Donie O’Sullivan, Drew Griffin and Curt Devine* say a Russian internet company with links to the Kremlin was among the companies Facebook allowed to collect users’ data without their knowledge.
A Russian internet company with links to the Kremlin was among the firms to which Facebook gave an extension that allowed them to collect data on unknowing users of the social network after a policy change supposedly stopped such collection.
Facebook told CNN last week that apps developed by the Russian technology conglomerate Mail.Ru Group, were being looked at as part of the company’s wider investigation into the misuse of Facebook user data.
It said the Mail.Ru Group developed hundreds of Facebook apps, some of which were test apps that were not made public.
Only two apps were granted an extension, lasting two weeks, that would have allowed them to collect friend data beyond the cut-off date, Facebook said.
US Senator Mark Warner, the top Democrat on the Senate Intelligence Committee, said in a statement to CNN that Facebook’s relationship with Mail.Ru deserved further scrutiny.
“In the last six months we’ve learned that Facebook had few controls in place to control the collection and use of user data by third parties,” Warner said.
“Now we learn that the largest technology company in Russia, whose executives boast close ties to Vladimir Putin, had potentially hundreds of apps integrated with Facebook, collecting user data.”
“If this is accurate, we need to determine what user information was shared with Mail.Ru and what may have been done with the captured data.”
Prior to 2015, in some cases, when Facebook users interacted with the apps built by third-party developers on Facebook, the developer not only received data about that user, but also about the users’ friends — including name, gender, birthdate, location, photos, and what they “liked” on Facebook.
In 2014 Facebook announced it was changing the policy and would restrict developers’ access to data on app users’ friends by May 2015.
But two weeks ago, Facebook told the US Congress that it gave 61 companies, including Mail.Ru, an extension on access to the data beyond May 2015.
The admission came in a list of written answers Facebook provided to the House Energy and Commerce Committee.
Ime Archibong, Facebook’s vice president of partnerships, told CNN last week that Facebook had not found any evidence that the Mail.Ru Group had misused Facebook user data, but acknowledged that the investigation is continuing and would not answer if Facebook even has the ability to determine how the Russian company used data derived from Facebook.
Facebook would not say how much user data the Mail.Ru Group obtained or if any data was obtained about American citizens.
The company declined to elaborate on its methods for determining how Mail.Ru may have used personal data, citing confidentiality between Facebook and developers.
Archibong said that Facebook was devoting significant resources to investigating app developers, but he wouldn’t say if Russian-built apps were being prioritised for investigation over others.
He said, “Facebook is a global company with users all over the world so we work with developers globally to bring our services to people everywhere — as long as those developers adhere to our platform policies.”
“Mail.Ru, one of the top five largest internet companies in the world, has built apps for the Facebook platform and for other major platforms, including iOS and Android for years.”
“We’ve found no indication of misuse with Mail.Ru.”
“If we find misuse, we ban the developers.”
Mail.Ru told CNN that it had not been contacted by Facebook about its investigation into the misuse of user data.
Facebook told CNN it had contacted Mail.Ru about the investigation, but didn’t say when it first reached out.
Mail.Ru Group is controlled by USM Holdings, a company founded by Alisher Usmanov, who was included on a list the US Treasury Department published in January of Russian billionaires with ties to the Kremlin.
Russian investor Yuri Milner was the chairman of Mail.Ru Group until he stepped down in 2012.
He served as a member of then-Russian President Dmitry Medvedev’s Innovation Commission from 2009 to 2011.
The New York Times reported last year that Milner invested in Facebook and Twitter with hundreds of millions of dollars from Russian state institutions.
In interviews for that report, Milner said such money was no different from other international investments.
Mail.Ru’s large portfolio of companies includes an online gaming division, which has launched approximately 20 Facebook games.
The company said it acted in accordance with Facebook’s terms and conditions and it had not collected data on Facebook users, including Americans.
Facebook CEO, Mark Zuckerberg ordered an investigation into potential misuse of Facebook user data gathered through third-party apps a few days after the Cambridge Analytica story broke in March.
The revelations came a few months after it emerged that the Internet Research Agency (IRA), a Russian Government-linked troll group, posed as American activists on social media, including Facebook, in the run-up to the 2016 US Presidential election and after.
In April of this year, Facebook removed pages it said the IRA ran targeting Russian speakers, but similar pages are still active on Vkontakte, a Russian social media network owned by the Mail.Ru Group.
Despite Zuckerberg’s pledge, Facebook’s ability to determine how data on its users may have been stored is limited.
Sandy Parakilas, a former Facebook employee who now works at the Center for Humane Technology, told CNN, “Unfortunately there is no way for Facebook to know what happened to the data once it left its servers, so there’s no way for them to know if there was any misuse or not.”
* Donie O’Sullivan is a reporter for CNN. He tweets at @donie.
Drew Griffin is CNN Special Investigations Unit Reporter. He tweets at @DrewGriffinCNN.
Curt Devine is Producer for CNN Investigates. He tweets at @CurtDevine.
This article first appeared at money.cnn.com.