How Facebook’s ‘Switcheroo’ plan concealed scheme to kill popular apps
Leaked documents reveal how Facebook used and abused app developers, cut off data to competitors, gave privileged access to its friends and used privacy as a cover story
A congressional committee investigating anti-competitive behaviour in digital technology has been provided with key documents that show how Facebook used its dominant position to shut down or damage app developers it considered to be rivals.
The House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law has been sent thousands of pages of documents, previously obtained by Computer Weekly, after Facebook ignored requests from the committee for the documents.
The cache of 7,000 confidential internal emails demonstrates how Facebook cut some companies’ access to its application programming interfaces (APIs), gave other companies preferential access to its data, and tried to force developers to buy advertising or hand over data in return for continued access to Facebook users’ friends data.
Starting eight weeks ago, the judiciary’s antitrust committee began asking Facebook to hand over internal correspondence relating to the social media firm’s decision to cut competing app developers’ access to Facebook data and to require others to buy advertising to maintain access to its APIs.
Computer Weekly has used its unique access to the Six4Three documents – all of which can be downloaded – to show examples of Facebook’s behaviour that are likely to raise questions from regulators and law makers conducting antitrust inquiries.
The documents, placed under seal in a Californian court, are likely to feature prominently in the committee’s inquiries. They were disclosed as part of a legal action brought by Six4Three, a now defunct application developer that claims Facebook forced it, and other app developers, out of business.
The US has three federal antitrust laws. They prohibit organisations from unreasonably abusing monopoly power, ban unfair methods of competition and unfair or deceptive acts and practices, and prohibit mergers and acquisitions that would substantially lessen competition (see box: US antitrust laws explained).
The laws were designed in an age where companies sold goods and services for a price, and anti-competitive behaviour was likely to lead to consumers paying higher prices. However, Microsoft’s legal battle over bundling its free Internet Explorer web browser into the Windows operating system offers a potential precedent for how lawmakers have targeted tech companies using the existing legislation (see box: Microsoft’s browser battle).
US antitrust laws explained
Sherman Act 1890
The Sherman Act was the first antitrust law passed in the US. Its aim is to preserve free and unfettered competition. The act outlaws every “contract, combination, or conspiracy in restraint of trade” and any “monopolisation, attempted monopolisation, or conspiracy or combination to monopolise”, but only if the actions are deemed “unreasonable”. Under section 2 of the Sherman Act, it is illegal for a company with monopoly power to engage in exclusionary conduct to maintain or enhance power.
Most enforcement actions are brought under civil law, however the US Department of Justice can also bring criminal prosecutions. Civil penalties can be up to $100m for a corporation and $1m for an individual, plus up to 10 years in prison.
The Federal Trade Commission Act 1914
Actions under this act can only be brought by the US Federal Trade Commission. The act bans “unfair methods of competition” and “unfair or deceptive acts or practices”. The Federal Trade Commission can also bring actions for violations under the Sherman Act.
Clayton Act 1914
The Clayton Act addresses mergers and acquisitions and other competition issues that are not covered by the Sherman Act. Section 7 of the act prohibits mergers and acquisitions where the effect may be to “substantially lessen competition” or to “create a monopoly”. An amendment in 1976 requires companies planning large mergers or acquisitions to notify the government of their plans in advance. The act allows private parties to sue for triple damages when they have been harmed by conduct that violates the Sherman or Clayton Act.
State laws
Most states have antitrust laws that are enforced by state attorneys general or through private court actions.
Source: US Federal Trade Commission, Congressional Research Service Antitrust and Big Tech.
Now regulators are attempting to work out how antitrust laws can be applied to internet companies such as Facebook, which provide free services, and are turning their attention to how anti-competitive behaviour could affect the privacy of people who use free digital services.
Bill Dillon, an attorney with 20 years’ experience in antitrust investigations at the US Department of Justice, argues that US law is ill-equipped to regulate big technology companies such as Facebook.
The European Union (EU), Dillon argues, is now better equipped than the US to enforce competition in big tech.
“If you go back two decades, the US Department of Justice antitrust division was the global leader in antitrust enforcement,” he says, adding that now the EU’s antitrust enforcement “far surpasses the US in terms of dollars and markets effectively regulated”.
In theory, app developers could take legal action under the Sherman Act if they believe they have been unfairly forced to spend money on advertisements to secure access to data. “The advertising volume, because it’s measurable in money, is much more susceptible to being addressed,” said Dillon.
In practice, few organisations can afford to take legal action against a company with the resources of Facebook, as Six4Three’s legal action, which is languishing in a state court in San Mateo, California, demonstrates. Facebook has denied all allegations.
Microsoft’s browser battle
Microsoft faced long-running battles on both sides of the Atlantic in the 2000s after it bundled a web browser into the Microsoft Windows operating system, harming companies that developed competitive browsers.
Microsoft’s behaviour prompted allegations that it had abused its position in the market by stifling competition, leading to investigations in the EU and the US.
In the US, Microsoft agreed a settlement with the US Department of Justice in November 2001. The settlement prevented Microsoft from entering exclusive distribution agreements or offering selective price cuts to computer manufacturers, and required it to disclose information about its operating systems to help competitors design their own products.
The company came to a settlement agreement with the EU in 2010, after promising to give users the option of choosing different web browsers. The EU fined Microsoft €560m after the software firm failed to honour the rights of consumers to have a choice in a later Windows update.
What the Six4Three documents reveal
The Six4Three documents, which were obtained by investigative journalist Duncan Campbell and shared with Computer Weekly, NBC News and other news organisations, raise new questions about Facebook’s behaviour and the effectiveness of existing antitrust laws.
Last week, Campbell supplied the documents to congressman David Cicilline, chairman of the US Congress House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law, after Facebook did not respond to the committee’s request – first reported by AP – to supply them.
Some of the documents were previously obtained by the UK Parliament’s Digital, Culture, Media and Sport (DCMS) Committee in November 2018 as part of its investigation into “fake news”. The committee has published more than 250 pages.
The Six4Three cache, which contains hundreds of pages marked “highly confidential”, shows that Facebook executives decided to cut off access to vital data to harm third-party developers that the social media firm worried would compete with Facebook.
What follows are the key highlights from the Six4Three documents that are likely to prompt further questions from congressional investigators.
They show how Facebook executives created blacklists to prevent competitors from accessing Facebook’s data, and closed down applications even though they were not breaching Facebook’s policies.
The documents reveal how app developers were forced out of business after Facebook incorporated similar functions into Facebook’s own platform and threatened to steal data from rivals using “hacky scrapers” if they refused to share data about their users with Facebook.
In one of the most extreme examples, Facebook proposed that developers would lose access to Facebook’s valuable data feeds unless they spent at least £250,000 a year advertising their apps on Facebook’s mobile advertising platform.
Facebook said in a statement that Six4Three had “cherry-picked” the documents as part of a lawsuit attempting to force Facebook to share information on friends of the app’s users.
Paul Grewall, vice-president and deputy general counsel at Facebook, said: “The set of documents by design tells only one side of the story and omits important context. We still stand by the platform changes we made in 2014/2015 to prevent people from sharing their friends’ information with developers like the creators of Pikinis.”
Facebook leaked documents in full
- Declaration by David Godkin producing 212 sealed exhibits – 16 May 2018.
- Declaration by David Godkin with 218 exhibits – 17 May 2018.
- Memorandum of points and authorities by David Godkin (with highlights) – 20 May 2018.
- Notes and summaries of Facebook discovered documents (with multiple colour highlights) – undated.
The rise and fall of iLike
The Six4Three documents include allegations that Facebook used its dominant position to put pressure on third-party software developers that had agreed to build applications on Facebook’s platform.
iLike, for example, ran a popular website that was widely used by musicians, such as US singer Tom Petty, to promote their work.
iLike’s CEO, Ali Partovi, was a regular visitor to Facebook’s headquarters in Menlo Park, California, and was on first-name terms with many of Facebook’s senior executives.
“We were very excited about what the Facebook platform could do, not only for business, but for the web in general,” he said in a deposition.
Partovi’s iLike app attracted tens of millions of people, who used it to play music clips, share details of concerts they planned to go to, and take part in music quizzes.
At the time, Facebook had a problem with apps that were bombarding users with unwanted spam, according to Partovi. He urged Facebook to take enforcement action against them.
Instead, according to Partovi, who later became an adviser and angel investor in Facebook, the company tried to develop algorithms to block spam and modify or disable the application programming interfaces (APIs) that supplied data to the spammy apps – and to legitimate apps.
Partovi claimed that iLike found that it could no longer communicate with its customers on Facebook. It could no longer alert people to concerts they might be interested in and revenue from concert promoters dried up.
When Partovi’s business partner and brother, Hadi Partovi, complained that Facebook was giving its own apps preferential treatment, allowing them to post to Facebook’s newsfeed, Facebook staff agreed that he had a point.
“Hadi has a right to be mad,” wrote Ruchi Sangvhi, a product manager responsible for Facebook’s newsfeed. “We talked about NF [newsfeed] parity in 2006, but over time have gone back on that goal and have not been as open in our communications that platform apps will not have parity with Facebook apps.”
What irked Partovi, he said, was that Facebook was no longer competing with app developers on the “level playing field” that Facebook had promised when it encouraged developers to build applications on its site.
iLike was now rapidly losing money and customers, so in 2009, Partovi met with a director of Facebook to discuss whether it might be interested in acquiring his company.
He claims the director, who has now left Facebook, told him, “You know we [meaning Facebook] could acquire you, but not for very much”, Partovi said in the deposition and emails disclosed in court.
“I remember asking, ‘Why not for very much?’ and him saying, ‘Because we could just shut you down’.”
Faced with declining revenues, and users, Partovi did eventually sell his business – not to Facebook, but to rival social network Myspace – for around $20m.
Later, in an August 2017, Hadi Partovi sent an email to Six4Three’s lawyer discussing Six4Three’s legal case.
“It was a very emotional and trying experience to bet our company on the Facebook Platform, only to see the platform turn into quicksand and see our investment lose its value overnight,” he said.
“Given our personal relationships with Sheryl Sandberg and Mark Zuckerberg, I’m not sure we’d want to be part of a formal litigation effort. We’d have much more to lose than to gain.”
Facebook, its former director and Ali Partovi did not immediately respond to Computer Weekly’s requests for comments.
The Facebook platform
The outlook for iLike and other app developers looked very different earlier in 2007. Then, inspired by Apple’s Mac operating system, Google Maps and Salesforce, Facebook transformed itself into a platform that would allow third-party companies to build software applications on the Facebook “operating system”.
The message to third-party software companies was compelling: “We’re encouraging interested developers everywhere to create Facebook applications.” Even if those applications competed with Facebook itself.
“Platform is key to our strategy because we believe there will be a lot of different social applications and ways that people communicate and share information and we believe we can’t develop them all ourselves,” Zuckerberg told his fellow executives.
The company ran “world hack events” in Moscow and other cities to encourage developers to build applications on its Facebook platform. It created training videos and sent its “developer advocates” to software companies to show them how to create apps for Facebook.
Facebook was describing itself as a “global growth machine” and promising developers that, with a Facebook app, they could grow their audiences hugely.
By building apps on Facebook, app developers could not only download information about the people who signed up for the apps, but also users’ friends by accessing Facebook’s APIs.
For Facebook, the move was strategic. It would allow the company to win millions of new users on the back of infrastructure and ideas created by independent developers.
Facebook’s enthusiasm for developers cools
From 2007 to 2011, Facebook grew its user base from 60 million active monthly users to well over 800 million.
Having grown significantly, the company’s enthusiasm for third-party developers was beginning to cool.
For example, Javier Olivan, Facebook’s vice-president for growth, complained that 19 out of the top 20 apps on Facebook were encouraging people to make friends with people they would not befriend in real life.
He put pressure on fellow executives to shut down an app, called Games Friend Finder, that helped people to find partners to play online games with, despite protestations from other Facebook staff that the app was not in breach of Facebook’s policies.
Months later, Facebook’s own staff felt that the company had overstepped the mark when it ordered a bulk shutdown of apps that were writing too much “spam” to Facebook.
Mike Vernal, vice-president for product and engineering, told his fellow executives that the company had gone too far.
“I have seen a little bit of cheerleading about the aggressiveness of the action on Thursday/Friday – it’s not really appropriate,” he said. “Some of these apps were malicious, but a lot of them were developers trying to build apps within the rules we set out.”
Facebook only had one tool – a shotgun to fire at developers, said Vernal, “and we give you warning when we are going to shoot you in the head”.
Mike Vernal, vice-president for product and engineering, Facebook
That was fine when Facebook had to deal with some really bad apps, but over time, he said, it had begun using the shotgun against well-intentioned companies.
“All the apps we disabled on Thursday night/Friday were somewhat spammy,” he said. “But I think the general consensus is that disabling them was an over-reaction.”
Twitter and YouTube blacklisted
Another area that is likely to attract the attention of investigators is Facebook’s treatment of app developers that it considered to be potential rivals.
The Six4Three documents show that Facebook executives often flew into a panic over fears that competitive social media apps might be using Facebook customers’ data.
When Peter Stern, chief executive of the URL shortening service Bitly, got in touch in 2011, for example, it sparked a major incident.
Stern had suggested that Facebook should take action over Twitter’s use of short URLs on Facebook by “unwrapping” them.
Facebook’s business clients were seeing a large volume of traffic coming from Twitter, he said, unaware that it was actually driven by Facebook.
Stern’s intervention prompted Matt Wyndowe, then a product manager for Facebook games, to ask Facebook’s engineering team to make sure it had blacklisted Twitter from accessing the API that gave developers access to users’ friends’ data.
The engineer was baffled. “I have never heard of us blacklisting certain APIs, so I am not sure where to start,” he said.
Wyndowe was certain that, a year previously, Facebook engineers had spoken about restricting Twitter from accessing users’ friends’ data and their updates, but the restrictions appeared not to have been put in place. “Did this somehow get broken?” he said. “Seems like Twitter is now getting all friend info, which is obviously bad and not the intention.”
An investigation revealed that Facebook had barred YouTube from accessing users’ friends, but had failed to implement the ban for Twitter. Managers urged the engineering team to repurpose the YouTube block for Twitter.
Zuckerberg turns up the pressure
Congressional investigators are seeking further details of Facebook’s “reciprocity” scheme, which required third-party developers to share data about their users with Facebook, in return for continued access to Facebook’s APIs.
The documents reveal that by 2012, Zuckerberg had concluded that the only way for Facebook to grow at scale, and make serious money, was to build a business based on having more and better data than other social networks.
He began putting pressure on app developers – starting with Twitter, Instagram, Pinterest and FourSquare – to share their users’ data with Facebook if they wanted to be able to access data on users’ friends.
Zuckerberg’s message was uncompromising.
“If any developer doesn’t want to work with us on this but still wants to be able to pull friends and data from us, we should be clear that reciprocity is important to us,” he told his top executives. “Pinterest, FourSquare and others should understand this.”
Facebook managers put together a wishlist of apps that it wanted to supply Facebook with valuable data.
This strategy was backed by threats – if app developers did not play ball, Facebook would develop “hacky scrapers” to collect their users’ data. Executives also put in a task request to the engineering section to blacklist apps from accessing friends’ data.
Fair and Square?
Other documents show that Facebook executives were reluctant to offer guarantees to app developers that it would not use their data to set up competing services, raising further potential questions for congressional investigators.
FourSquare, for example, a mobile phone app that allowed people to find nearby friends when they visited restaurants, museums or other attractions, had reservations about handing its users’ data over to Facebook.
Its founders were worried that if FourSquare shared data back to Facebook, the social media company could use it to “bootstrap” a competing service. Facebook, they feared, could use FourSquare’s data to deliver location-based adverts and services to its own users.
“They have a doomsday scenario about us putting them out of business,” Rose Yao, group product manager for Facebook’s open graph, told fellow executives.
But Yao felt unable to give FourSquare the comfort it wanted: “My instinct is to keep it general and basically say that if, at any point, we start trying to monetise local, we will come up with some type of revshare [revenue share] agreement when we use FourSquare data.”
Others thought even this was going too far. One software engineer chipped in: “I think we should be as vague as we possibly can and not commit to anything. I’m pretty wary of guaranteeing (even verbally) revshare if we monetise local as we are clearly going to do this.”
Facebook’s tense relationship with developers
Facebook’s relationship with developers was, by its executives’ own admission, often fraught.
There was no clear way for Facebook or app developers to work out whether either side was getting value from the relationship. That could lead to “tense” relationships with developers that Facebook believed, rightly or wrongly, were competitive.
Such was the tension that Facebook’s approval rate from developers was a negative number. Developers awarded a Net Promoter Score of -7.
Facebook’s treatment of competitive app developers is likely to be a particular area of scrutiny for regulators.
Facebook’s executives had a particular paranoia about gifting apps, which they regarded as a particular threat to Facebook’s own gifting service.
For example, Sam Lessin, director of product management, discovered that his cousin’s long-term boyfriend had created a gifting app company called Rang, which used Facebook’s data to alert people when their friends were having a birthday.
“It is super unclear to me why this is good, why we should be allowing this,” said Lessin. “What terms are they violating? And how can we signal in the future that this is not OK – and, incidentally, can someone reach out to tell them to stop it.”
The problem was that Rang was not actually breaking any of Facebook’s rules. “The concept itself is not violating any existing policy that I can see,” wrote Doug Purdy, director of engineering.
“We could say they were a competitive social network, however, or if they got really big invoke the size clause,” he said.
But different rules applied to Amazon, which had launched its own gifting app.
“Amazon is a different story because they have scale,” said Vernal. “We just need to negotiate an overall Facebook/Amazon relationship that would cover this.”
Amazon deforested
Other documents show that, at other times, Facebook’s executives did view Amazon’s gifting apps as a serious competitive threat.
Facebook planned a change to its APIs that would limit Amazon’s ability to obtain data, including about users’ friends’ birthdays.
“This should significantly stymie Amazon’s ability to grow the gifting app beyond users immediately connected,” wrote Jackie Chang, a strategic partner manager for the developer platform.
Jackie Chang, a strategic partner manager, Facebook
In another incident, a social media executive at Amazon opened his email in February 2013 to find an enforcement notice from Facebook waiting for him. Chang told him that Amazon’s Facebook “canvas” apps, designed for Facebook’s desktop website, were in breach of Facebook’s policies.
Amazon’s social media executive was perplexed. He emailed Chang. “Jackie – has the policy changed?” he asked. “No,” she told him. “This policy has always existed. We now have technology to detect this.”
Amazon’s social media manager objected. “All our integrations were reviewed by you and approved,” he said.
“Our policy superseded the approval,” Chang replied.
Amazon’s gifting app, a social saving app and an app for students could redirect users from Facebook to Amazon’s own website – and Facebook wanted to put a stop to it.
Amazon escalated the case to a more senior manager. “This will break three of our live integrations,” he told Chang.
Zuckerberg: Facebook needs to be stricter about identifying competitors
In October 2012, Zuckerberg endorsed a tougher strategy against competitors. He told Lessin: “I agree we shouldn’t help our competitors whenever possible. I think the right solution here is just to be a lot stricter about enforcing our policies and identifying companies as competitors.”
An internal presentation revealed that Zuckerberg personally reviewed strategic competitors. “Apps produced by companies on this list are subject to a number of restrictions,” it said. “Any usage beyond that specified is not permitted without Mark-level sign-off.”
Vernal, then vice-president of product and engineering at Facebook, briefed senior staff about radical changes planned for the Facebook Platform in August 2012. Facebook would “dramatically reduce” the data it shared with app developers.
“I agree we shouldn’t help our competitors whenever possible”
Mark Zuckerberg, Facebook
The most radical proposal was to limit the ability of apps to read data for the all the friends of each user that signed up. In future, they would only receive data about a user’s friends who had already signed up to the same app.
Facebook planned to make life tough for apps that it viewed as competitive – they would only be allowed to use Facebook’s platform if they signed a formal deal.
And all app developers, competitive or not, would have to agree to share back the equivalent data on their users with Facebook.
By November that year, Vernal was gearing up to make a public announcement about the proposed changes to developers. He proposed a name for the project: Platform 3.0.
“It seems like we’re going to have just a major set of changes that we’re going to want to announce soon-ish and it seems like we should probably be bundling all these changes together, giving it a name, and letting developers know that this is the next iteration of the platform,” he told colleagues.
But Zuckerberg intervened, telling Vernal to put any public announcement on hold, leaving developers in the dark about Facebook’s intentions.
By 2013, internal documents show that Facebook had grown significantly on the back of app developers, and that it no longer needed third-party apps in the way it had done before.
Many apps were using people’s personal data on Facebook to offer services that competed with Facebook.
“When we started the Facebook platform, we were small and wanted to make sure we were an essential part of the internet,” wrote Vernal. “We’ve done that – we are now the biggest service on Earth.
“When we were small, apps helped drive our ubiquity. Now that we are big, many apps are looking to siphon off our users to competitive services. We need to be more thoughtful about what integrations we allow.”
Yahoo gets special treatment
Facebook gave some application developers special access to data about its users, while denying access to others.
Marissa Mayer, CEO of Yahoo, phoned Facebook’s chief operating officer (COO), Sheryl Sandberg, asking for her help with the company’s launch of a personalised web page which drew in data from Facebook’s users.
The phone call took Sandberg by surprise. “We were a bit surprised to learn from your team today about the Facebook integration,” she told Mayer in an email. “With all of our other partners, we collaborate early on big integrations to make sure we stay aligned.”
“We collaborate early on big integrations to make sure we stay aligned”
Sheryl Sandberg, Facebook
Sandberg’s senior executives wanted to know exactly why Facebook had agreed to give Yahoo access to users’ newsfeed posts, when it had refused to hand over the same information to Apple.
Chris Daniels, Facebook’s vice-president of partnerships, wrote: “I thought we had only given the API to a few select partners (Windows Phone for their app, Flipboard and maybe a couple of others).”
Facebook appeared to have no coherent plan. Dan Rose, another vice-president of partnerships at Facebook, fired off an email: “I am worried we are executing Platform 3.0 via piecemeal changes,” he wrote.
“I think we should clarify our strategy so that people understand how all of these changes fit together. My suggestion is that we communicate this internally first via a platform all-hands, then communicate externally to developers. The sooner we do this, the less thrash we will cause for partners.”
Buying up competitors
One tactic Facebook considered as a way of eliminating competitive companies was to buy them up and give their employees jobs at Facebook – a move known in Silicon Valley as acqui-hire.
For example, the company bought WhatsApp, regarded internally as a competitive threat to Facebook’s Messenger service in 2014, but small developers also attracted Facebook’s interest.
Facebook’s executives were worried about another up-and-coming app – Refresh, founded by entrepreneur Bhavin Shah in 2011 – which was designed to give users instant briefings on people they were about to meet or do business with. It pulled in information from LinkedIn, Twitter, Facebook and other sites to give users a detailed briefing on their contacts.
By 2013, Refresh’s Facebook app had grown to 1.6 million monthly average users, and Facebook executives were worried. Internally, they considered Refresh as an app that “we don’t want to share data with”.
And executives were asking what they could get in return – either in advertising spend or in data – for allowing Refresh on Facebook’s platform.
Facebook’s vice-president for partnerships, Ime Archibong, met the Refresh team to work out some sort of deal. He came back disappointed.
“To be frank, together we struggled (and I still struggle) to identify any value they could provide to Facebook that would ever be sufficient to equate a reciprocal value exchange,” he told his fellow executives. “They are taking a tonne of data from us.”
There were only two options. One was to buy out Refresh, close down the app and hire its talented team to work at Facebook. The other was to restrict its access to Facebook’s data.
Facebook was working on what it called a platform simplification project, which would ultimately restrict the data supply to Refresh – but Facebook staff wanted to kill it off quickly.
In September that year, Facebook’s director of partnerships, Konstantinos Papamiltiadis – known as KP – asked for help to take action against Refresh and similar apps with more urgency.
He wrote to Ellen Silver, global head of developer support, in an email entitled “Proactive and reactive removal of permissions” to discuss cutting off the permissions that allowed app developers access to Facebook’s user data.
“You are right to say that we could theoretically kill two birds with one stone when we roll out platform simplification, but at this stage I wanted to ask for your help and support to uncover any potential threat and, if significant, enforce sooner,” Papamiltiadis wrote.
Shah ultimately sold Refresh not to Facebook, but to the rival business-focused social network LinkedIn, in 2015.
Academic research stopped
Facebook’s decision to revoke developers’ access to user data also affected legitimate academic research.
Bernard Hogan, an academic at Oxford University, has written extensively on Facebook, including a major study called Social media giveth, social media taketh away; Facebook friendships and APIs.
Hogan developed two Facebook apps for use in his research work. Friends Connect aimed to help college students find friends who attend other schools or hold jobs that they are considering. Another app, NameGenWeb online, helped people understand how many people they know and which people were most important.
Facebook’s changes to application permissions meant Hogan was unable to continue his existing research beyond April 2015. When he met a colleague who worked for Facebook shortly afterwards, he asked why his apps had broken. “I am sorry, she said,” Hogan said in a deposition in court papers.
Facebook offered Hogan the chance to come into Facebook’s offices in Menlo Park to look at the data, but for Hogan, that was not the point. The apps were designed for academic research, and that meant they needed access to Facebook’s friends data.
Hogan noticed, however, that not all app developers were treated equally. For a time, he was single and used Tinder. He realised that Tinder was still taking friends data from Facebook, which it was using to help people identify friends they had in common. It was clearly getting special treatment.
Hogan said he had to change direction in his academic research, looking at the best ways to visualise social networks, after his apps ceased to function.
“I had pretty strong understandings that social network data would be consistently available for a long period of time, and I certainly acted under the expectations that such core functionality – so core that it is in the basic permissions – would still be available for a long time,” he said.
Facebook staff object to treatment of developers
Some of Facebook’s senior staff objected to the way the company was treating developers. Ilya Sukhar and Kevin Lacker had joined Facebook when it bought Parse, a specialist software company, in 2013. Lacker was the chief technology officer (CTO) at Parse, and Sukhar its CEO, who went on to become Facebook’s head of developer products. They were in despair when they heard of Facebook’s plans to cut developers’ access to friends data.
“The friends API is getting totally fucked,” said Sukhar. “They are making it so that apps can’t see any of your friends who aren’t also on the app. Everyone’s information flow is just a dead man walking.”
Ilya Sukhar, head of developer products, Facebook
Lacker added: “Yeah, it sounds like developers would hate us. They are just ratcheting down the openness of the platform.”
In a series of private conversations, Sukhar and Lacker complained that the “V3” platform simplification project was a “real mess”. Facebook was deprecating APIs, but the attempt to find suitable replacement APIs for developers was “half-hearted”.
“All the concern is around messaging, when messaging is not really as important as having a good product at the end of the day,” said Lacker.
“There are so many people proposing shit,” he said, referring to one of Facebook’s position documents. “This doc is so schizo. ‘Our philosophy is that data should only be shared with an app when the user wants to share it.’ You mean our philosophy of right now – not for the past seven years, when it was different,” Lacker told Sukhar.
Facebook software engineer Bryan Klimt had had enough. He gave Sukhar and Lacker an ultimatum. He had written a blog post and was planning to post it that day unless he heard a “really compelling reason not to”.
Removing the API that lets app developers access friends information was so ridiculous, said Klimt, that he could not “think of an example more ridiculous to parody it with”.
“I have heard some rumours floating around about why we are doing this,” he wrote. “But many of them are clearly pablum designed to make engineers think this decision has solid technical reasons. It does not.
“The only reason I’ve heard that makes any sense is that we are worried about people ‘stealing the graph’. We are doing this in a protectionist grab to make sure no one else can make a competing social network by bootstrapping our social graph.”
Bryan Klimt, software engineer, Facebook
Lacker agreed, saying: “Stealing the graph is precisely the reason. The concern is specially Google and WeChat [a messaging service] and the various WeChat-like competitors will manage to scrape the graph of friend connections.
“The internal deal that made it possible for the platform to exist in the first place was that the social networking product could demand the revocation of any feature at any time, even if it sucks for developers.”
That was partly true. Later, it emerged that Facebook intended to use the data deprecations as leverage to persuade developers to buy ads on its platform.
No news is good news
Facebook’s handling of access to its newsfeed again shows that it gave some developers favoured treatment, while restricting access to the news feed to other developers – an issue that is likely to raise further questions for congressional investigators.
By August 2013, Facebook was pushing through plans to cut off developers’ access to Facebook’s newsfeed API.
Not all app developers would be treated equally, however. Chris Daniels, director of business development, wrote up a list of exemptions, which included hardware manufacturers such as BlackBerry, which had built Facebook apps into its phone.
The biggest users included telephone handset manufacturers that had integrated Facebook into their hardware, including BlackBerry, which had 58 million monthly active users, HTC, Nokia, Sony and Motorola. Twitter, Microsoft’s Bing and gaming apps also featured among Facebook apps.
Companies that had an existing business relationship with Facebook would also be exempt, as would apps that could raise public relations problems if they were closed down, such as Flipboard, a popular news reading service.
Facebook agreed deals with selected developers to access APIs that were otherwise unavailable, by adding them to whitelists. By November 2013, 5,200 apps had been whitelisted.
In late August that year, Facebook’s engineering staff were discussing a draft presentation for Zuckerberg on the future of APIs. Sukhar asked whether Facebook could offer a single core set of data permissions that developers could use even if they were considered competitors. “I think it would play well in the press,” he said.
But senior executives such as Javier Olivan would not support it, said Doug Purdy, Facebook director of engineering. “Javi hates that we even give profile pics to competitive apps,” he said. “The truth is we are going to be under pressure to pull more and more user data from competitors over time.”
Facebook audits competitive apps
The documents showed that Facebook audited tens of thousands of apps to identify which posed a significant competitive threat.
Ime Archibong, vice-president for partnerships, asked Simon Cross and Papamiltiadis, both responsible for strategic partnerships, to audit all third-party apps that would be impacted by Platform 3.0, and Facebook’s plans to restrict access to data about users’ friends and newsfeed posts.
He asked the pair to put the apps into different groups. These included apps that were delivering value to Facebook, such as BlackBerry’s Facebook app, and those that were not delivering value but “could cause a PR storm if we turned them off”.
KP pulled together a list of 40,000 apps that used the friends permission. They included competitors such as Myspace, a rival social network, Twitter and YouTube. The top apps accessing friends’ data included communications apps, which were not spending on advertising or sharing data back to Facebook.
“We need to take a hard stand,” he wrote. Facebook should also remove access to friends’ data from photo sharing, astrology, media, music, books and fitness apps, he argued.
As the audit progressed, KP pressed for Facebook to act more quickly against apps that posed a threat to the company. Contacts apps and dating apps “present a significant overlap with our product roadmap”, he said. “They access sensitive data from the graph without reciprocating, and last but not least, a few of them are competitive in nature, like LinkedIn.”
Those apps would lose access to data when Facebook rolled out its platform simplification programme, but KP urged his colleagues to help him uncover any potential competitive threat and take action sooner.
He found support from Allison Hendrix, who was responsible for the Facebook platform and was pressing for the company to take early enforcement action against contact apps.
Identifier dashboard used to spot promising apps
Facebook kept a close eye on apps that contained features that it could potentially incorporate into Facebook. It had set up an earlier identifier dashboard to highlight promising apps. One alert in September 2013 identified apps that Facebook was “currently investigating or pursuing”. They included a contacts manager, dating apps and gifting apps, all of which were on Facebook’s radar as potential Facebook services.
Facebook executives were alarmed by a sophisticated contact manager app that appeared to be performing exceptionally well – Sync.me, an Israeli app with more than 1.1 million monthly average users.
“It is asking for a huge number of permissions – public profile, friends list, newsfeed, birthday, work history,” said Chris Daniels, vice-president for partnerships. “This feels like too much.”
He said the app was in danger of “undoing all the good work” that Facebook had undertaken to ensure people could not add contacts from Facebook onto their mobile phone contacts list, and it might be in danger of “supplanting Facebook’s functionality”.
Facebook puts pressure on apps to spend money on ads
One of the most astonishing disclosures in the Six4Three documents was Facebook’s leverage of developers to spend money on advertising in return for access to its data.
Facebook had developed an advertising service called Neko, which allowed developers to advertise installations of their app, for a fee.
KP proposed that developers must spend at least $250,000 on advertising on Neko and those that did not buy advertising would be told that their data permissions would be revoked.
Meanwhile, Facebook would identify apps such as Refresh that it did not want to share data with and find out how much money they were spending on Neko.
“Should we make Neko a prerequisite for access to permissions?” he asked. “Are we at risk of alienating developers and creating a platform that favours the guys with deep pockets?”
In December 2012, KP sent round a flow chart that proposed cutting off access to developers that did not spend money on Neko ads.
Within a year, Neko had grown from nothing to making $1.75m a day. “That is $600m business in less than a year. That is insane!,” wrote Mike Vernal.
The Switcheroo plan
Congressional regulators are expected ask to questions about Facebook’s “Switcheroo” strategy and what exactly it meant.
Facebook had planned to announce its removal of developers’ access to data about Facebook friends and other APIs at its F8 developer conference in 2014.
But as the day approached, executives grew increasingly worried that the announcement could create unwelcome publicity that would overshadow Zuckerberg’s public speech.
Ilya Sukhar came up with what he called a Switcheroo plan that would save Zuckerberg from having to make an announcement that could court bad publicity at Facebook’s major conference of the year.
Under the plan, Zuckerberg would give an upbeat message, and Facebook would then announce its unpopular plans to close down APIs – known as “psn12” – at a later date.
“Hey, I put a plan for F8 that everyone finally agrees on,” Sukhar wrote to colleagues. “The big difference is we are going to hold all the ‘bad stuff’ of psn12 until after.”
By February 2014, Sukhar had worked with Zuckerberg to refine the Switcheroo plan. Under the new plan there would be no follow-up announcement.
Instead, Zuckerberg would give a positive speech making the theme of F8 about improving user trust, an umbrella term that Facebook could later use to explain why it was “deprecating” developers’ access to critical data, particularly users’ friends.
“After discussing a bunch with Zuck, we landed on making user trust a core theme of F8 and rolling things out simultaneously. After all, this is a big change to put power in the hands of people and we need to do it the justice of a thorough announcement,” Sukhar told the Platform team. “Who better to do it than Zuck?”
That wouldn’t mean it would be “enumerating specific deprecations on stage”, he said. Instead, there would probably be a workshop later in the day to explain the changes to developers.
Developers left in the dark
As F8 drew near, Simon Cross queried why there were no sessions planned to explain to developers the changes that were happening. It was “insane”, said Cross, that Facebook was planning to spend 45 minutes talking about some obscure aspects of Facebook, when there was no space in the schedule to talk about changes “which affect every single app on the platform”.
“I pretty strongly feel we need a place to explain to those devs – at a code level and a database level – what they need to move to the new model,” he wrote.
“I think we need a high-level description and a title that isn’t totally negative,” said Sukhar.
“We actually have a lot of positive stuff to talk about that developers will actually love and make the transition actually OK – currently we don’t have space to talk about those,” Cross replied.
Changes announced – but quietly
Facebook published its announcement on 30 April 2014, during the F8 developer conference under the title “The New Facebook Login and Graph API 2.0”.
It focused almost entirely on Facebook’s new login service. Five pages down from the top of the announcement, Facebook hinted at its plans to turn off its data to developers. It was easy to miss.
“In addition to the above, we are removing several rarely used endpoints; visit our change log for details,” it said.
Although they were described as “rarely used”, the APIs included some of the most popular data streams used by developers, an internal email suggests.
Netflix “clusterfuck”
In August 2013, a partner manager at Facebook caused a storm by advising Netflix in an email that it might not be good idea to continue building a sharing feature using Facebook’s messaging API.
The email appeared to have mistakenly disclosed Facebook’s plans to cut off developers’ access to that data.
“The whole Netflix thing seems completely fucked up,” said Purdy.
Vernal agreed. “That threat was a complete clusterfuck,” he said.
Vernal was forced to write a letter apologising to Cameron Johnson, Netflix’s director of social product innovation.
“If we do change the mechanics of invitations, we will work with you guys to make the transition easy and on a schedule that works,” he told Johnson.
“I don’t like having to send apology emails to partners,” Vernal told Purdy.
By now, Purdy was on the verge of quitting Facebook. “I am just tired of fighting on the developer front for the company,” he told Vernal.
Vernal warned him not to drop any hints about leaving. “Mark is sensitive about this,” he said.
Are we killing off one-third of the traffic feed?
One of the key attractions for app developers to work with Facebook was the social network’s ability to publicise their apps to other Facebook users.
This “feed distribution”, as it was known internally, was an important selling point for third-party app developers, particularly those that had integrated their apps into Facebook’s desktop website.
They could use Facebook’s network of links between friends – through Facebook’s map of connections, known as the Open Graph – to encourage other people to take up their apps.
By January 2014, Facebook’s senior managers had decided to significantly limit app developers’ ability to advertise their apps in this way.
Facebook engineers felt it was risky. It could lead to a revenue loss for Facebook of $160m in fees. “You are OK with killing one-third of the traffic feed?” one asked.
Worse, no one had told Facebook’s partner managers that they shouldn’t be selling distribution to app developers.
Carrots and sticks: Facebook’s strategy to cut off app developers’ data
Sticks
- Remove access to data about a user’s friends of Facebook.
- Remove access to the Facebook newsfeed, Facebook timeline notifications and APIs to manage friends lists.
- Apps no longer have access to the Facebook ID of each user.
Carrots
- Social context API will give apps information.
- Invites API will allow developers to promote across apps.
- Privatised APIs.
- Facebook will make key APIs available to developers that have a contract with Facebook by placing them on a whitelist. They will be unavailable to other developers.
Casualties
- Good apps will be casualties, such as Venmo, a mobile wallet.
- Slower growth for messaging apps.
- Slower growth for contact sync apps.
- Slower growth for gifting apps.
- Slower growth for horoscope apps.
- Named apps affected: Klout (social influence), Wrapp (gifting), Lulu (controversial social app), Branchout (finding jobs).
Total number of apps impacted
- 27,000
Login app review
- Apps will go through a review before they can use Facebook login to access data.
- Heavy review for access to high-value data, for example photos.
- Light review for basic data, such as user’s current city.
- 110,000 apps need to go through login app review in next six months.
Source: Draft Facebook presentation, 26 January 2014
George Lee, director of product management for games, was concerned that Facebook was continuing to encourage developers to integrate their apps into Facebook’s graph.
“You have to remember that our partner managers are still selling products that we ask them to sell,” he said. “So while we may have decided among ourselves that this is no longer the future, we don’t have anything to sell current developers.
“I think we are also missing the impact on developer sentiment… I get emails frequently (and sat down with some important and unhappy devs this week) about how feed distribution is drying up.”
Ilya Sukhar told a colleague in one email discussion that he would like to ask Zuckerberg: “Is he comfortable killing the prospects of a lot of startups… some of which are good, like Venmo and Tinder?”
Facebook was ruthless in cutting off access to friends’ data to developers, but it was less effective at explaining its actions to developers. In 2013, Katie Faul, a business development manager, pointed out that its best practices guide for developers actively encouraged them to take full advantage of the same data.
The guide read: “When a player grants you basic read permissions, you have full access to their list of friends. Take immediate advantage of this and make it easier for them to connect their friends within the game. Don’t force people to recreate existing friendships within your game. Instead, display their friends connections right away.”
Faul told fellow executives: “I realised that the language in here about friends permissions is very counter to our upcoming platform simplification efforts and what we are doing about user trust. Should we get this updated? It feels against the spirit of where we are headed.”
Backlash
Facebook eventually cut off friends, news feed and other data access to developers on 30 April 2015.
Facebook had hired a PR company, the OutCast Agency, to manage any bad publicity. The agency had put contingency plans in place to manage press coverage.
“In preparation of backlash from developers who are negatively impacted by the change, recommend having a few positive/happy developers… in our back pocket who can neutralise this for us in the media,” Facebook’s account supervisor wrote just before the announcement.
OutCast had prepared a “reactive statement” that would keep a close eye on coverage in the press and social media, for any backlash bubbling up, the supervisor told Facebook
It often took developers months, and multiple emails, to find out exactly how they would be affected. Facebook’s answers were often confusing and contradictory.
For example, a company called Airbiquity had developed an application that was used by car manufacturers to allow drivers to access their Facebook account through text-reading software. “Millions of Nissan drivers were using the app and we believe they want to continue doing so,” a product manager at Airbiquity told KP.
Facebook held out hope that it would approve its access to Facebook’s APIs for in-car apps that used voice recognition. It took four months for Airbiquity to establish that most of the features in its app would no longer work under the new rules. KP eventually told Airbiquity: “Ultimately, we think the experience of the in-car integrations vs what people can experience using the main Facebook is sub-optimal.”
Ticketmaster
Ticketmaster had used Facebook friends’ data to create an interactive seating plan for people attending concerts. The idea was that they could find and tag their friends on Facebook who were also attending the concert.
Ticketmaster complained in an email that Facebook’s upgrade would mean Ticketmaster customers would only be able to see their friends who had signed up to the Ticketmaster app.
“Limiting to only friends who have accepted the app is not a good user experience for the ticket purchase,” she said. Jon Park, a strategic partner manager and her Facebook contact, asked KP whether there was a case for whitelisting Ticketmaster.
KP drafted a non-committal reply for him to send. “Interesting use case, we would like to consider this use case in the near future,” the message began. But KP told Park: “Feel free to wordsmith this as you like, but certainly let them know they are not going to be whitelisted.”
Facebook did, however, begin a renewed programme of whitelisting at the beginning of 2015, to allow selected apps to continue to gain access to data.
KP told taxi-hailing app Lyft that it had been whitelisted to have access to details of all of the mutual friends of users on the app – data that had been denied to other app developers. “The API is currently only available to a handful of partners,” he wrote.
In February that year, Facebook whitelisted Netflix and Walgreens, and seven unnamed dating apps. Others given privileged access to APIs in early 2015 included Microsoft, Hootsuite and GoDaddy. Ticketmaster and Nissan were also added to whitelists to preserve some of the functions of their apps.
The question of antitrust
Congressional investigators and regulators must be wondering how much more Facebook will be forced to pay out in fines to settle allegations of antitrust behaviour..
Facebook has already faced regulatory action in the US, and was fined a record $5bn by the US Federal Trade Commission in July 2019. Under the controversial settlement, Facebook agreed to pay the fine without any admission of liability. The settlement controversially removes any liability for Facebook, its officers and directors for breaches before June 2019. A further FTC antitrust investigation into the company is yet to conclude.
Facebook’s actions, as revealed in the Six4Three documents, which have now been passed on to congressional investigators, show a pattern of behaviour that is likely to lead to further questions.
Whether effective regulation of competition in big tech companies ultimately emerges from the US or Europe is something that remains to be seen.
Facebook’s vice-president and deputy general counsel, Paul Grewal, said in a statement that the Six4Three documents were selectively leaked as “part of what the court found was evidence of a crime or fraud to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we’ve never sold people’s data”.
The developers that bit the dust
In late 2012, Facebook had decided to begin taking action against developers it deemed to be competitive threats, using section 10 of its then platform policy as justification for the decision.
The policy prohibited apps from replicating the “core functionality” of Facebook. It read: “You may not use Facebook Platform to promote, or to export user data to, a product or service that replicates a core Facebook product or service without our permission.”
However, there was ambiguity about what exactly Facebook meant by “core functionality”.
Voxer
One example is the case of Voxer, a walkie-talkie-style voice messaging app.
Two weeks after Facebook added a new voice messaging feature to Facebook Messenger in January 2013, Facebook removed Voxer’s access to the “Find Friends” functionality.
CEO Tom Katis told TechCrunch at the time that Facebook viewed Voxer, which had tens of millions of users, as a “competitive social network”.
MessageMe
Another example is MessageMe, an instant messaging app that was close to reaching one million users when Facebook cut off its access to data.
Like Voxer, MessageMe’s integration ceased to function, TechCrunch reported, when Facebook restricted its “Find Friends ” functionality.
Throughout the documents seen by Computer Weekly, both Voxer and MessageMe are referred to as “noisy” developers that could create trouble in the press.
Social Fixer
Social Fixer, a browser plug-in that allowed users to customise the interface and appearance of Facebook, was another “noisy developer”.
It was a one-man operation run by web developer Matt Kruse in his spare time who, in September 2013, wrote a blog post about his plug-in being shut down.
“I’ve spent four years and countless hours building up a community around my software: my Page had 338,050 Likes, my Support Group had 13,360 members, and my Interest List had 1.47 million followers,” he said. “But all of that work was wiped out in an instant when Facebook decided to shut it down without notice.
“I have never been given any details about what ‘community standards’ I was apparently violating (because I wasn’t). This is a case of Facebook choosing to shut down someone’s business just because they want to, not because they were doing anything wrong.”
Speaking to Computer Weekly, Kruse said that although his page was not down for long, Facebook also demanded that some of Social Fixer’s features be changed or removed.
“Having my Facebook page shut down didn’t affect me much, but removing the core features that a lot of users came to the product for made them go away – ‘well, if I can’t track my friends and I can’t hide ads, I don’t need it anymore’ – so I lost hundreds of thousands of users because they just couldn’t use it anymore,” he said.
Kruse added that during the entire episode, he was never able to speak to, or even get in touch with, anyone at Facebook about the decision.
“Facebook want to control everything and don’t like having their product manipulated, so I can see they would be really annoyed by any developers trying to go around the things they have in place,” said Kruse.
“I wanted to enable people to use Facebook in a way that’s best for the user, and not allow them to manipulate users as the product. That being said, they built the platform that a lot of other people have built their fortunes on, so I do acknowledge the fact that they have a difficult job and a lot of other people depend on them.”
Phhhoto
Facebook’s behaviour, however, was not limited to that platform alone and was extended to acquisitions such as Instagram, as shown by the case of Phhhoto.
The app let users shoot animated GIFs but was cut off from Instagram’s social graph in April 2015, soon after it reached one million users.
Six months later, Instagram launched its Phhhoto clone, Boomerang.
Champ Bennett, co-founder of Phhhoto, told TechCrunch. “We watched [Instagram co-founder, Kevin] Systrom and his product team quietly using Phhhoto almost a year before Boomerang was released – so it wasn’t a surprise at all.
“You have to give massive respect to anyone at their scale, but I’m not sure Instagram has a creative bone in their entire body. That’s a weakness we tried to exploit.”