiser and supporting this with
advertisement ... and working with us on deeper integrations for the
Fire,” Amazon’s smartphone, replied Jackie Chang, who worked with
Facebook’s “strategic partners.”
Amazon released a statement to NBC News: “Amazon uses publicly
available APIs provided by Facebook in order to enable Facebook
experiences for our products and only uses information in accordance with
Apps that were not considered “strategic partners” got different
treatment. In a March 2013 discussion, Justin Osofsky, then director of
platform partnerships, described restricting the MessageMe app from
accessing Facebook data because it had grown too popular and could compete
with Facebook messages. He asked colleagues to see if any other messenger
apps have “hit the growth team’s radar recently.”
“If so, we'd like to restrict them at the same time to group
this into one press cycle," he wrote in an email.
‘IT’S SORT OF UNETHICAL’
Deal negotiations created confusion among partners who had grown
accustomed to unfettered access to Facebook user data.
“We gave a bunch of stuff ‘for free’ historically (data,
distribution) and now we’re making you ‘pay’ for it via reciprocal value,”
Vernal, director of engineering, wrote in an email in June 2013. He added,
“The confusing thing here is that we haven’t really announced these
changes publicly/broadly yet.”
Some Facebook employees were unhappy about this direction,
particularly the way the company appeared to be blocking competitors from
Here’s an extract from a December 2013 chatlog between several
senior engineers talking about the changes:
Bryan Klimt: “So we are literally going to group apps into
buckets based on how scared we are of them and give them different APIs?
... So the message is, ‘if you’re going to compete with us at all, make
sure you don’t integrate with us at all’? I’m just dumbfounded.”
Kevin Lacker: “Yeah this is complicated.”
David Poll: “More than complicated, it’s sort of unethical.”
Lacker and Poll declined to comment. Vernal and Klimt did not
respond to requests for comment.
Facebook declined to comment on the employee exchanges.
THE PR SPIN
When it came to publicly announcing the sweeping changes at
Facebook’s annual F8 developer conference in April 2014, members of the
communications team worked with Zuckerberg to craft a narrative around
user trust, not competition or profitability.
In a March 2014 email discussing Zuckerberg’s keynote speech at
the event, where he was due to announce the removal of developers’ access
to friends’ data, Jonny Thaw, a director of communications, wrote that it
“may be a tough message for some developers as it may inhibit their
“So one idea that came up today was potentially talking in the
keynote about some of the trust changes we’re making on Facebook itself.
So the message would be: ‘trust is really important to us — on Facebook,
we’re doing A, B and C to help people control and understand what they’re
sharing — and with platform apps we’re doing D, E and F.’”
If that doesn’t work, he added, “we could announce some of
Facebook’s trust initiatives in the run up to F8” to make the changes for
developers “seem more natural.”
Facebook told NBC News that it was “completely reasonable” for
someone on the communications team to discuss the best way to get the
message out on changes to the platform.
User trust was crucial when Zuckerberg delivered his speech at
the event on April 30, 2014.
“Over the years, one of the things we’ve heard over and over
again is that people want more control over how they share their
information, especially with apps, and they want more say and control over
how apps use their data,” he told
the audience of journalists and developers. “And we take this really
seriously because if people don’t have the tools they need to feel
comfortable using your apps, that’s bad for them and that’s bad for you.”
But despite Facebook’s public focus on privacy, staff member
emails described confusion over the way third-party apps could override
users’ privacy settings.
Even if users locked down their account so that their photos and
other data were visible to “only me,” those photos could still be
transferred to third parties, according to the documents.
In April 2015, Connie Yang, a product designer, told her
colleagues that she’d discovered apps collecting profile data she had
marked as “only me” and displaying it to “both you and *other people*
using that app.”
“While ‘whoa how did you start working at Casterly Rock’ is a
fun opener,” she wrote, referring to the ancestral stronghold of the most
fearsome family in “Game of Thrones,” “isn’t this directly violating what
we tell users is ‘only me’?”
Yang did not respond to requests for comment.
Facebook said this was another example of cherry-picked emails.
THE DOCUMENTS’ LEGACY
Even though Facebook eventually decided not to charge developers
directly for access to user data, the extensive discussions around its
monetary value, shown in the leaked documents, could create lasting
problems for the company, privacy and policy experts say.
The biggest threat Facebook faces now is not competition but
antitrust regulation, which is designed to promote fair competition among
companies for the benefit of consumers, using fines or restrictions on
mergers and acquisitions.
Regulators have typically struggled to build robust antitrust
cases against technology companies that offer services to users for free.
If the product is free, then it’s harder to argue that the consumer is
being harmed by a monopoly.
But if regulators can show that users were paying for access to
Facebook with their personal data, and that Facebook valued that data as
leverage against competitors, that could expose Facebook to an antitrust
complaint, said Jason Kint, CEO of Digital Content Next, a trade
association representing digital publishers.
“These emails clearly establish the value of consumer data to
Facebook,” Kint said. “It shows that it is not free.”
Facebook said that the service has always been free for users
In February, the Federal Trade Commission announced a task force
to monitor anti-competitive behavior in the tech industry to, in the words
of FTC chair Joseph Simons, “ensure consumers benefit from free and
Policymakers have called for the FTC to investigate Facebook
specifically for violating antitrust laws.
The company “appears to have used its dominance to cripple other
competitive threats by cutting them off from its massive network,” Rep.
David Cicilline, D-R.I., chairman of the House Judiciary antitrust
subcommittee, wrote in a New
York Times op-ed last month.
Facebook appears to be preparing for the inevitable, with
Zuckerberg writing his own op-ed in The Washington
Post in March calling for regulation in areas including harmful
content and election integrity, but not antitrust. Facebook watchers saw
this show of willingness as an attempt by Zuckerberg to curry favor with
policymakers at a time when many are baying for the company’s blood.
Ashkan Soltani, a privacy expert and former FTC chief
technologist, said that Zuckerberg is approaching the looming threat of
regulation with “bravado” and trying to “leverage things for his benefit.”
Carroll, a professor at the New School, who pursued legal claims in
the U.K. in the wake of the Cambridge Analytica data scandal, says
Zuckerberg is “bracing for impact.”
“When the penalty hits they can be like, ‘Yeah, we agree, we
deserve this fine.’ It positions them to be conciliatory,” Carroll said.