Federal Privacy Commissioner Quietly Closed Investigation of RBC

An investigation into allegations that select companies — including RBC, Canada’s largest bank — were given access to the private Facebook messages of people using their apps has been shut down by Canada’s privacy watchdog.

The Tyee first broke the news that Canada’s Office of the Privacy Commissioner was investigating RBC in February 2019, following a 2018 New York Times exposé on Facebook “partners” that were exempted, or “whitelisted,” from tighter data rules implemented in 2014-2015 in the wake of privacy scandals at Facebook.

These special “partners” — such as RBC, Netflix, Amazon, Spotify and others — were given access to every private message sent or received using Messenger, Facebook’s popular messaging platform, when users of the partner company apps linked them to their Facebook profiles.

Because the data made available to these partners consisted of private messages, it was potentially more revealing and violated more privacy expectations than the data infamously acquired in the Facebook-Cambridge Analytica data scandal, which allowed outside developers to gather data such as likes and friend lists on not only app users, but their friends.

The whitelisting deal involved access up to a decade’s worth of private messages sent to or received from friends of app users with an expectation of privacy.

Although the full extent of exposure through whitelisting remains unknown, there is the potential for the same kind of multiplier effect seen in the Cambridge Analytica case, in which 87 million Facebook profiles were harvested based on the responses of just 270,000 people who unwittingly allowed access to their friends’ Facebook activities by downloading an app.

This is because each app user who connected to Messenger will have exposed their messages to Facebook partners from every person who ever messaged them — whether those other parties had installed the app or not.

In 2018, when news broke about special agreements allowing some companies’ continued access to Facebook data — internally known as “whitelists” — Spotify and Netflix admitted they had the extra abilities, but claimed they weren’t aware or didn’t use them.

RBC was also named and had the same privileges — as shown in leaked Facebook emails detailed in the New York Times — but denied it ever had access.

Facebook confirmed directly to The Tyee that the bank had access to read, write and delete its app users’ private Facebook messages. Facebook declined to say if or how many times those privileges were used by the bank.

The Office of the Privacy Commissioner has confirmed to The Tyee that it shut down its two-year-long investigation of RBC five months ago, without any announcement. The office wouldn’t provide any information on its findings. It pointed instead at ongoing legal proceedings, targeting Facebook only, as the best course of action.

The end of the investigation may mean that Canadians and lawmakers, as MP Charlie Angus put it in a Jan. 31, 2019 meeting of Parliament’s Standing Committee on Access to Information, Privacy and Ethics — will have to “take RBC’s word for it” that the data wasn’t accessed, stored or misused.

Privacy Commissioner Daniel Therrien confirmed earlier that there had been several complaints “on whether or not the Royal Bank was violating PIPEDA [Personal Information Protection and Electronic Documents Act]” and that “RBC's alleged role in receiving information from Facebook” was the subject of an investigation.

Angus did not reply to The Tyee by publication time when asked for comment on the investigation’s closure.

The ticket to the whitelist

RBC, Canada’s largest bank with 16 million clients, was no small player on Facebook’s platform.

Facebook allowed RBC to keep special friend and message permissions in part due to the bank’s commitment to run “one of the biggest [mobile platform] campaigns ever run in Canada” by 2013, internal Facebook emails show.

RBC’s campaign used Facebook’s “custom audience” tool, which allowed RBC to locate and target ads for its upcoming app to existing customers who were browsing Facebook’s platform.

Leaked Facebook emails reviewed in the British Parliament in 2019 show RBC was one of only two companies outside of Facebook known to have had access to Facebook’s “Messages API” back in 2013. (API stands for “application programming interface,” which allows apps to communicate with Facebook’s internal data).

“There are only a handful of partners who have access to the Messages API (as far as I know only Dropbox, RBC, and our own first party apps?),” wrote Sachin Monga, then a Canadian Facebook employee working to “help the market use Facebook's platform to its maximum potential,” according to his job description on LinkedIn.

RBC was then developing its app’s ability to send electronic transfers, commonly done over email, via the popular Facebook messaging platform, which already had millions of users in Canada. Facebook was in a race with rival WhatsApp to dominate mobile messaging — a race in which Facebook was perceived to have admitted defeat when it bought WhatsApp a year later.

By 2013, RBC already had 1.3 million app users and Facebook emails show the company was making a big move to gain more.

RBC told The Tyee that it decommissioned the email money transferring feature in 2015 and “did not have the ability to see users’ messages.” But the New York Times reported that ability came bundled with partners’ access to the messaging platform.

The New York Times also reported that the permissions obtained by partners, including RBC, were far beyond what was needed to integrate Facebook features into company apps.

In the RBC case, the company only needed to access messages specific to email money transfers to deliver the service. However, RBC obtained the ability to read, write and delete every message sent if a user paired RBC’s app with Facebook, the New York Times reported and Facebook confirmed.

Exposed data potentially the most invasive yet

The kind of data that could have been gleaned by partners such as RBC from more than a decade’s worth of private Facebook messages potentially goes far beyond the invasion of privacy that powered insights by Cambridge Analytica.

Facebook Messenger is a main online communication tool for millions of users. Access to the contents of private messages would be regarded by most users as far more revealing than the information obtained and used by Cambridge Analytica, which tracked the Facebook activities of people who downloaded apps and their friends.

The list of those who have messaged someone is likely to be smaller than their “friends” list. But the number of those potentially affected are subject to the same kind of multiplier effect seen in the Cambridge Analytica breach.

Cambridge Analytica obtained access to profiles of all the friends of those who installed an app, not just those who installed it. The multiplier effect moved the dataset from 270,000 app users to 87 million profiles via friend lists that average in the hundreds.

According to Facebook, partners like RBC would have had access not just to the contents of messages written by those who installed the app and the names of who they were sent to, but also to messages from others sent to the app user.

How many RBC customers linked the app to Messenger is unknown — as is the number of messages sent or received by Facebook users. This kind of calculation would need to be done by an investigation like that shuttered by Canada’s privacy commissioner.

The ripple effect could be far-reaching. Data and privacy experts, for example, worry about whether banks acquiring information on individuals, including their friends, could impact decisions like loan approvals.

While discussing lower loan pre-approvals given to women who earn the same compared to those given a male spouse, Maura Grossman, director of Women in Computer Science at the University of Waterloo, told Global News in 2019 that it was likely banks were using machine learning to determine whether someone is worthy of credit.

Watchdog defers to legal action

Despite these and other concerns, Canada’s Office of the Privacy Commissioner holds the view that issues raised by its closed investigation can be best addressed by ongoing legal proceedings against Facebook, senior communications advisor Vito Pilieci told The Tyee.

An 18-month-old Federal Court action against Facebook for providing data does not target partners or RBC for obtaining data.

The investigation, referred to in a July email by the OPC as the “Facebook partners” investigation, continued for two years. No updates were provided when The Tyee previously contacted the OPC, since it said it had to conduct its investigations in secret.

When The Tyee asked again about the status in July, Pilieci confirmed the OPC had terminated the investigation in March.

Whether to release findings or conclusions of an investigation is “decided by the Commissioner on a case-by-base basis,” Pilieci wrote in an email reply to Tyee questions.

Canada’s privacy law also “gives the Commissioner the authority to discontinue an investigation, under certain circumstances,” wrote Pilieci.

Facebook confirmed that it had wound down all of its messaging partnerships by April 2020 and that while the OPC has ongoing concerns, they can “more appropriately be dealt with through the ongoing legal proceeding against Facebook currently before the Federal Court of Canada,” Pilieci wrote.

“If granted, the relief our office is seeking in court could potentially ensure that Facebook obtains meaningful consent from its users for the sharing of personal information with third parties generally, whether via apps, partnerships or other business models,” wrote Pilieci.

RBC leaned on OPC

Previous communications obtained by The Tyee show that the privacy commissioner’s office has faced pressure from RBC over its disclosure of the investigation.

When The Tyee reported on the new investigation by the office, Bloomberg and Postmedia papers syndicating Bloomberg quickly picked up the story, citing The Tyee and running a headline backed up by Privacy Commissioner Therrien’s statement to MP Angus: "RBC Faces Canadian Privacy Investigation over Facebook Access.”

A subsequent federal access to information request revealed that staff at the privacy watchdog had received word from RBC it didn’t like the headline.

"The Bloomberg headline is problematic from RBC’s perspective,” said an OPC employee via email. "Hopefully they will update based on my email," said another staff member. Soon after publication, the headline was changed to instead cite the investigation of Facebook.