• Facebook shares fell following a New York Times investigation that revealed previously unreported data sharing practices by the company.
  • Through a review of internal documents, the Times found Facebook shared even more data than previously thought with companies it considered “partners.”
  • The data reportedly included access to users private messages.

The social-media giant just can’t seem to guard users’ privacy, as it has repeatedly promised to do.

Documents acquired by The New York Times show that Facebook allowed more than 150 companies to see the names of virtually all Facebook users’ friends and other personal data without consent — generally in exchange for Facebook getting access to its “partners’ ” own collections of data.

Buried deep in the Times’ story is the news that the paper itself got this privileged access.

Some firms — Netflix and Spotify — even gained the ability to read Facebook users’ private messages.

As the Times also reports, the data exchange “was intended to benefit everyone”: Facebook got more users and ad revenue; its partners improved their products, and Facebook users supposedly gained a superior social-media experience.

The allegations, some of which are as recent as this year, could put Facebook in jeopardy of being found in violation of its 2011 agreement with the Federal Trade Commission. The agreement required Facebook make clearer how it shared data with third-parties and banned it from sharing friends’ data without their consent. Facebook reportedly considers its “partners” to be extensions of its core business, rather than third-parties.

The FTC declined to comment on the Times investigation for an earlier story, but the commission has previously confirmed it was looking into Facebook’s privacy practices following the Cambridge Analytica scandal.

In a blog post responding to the article, Facebook said, “To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC.”

The news was followed by an announcement Wednesday morning that the attorney general’s office of Washington, D.C., would sue the company for “failing to protect its users’ data”.