The article you just read was brought to you by a few thousand dedicated readers. Will you join them?

Thanks for coming by The Tyee and reading one of many original articles we’ll post today. Our team works hard to publish in-depth stories on topics that matter on a daily basis. Our motto is: No junk. Just good journalism.

Just as we care about the quality of our reporting, we care about making our stories accessible to all who want to read them and provide a pleasant reading experience. No intrusive ads to distract you. No paywall locking you out of an article you want to read. No clickbait to trick you into reading a sensational article.

There’s a reason why our site is unique and why we don’t have to rely on those tactics — our Tyee Builders program. Tyee Builders are readers who chip in a bit of money each month (or one-time) to our editorial budget. This amazing program allows us to pay our writers fairly, keep our focus on quality over quantity of articles, and provide a pleasant reading experience for those who visit our site.

In the past year, we’ve been able to double our staff team and boost our reporting. We invest all of the revenue we receive into producing more and better journalism. We want to keep growing, but we need your support to do it.

Fewer than 1 in 100 of our average monthly readers are signed up to Tyee Builders. If we reach 1% of our readers signing up to be Tyee Builders, we could continue to grow and do even more.

If you appreciate what The Tyee publishes and want to help us do more, please sign up to be a Tyee Builder today. You pick the amount, and you can cancel any time.

Support our growing independent newsroom and join Tyee Builders today.
Before you click away, we have something to ask you…

Do you value independent journalism that focuses on the issues that matter? Do you think Canada needs more in-depth, fact-based reporting? So do we. If you’d like to be part of the solution, we’d love it if you joined us in working on it.

The Tyee is an independent, paywall-free, reader-funded publication. While many other newsrooms are getting smaller or shutting down altogether, we’re bucking the trend and growing, while still keeping our articles free and open for everyone to read.

The reason why we’re able to grow and do more, and focus on quality reporting, is because our readers support us in doing that. Over 5,000 Tyee readers chip in to fund our newsroom on a monthly basis, and that supports our rockstar team of dedicated journalists.

Join a community of people who are helping to build a better journalism ecosystem. You pick the amount you’d like to contribute on a monthly basis, and you can cancel any time.

Help us make Canadian media better by joining Tyee Builders today.
We value: Our readers.
Our independence. Our region.
The power of real journalism.
We're reader supported.
Get our newsletter free.
Help pay for our reporting.
Rights + Justice

Yes, RBC Could Read Private Messages, Says Facebook

Facebook’s statement raises serious questions if true, says MP Angus.

By Bryan Carney 30 Jan 2019 |

Bryan Carney reports for The Tyee and is director of web production.

When the New York Times reported in December that three major corporations had obtained the ability to read all private messages of any Facebook users that connected to their accounts, Netflix and Spotify admitted they were granted that power by Facebook, but claimed they didn’t use it.

The other company, Royal Bank of Canada, was alone in denying that it ever had any such access. It would repeat its denial in coverage of the report by the Globe and Mail and CBC.

Now The Tyee has been told by a Facebook spokesperson that RBC did in fact have the power to read, write and delete private messages by Facebook members using RBC’s banking app, as the New York Times reported.

RBC repeated its denial to The Tyee.

If Facebook is correct it raises serious questions, says Charlie Angus, an MP and member of the Parliament’s Standing Committee on Access to Information, Privacy and Ethics that questioned Facebook in April 2018, after revelations of Facebook’s data sharing practices.

“My question is why did RBC want to have this capacity? And if they did obtain private messages, that would be very, very serious. They’ve said they haven’t so I have to take them at their word. But I would like clarification on why they would have wanted access,” Angus told The Tyee.

RBC began allowing customers to connect to Facebook in 2013 in order to send money transfers over the social media network, and shut down the service quietly in 2015.

If RBC had the abilities Facebook says it was granted, the bank could read every message its customers ever sent or received via Facebook, not just send or receive e-transfer notifications as RBC claims.

Though RBC customers had to approve Facebook’s connection, access to messages on Facebook’s platform typically included those the customer sent and received from other Facebook users who did not use RBC or consent.

“That was the whole [kind of] breach that allowed Aleksandr Kogan to end up with 67 million people’s personal information. Those loopholes were enormous. It’s hard to trust that those loopholes weren’t abused. I think it’s incumbent on a company like RBC to be very clear,” said Angus.

“This was at a time when there was very much a Wild West attitude about personal data and information — if you could get it you took it. So they would need to be able to explain very clearly that they did not.”

Among the questions left hanging, given the contradictory statements by RBC and Facebook are these:

1. Why do RBC and Facebook’s stories differ?

Did RBC merely misunderstand the abilities it obtained from Facebook or plan messaging features it didn’t use? If so why does it continue to double down when Facebook itself has confirmed the abilities?

2. Why would RBC want to read messages and why did Facebook grant it?

RBC says its app needed to “uniquely identify the recipient of funds” and notify these recipients via Facebook when it launched a payment service in 2013. It didn’t need to read previous Facebook messages of the sender, an ability Facebook says the bank acquired.

Documents released by U.K. Parliament show Facebook scrutinizing and denying Vancouver-based Hootsuite’s request for the ability to read mailboxes.

Why was RBC among a handful of companies granted that ability?

RBC was already on the defensive in 2013 about extensive permissions its app requested from users, the Globe and Mail then reported. The bank said then it would create a website to explain to consumers precisely which permissions it asked for and why.

3. How many RBC customers connected their accounts to Facebook?

Neither Facebook nor RBC disclosed how many RBC clients connected their bank accounts to the social network.

Facebook’s permission scheme required first that companies approve their apps for mailbox reading from Facebook. Next, the companies had to request permission from each customer of an app in turn when they installed the app.

Over 60 per cent of Canadian consumers in 2014 used mobile banking apps. That number grew to over 80 per cent by 2016, according to Statista. RBC is Canada’s largest bank, with 16 million clients.

Over 13 million Canadians used “over-the-top” messaging — online alternatives to text messages provided by phones — by 2015, the year RBC claimed it decommissioned its Facebook-connected services. Facebook boasted 700 million users of its messaging service the same year, and is now the top messaging service in Canada, also according to Statista.

Messaging apps, including Facebook Messenger in 2013, offered to take over internal text messaging on phones, making the networks the primary text communication route between some users.

4. Did RBC ever read any customer’s Facebook mailboxes?

Facebook said RBC did not make use of the mailbox-reading abilities it acquired in its app.

But Facebook did not answer if it could definitively determine the bank never read any mailboxes in testing or external to the features of the app once it acquired permissions to do so. The Facebook spokesperson instead referred The Tyee to RBC, who denied having the ability in the first place.

5. What does Facebook mean that data can’t be used for ‘independent purposes’?

Facebook’s claim may give the impression that companies are limited in uses of the data by some kind of technical restriction.

However, once data is downloaded from its “Application Programming Interface” — the live database used by software developers — it could be stored externally and manipulated or applied for any purpose without Facebook’s knowledge.

Political consulting firm Cambridge Analytica acquired data extracted from a Facebook app to influence elections, contrary to Facebook’s terms of use. The revelation caused a major scandal, partly because data obtained by the app included information about app users’ friends without their consent or awareness.

The data was collected by a separate app developer and provided to Cambridge Analytica. This was also against Facebook’s rules, but impossible to prevent by the nature of data in Facebook’s API.  [Tyee]

Read more: Rights + Justice, Media

Share this article

The Tyee is supported by readers like you

Join us and grow independent media in Canada

Facts matter. Get The Tyee's in-depth journalism delivered to your inbox for free

Tyee Commenting Guidelines

Do not:

  •  Use sexist, classist, racist or homophobic language
  • Libel or defame
  • Bully, threaten, name-call or troll
  • Troll patrol. Instead, downvote, or flag suspect activity
  • Attempt to guess other commenters’ real-life identities


  • Verify facts, debunk rumours
  • Add context and background
  • Spot typos and logical fallacies
  • Highlight reporting blind spots
  • Ignore trolls and flag violations
  • Treat all with respect and curiosity
  • Stay on topic
  • Connect with each other


The Barometer

Tyee Poll: Are You Preparing for the Next Climate Disaster?

Take this week's poll