To test one partner’s access to Facebook’s private data channels, The Times used a reporter’s Facebook account — with about 550 friends — and a 2013 BlackBerry device, monitoring what data the device requested and received. (More recent BlackBerry devices, which run Google’s Android operating system, do not use the same private channels, BlackBerry officials said.)
Immediately after the reporter connected the device to his Facebook account, it requested some of his profile data, including user ID, name, picture, “about” information, location, email and cellphone number. The device then retrieved the reporter’s private messages and the responses to them, along with the name and user ID of each person with whom he was communicating.
The Hub also requested — and received — data that Facebook’s policy appears to prohibit. Since 2015, Facebook has said that apps can request only the names of friends using the same app. But the BlackBerry app had access to all of the reporter’s Facebook friends and, for most of them, returned information such as user ID, birthday, work and education history and whether they were currently online.
The BlackBerry device was also able to retrieve identifying information for nearly 295,000 Facebook users. Most of them were second-degree Facebook friends of the reporter, or friends of friends.