The Royal Bank of Canada quietly stopped allowing online transactions through Facebook in 2015 after Facebook changed its network’s privacy settings, a bank spokesman said Wednesday after a British parliamentary committee released internal Facebook emails about the partnership.
Canadian MPs travelled to Britain last month to participate in a parliamentary inquiry into “disinformation and fake news,” helping grill Facebook representatives about the firm’s role in the Cambridge Analytica scandal.
The committee seized the Facebook emails—part of a sealed record in an American legal dispute—after Facebook CEO Mark Zuckerberg declined to testify. The emails were disclosed as part of a lawsuit by American software developer Six4Three, which once ran a bikini photo application on Facebook.
In the email chains Facebook executives debate providing user data to big corporate customers like Royal Bank, Netflix, Lyft and Airbnb—“whitelisting” them in Facebook parlance—if they met an advertising spending target of $250,000 a year.
But Bank spokesman AJ Goodman said in an emailed statement on Wednesday that it “never had a minimum marketing spend or target agreement with Facebook.”
The company announced a partnership with Facebook in 2013 to allow users to send Interac e-transfers through the social network’s Messenger app. “We are excited to bring this new capability—the first of its kind in North America—to Canada and to our clients, who we know are avid Facebook users,” executive Dave McKay said in a news release at the time. The bank did not issue a release when it shut the service down.
Changes that Facebook made to its APIs (or application program interface) in 2015 led the bank to shut down the service, because the changes were making it impossible to authenticate individual user identities to guard against fraudulent transfers.
“As part of our security and fraud protocols, we needed to uniquely identify the recipient of funds and payments to securely process the transaction and deliver the notification,” Goodman wrote in an emailed statement. “We learned about the change in APIs in 2015. Shortly afterwards, we began the process of discontinuing this service and continued access granted by Facebook ensured it could be wound down without compromising our clients’ transactions and information.”
In the internal Facebook emails released by the British committee, executives warned that restricting the data access by the bank could undermine the partnership. “Without the ability to access non-app friends, the Messages API becomes drastically less useful,” executive Sachin Monga wrote in 2013. “It will also be impossible to build P2P payments within the RBC app, which would have dire consequences for our partnership with them.”
Facebook did not respond to questions about its abandoned partnership with the bank but pointed to a statement online from Zuckerberg, who said that the changes to the network in 2014 were made “to prevent abusive apps.”
In the same statement, he pushed back at the idea that Facebook was selling data. “Other ideas we considered but decided against included charging developers for usage of our platform, similar to how developers pay to use Amazon AWS or Google Cloud. To be clear, that’s different from selling people’s data. We’ve never sold anyone’s data.”
Facebook has been widely criticized for a data breach that allowed Canadian app developers working with Cambridge Analytica to use Facebook users’ personal data to target voters to aid in the election of Donald Trump and the Brexit referendum.
NDP MP Charlie Angus, who has been critical of Facebook’s privacy protections, said Thursday that he is “very skeptical” of the public explanation of the data that Facebook shared with the bank. Angus said he is concerned that the bank may have had access to Facebook friends lists and other data that might raise privacy questions.
“My understanding of what these are is that it was wide open for people to use the platform and be able to scrape data of friends of friends,” he said in an interview Thursday. “And the court case is about them deciding who to limit access to in order to crank up the financial returns to Facebook. So what was RBC doing with that? To simply verify the person themselves, they could do that through Facebook now.”
The bank did not respond to queries about whether it was accessing customer’s friend lists, pointing instead to its need for data to verify the identity of customers.
It is hard to know what kind of data the bank might have collected from Facebook, said University of Ottawa law professor David Fewer, the director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic. “We know that Facebook collects all kinds of information on its platform. We also know that it collects information about Facebook users from data brokers.” Fewer said Canadian banks have a much better track record of protecting client privacy than Facebook does. “I would think almost any business right now is scared of falling into a privacy scandal involving Facebook.”
In March, the Privacy Commissioner of Canada opened an investigation into Facebook and third-party applications. On Thursday spokesman Corey Larocque said in an email that “the investigation is well advanced but we’re not in a position to offer comments at this point in time.”