Facebook's woes mounted Wednesday as it faced a lawsuit alleging privacy violations related to data leaked to a consultancy working on Donald Trump's 2016 campaign, and as a new report suggested it shared more data with partners than it has acknowledged.
Facebook shares already sagging under the weight of the social network's troubles ended the trading day down 7.25 percent to $133.24 and slipped even lower in after-market trades.
The suit filed by the attorney general for the US capital Washington is likely the first by an official US body that could impose consequences on the world's leading social network for data misuse.
"Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used," said Attorney General Karl Racine in a statement.
"Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users' permission."
The suit filed in Superior Court in Washington seeks an injunction to make sure Facebook puts in place safeguards to monitor users' data and makes it easier for users to control privacy settings, and demands restitution for consumers.
Facebook said it was reviewing the complaint and looked forward to continuing discussions with attorneys general in DC "and elsewhere."
The social network has admitted that up to 87 million users may have had their data hijacked by Cambridge Analytica, which shut down weeks after the news emerged on its handling of private user information.
A whistleblower at the consultancy, which worked on Trump's presidential campaign, said it used Facebook data to develop profiles of users who were targeted with personalized messages that could have played on their fears.
The scandal has triggered a series of investigations and broad review by Facebook on how it shares user data with third parties.
- Sharing with 150 partners -
The New York Times reported that some 150 companies -- including powerful partners like Amazon, Microsoft, Netflix and Spotify -- could access detailed information about Facebook users, including data about their friends.
According to documents seen by the Times, Facebook allowed Microsoft's Bing search engine to see names of Facebook users' friends without consent and gave Netflix and Spotify the ability to read private messages.
The report said Amazon was able to obtain user names and contact information through their friends, and Yahoo could view streams of friends' posts.
While some of the deals date back as far as 2010, the Times said they remained active as late as 2017 -- and some were still in effect this year.
Facebook late Wednesday pushed back against critics, saying it had carefully negotiated deals with select partners to explore features such as friends sharing what they were listening to on Spotify or watching on Netflix.
"In the past day, we've been accused of disclosing people's private messages to partners without their knowledge," Facebook vice president of product partnerships Ime Archibong said in a blog post.
"That's not true."
To exchange messages or complete tasks such as sharing files or sending money, apps being used require the relevant technical access.
"Why did the messaging partners have read/write/delete messaging access?" Archibong asked rhetorically.
"That was the point of this feature."
The experiences at issue were publicly discussed, and only available when people used Facebook to log into services, according to the social network.
"No third party was reading your private messages, or writing messages to your friends without your permission," Archibong said.
Facebook's head of developer platforms and programs, Konstantinos Papamiltiadis noted most of the features are now gone.
- Netflix, Spotify deny reading messages
Netflix said that the feature was used to make the streaming service "more social" by allowing users to make recommendations to friends, but that it stopped using it in 2015.
"At no time did we access people's private messages on Facebook or ask for the ability to do so," Netflix said in a statement.
Spotify offered a similar response, indicating the music service "cannot read users' private Facebook inbox messages across any of our current integrations."
The Canadian bank RBC, also cited in The New York Times, said the deal with Facebook "was limited to the development of a service that enabled clients to facilitate payment transactions to their Facebook friends," and that it was discontinued in 2015.
Democratic Senator Brian Schatz said the latest revelations highlight a need for tougher controls on how tech companies handle user data.
"It has never been more clear," Schatz tweeted. "We need a federal privacy law. They are never going to volunteer to do the right thing."