(CNN Money) — A Russian internet company with links to the Kremlin could have had access to the Facebook data of millions of people in the US without their knowledge, CNN has learned.
Through a long list of Facebook applications, Russian technology conglomerate Mail.Ru Group had the ability to access to information including users’ names as well as their genders, birthdays, locations, and likes” on Facebook, a source briefed on the investigation into the misuse of Facebook data told CNN.
Facebook told CNN on Tuesday that apps developed by the Mail.Ru Group were being looked at as part of the company’s wider investigation into the misuse of Facebook user data in light of the Cambridge Analytica scandal.
Mail.Ru Group developed hundreds of Facebook apps, some of which were test apps that were not made public, Facebook said.
Prior to 2015, in some cases, when Facebook users interacted with apps built by third-party developers on Facebook, the developer not only received data about that user, but also about the users’ friends.
Mail.Ru said less than 10% of its Facebook app users were in the US. However, because of how Facebook apps worked prior to 2015, users of the apps outside the US could have also exposed the Facebook details of their Facebook friends in the US.
Michael Carpenter, a former U.S. deputy assistant secretary of defense with responsibility for Russia, told CNN that the information Mail.Ru collected on Americans could then have been scooped up by Russia’s domestic spy agency, the FSB, which can get access to information held by Russian Internet and communications companies, including Mail.Ru.
“What this means is that all data that Facebook users shared through this agreement with Mail.Ru is now available to the Russian intelligence services. All of it. And that is incredibly troubling,” Carpenter said.
“Mail.Ru is a large Russian company. It has to abide by Russia’s laws. It has to do what the intelligence services demand of it, and in this case they demand that they provide access to all of their data.”
Sandy Parakilas, a former Facebook employee who now works at the Center for Humane Technology told CNN, “Unfortunately there is no way for Facebook to know what happened to the data once it left its servers, so there’s no way for them to know if there was any misuse of not.” Facebook told CNN it has not found any evidence of misuse of Mail.ru’s data.
Mail.Ru told CNN on Wednesday that “User data was neither shared with nor made accessible to any Russian government agency,” and that “Sharing of that user data was not required and there were no such requests from the authorities.”
Mail.Ru also said that it never harvested any data including users’ friends. “Friends of users … have been used to power an app’s functionality (e.g. to share game results with a friend, to invite a friend to join the game etc). It is and was done by any app of any app developer globally,” Mail.Ru said.
The company also said that it could not provide an exact number for how many users it had in the US but claimed it was only in the tens of thousands.
Mail.Ru told CNN Wednesday that it is cooperating with Facebook for its investigation.
In 2014 Facebook announced that it would restrict developers’ access to data on app users’ friends by May 2015.
However, Facebook told CNN it granted two Mail.Ru apps an extension of two weeks beyond that deadline.
The Russian company’s use of Facebook apps came under scrutiny after Facebook told Congress two weeks ago that it had granted an extension of less than six months on access to data to 61 companies, including Mail.Ru, beyond May 2015.
Facebook did not disclose who was responsible for granting Mail.Ru an extension.
Facebook would not say on Tuesday how much user data the Mail.Ru Group obtained or if any data was obtained about Americans.
In a written statement provided to CNN after an interview on Tuesday, Facebook Vice President of Partnerships Ime Archibong said, “Facebook is a global company with users all over the world so we work with developers globally to bring our services to people everywhere — as long as those developers adhere to our platform policies. Mail.ru, one of the top five largest internet companies in the world, has built apps for the Facebook platform and for other major platforms, including iOS and Android for years. We’ve found no indication of misuse with Mail.ru. If we find misuse, we ban the developers.”
Mail.Ru Group is controlled by USM Holdings, a company founded by Alisher Usmanov, who was included on a list the U.S. Treasury Department published in January of Russian billionaires with ties to the Kremlin.
It denied to CNN the suggestion that it is linked to the Kremlin, noting that it is a publicly traded company, and adding “putting our business in a political context has nothing to do with reality.”
Facebook CEO Mark Zuckerberg ordered an investigation into potential misuse of Facebook user data gathered through third-party apps a few days after the Cambridge Analytica story broke in March.
“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again,” Zuckerberg said in a Facebook post at the time.
An app developer working for Cambridge Analytica in 2014 built an online survey that gathered data on tens of millions of Americans, most of whom had never downloaded or taken the survey. Cambridge Analytica went on to work on Donald Trump’s 2016 presidential campaign.
© Copyright 2018 CNN. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed.