Yes, that is possible too. Facebook has issued more user data without our permission, according to research by the NYT. This time around 60 phone and tablet manufacturers including Samsung, Apple, Amazon and Blackberry. They had special agreements with Facebook that gave them access to user data without asking for permission. After the Cambridge Analytica scandal Facebook indicated that the changes they had made in 2014 would prevent this from happening again, but now it appears that the agreements with the hardware makers are excluded from those changes.
Tested in 2018
The Times used an older Blackberry device with the Hub App that you can use to log in to Facebook. After that it was very easy to get specific data from the friends of the user, including religious conviction, relationship status and events they wanted to visit. Not only that, also from the friends of the friends (almost 300,000 people), data could be viewed, albeit less specifically. Mind you: this could be independent of the privacy settings of all those people, because that is not what this app looked at. Even the data of people who had everything locked up was passed on.
There are apparently different rules for large companies that make smartphones. Facebook says that these companies can be trusted and that there are clear agreements about what can and can not be done with that data. That may be true, but that does not change the fact that the user data was handled very loosely without the consent of the users. If it was still about data that was available in the past and now was not something to say for it: smartphone makers ruin themselves when someone finds out that they have passed on data, so that is not worth it. The fact that it is still possible now is very bad.
Facebook finds it all exaggerated. They say they are not aware of abuse by a manufacturer and they also consider the smartphone makers as special partners, so in the eyes of Facebook the data never went ‘out’. That while they also just say that some hardware makers also have data on their own servers. It is a major privacy problem and even after Cambridge Analytica Facebook has not yet closed for 100% (so far only one third of the partnerships have been terminated) is too bizarre for words.
In the US it could also give them some additional problems. In FTC there was already agreed with watchdog FTC in 2011 that data should only be shared by users after explicit consent so that all these ‘exception cases’ have gone through and are still doing so. Again, this is not the same story as with Cambridge Analytica: there is no demonstrable loss of user data and what is left with hardware manufacturers will really be safe and (if this becomes a bit of a thing) probably very quickly removed. It is all about the principle here: while Mark Zuckerberg can proclaim that it really is not possible anymore, it is still possible for some parties. Facebook not only has a data problem but above all a transparency problem. And then you ask yourself: what do not we all know yet?