By Lisa LeVasseur

The views expressed below are those of the author and do not necessarily reflect those of the Carr Center for Human Rights Policy or Harvard Kennedy School. These perspectives have been presented to encourage debate on important public policy challenges.
One of the most impactful chapters of Sarah Wynn-Williams’s recent exposé on Meta, “Careless People: A Cautionary Tale of Power, Greed, and Lost Idealism”, is chapter 46 on Myanmar, where the author lays out the ways in which Facebook (at the time) contributed to the Rohingya genocide. Only the more technically aware will recognize the mechanics that contributed to the devastation: the third-party use of either Facebook’s software development kits (SDKs) or application programming interfaces (APIs) to allow third-party app developers to read and write directly to Facebook servers.[1] In other words, Facebook’s own software products (SDKs or APIs) were being used in the manner for which they were designed, but apparently bypassing any content moderation guardrails instituted by Facebook. The situation raises several questions:
- Why were Facebook posts supplied via SDK in third-party apps excepted from Facebook moderation channels? Presumably these posts were still stored on Facebook-owned servers.
- The author reports that the app was unavailable for download in June 2015, but earlier, Wynn-Williams indicates that the “official” app was widely preloaded (and its data use zero-rated) on mobile phones in Myanmar, where “if you’re on the internet, you’re on Facebook because of this.” This must mean that only legacy mobiles [pre-Facebook preload] were the ones installing “unofficial versions of the app”. Surely there must have been numerous objectionable posts coming in on phones with the official preloaded Facebook App?
- Why did it take a year for Facebook’s head of global public policy to understand the nature of Facebook’s technologies and the propagative effect of SDKs?
What are SDKs?
Mobile SDKs are like LEGO building blocks for mobile apps: they perform key functionality that makes no economic or practical sense for the developer to redevelop themselves.
SDKs are a well-known growth, monetization, and engagement tactic; SDKs and APIs are at the heart of ecosystem and network-effect creation. There is no “platform” without the means for third parties to develop apps for it; there is no “platform” without SDKs and APIs. Developers of all stripes are particularly motivated to develop mobile SDKs to perform ongoing personal data collection (especially location).
Every social media platform leverages the power of providing mobile SDKs to foster adoption, subscriber growth, and overall use of the platform, especially ads. There are typically four key functionalities provided by social media platform SDKs.
- Login SDK: This SDK allows 3rd party apps to permit users to sign into social media platforms using their social media credentials[2]. This then allows the apps to access information from the user’s Facebook account.
- Share SDK: This SDK allows 3rd party apps to permit users to share content from the 3rd party apps to their Facebook network.
- Display Content SDK: This SDK allows 3rd party apps to read and display content from the user’s Facebook account. Quite often Share and Display are bundled into a single SDK.
- Ads/Ad Network SDK: This SDK allows 3rd party apps to display mobile ads from the social media platform. This is vital for app monetization.[3]
It is important to note that SDKs are integrated directly into the app source code and therefore have access to all the permissions to native resources that the app has, such as precise location, camera, or microphone, to name a few.
Facebook SDKs Allow for Hundreds of Thousands of “Feeder” Apps
What distinguishes social media platforms from other apps is that their SDKs are extremely widely adopted—especially when they are successful platforms like Facebook. At the time of this writing, Facebook SDKs are integrated into 414,204 mobile apps worldwide. Today, there are nearly 270,000 non-Facebook apps that allow users to share via Facebook. Was this content ever moderated, even before Meta’s recent reversal of their obligations for content moderation?
| SDK | # Apps |
| --- | --- |
| Facebook Ads | 145,958 |
| Facebook Analytics | 200,947 |
| Facebook Login | 305,220 |
| Facebook Share | 269,750 |
| Total number using at least 1 Facebook SDK | 414,204 |

Source: AppFigures (accessed on 3/17/25)
Social Media Platform Responsibilities
The Facebook Myanmar case makes clear the need for greater internal and external oversight for social media platforms, as well as better technical guardrails in SDKs themselves.
The following passage from “Careless People” describes how the authentic Facebook app was blocked in Myanmar, and how the proliferation of “unofficial versions of the app” was responsible for the absence of content moderation:
“And then, the kicker in June 2015: while trying to help groups and activists report abusive content on Facebook, my team starts noticing that users appear to be using unofficial Facebook apps that don’t offer a reporting function. This is something that civil society had been trying to tell us, but it seemed so preposterous that we didn’t believe them initially. Then we learn that the official Facebook app is still unavailable for download in Myanmar and, as a result, unofficial versions of the app get shared through friends and at mobile shops…. This explains why we’ve had a steady flow of complaints from the junta, civil society, activists, and others all complaining about fake news, hacked accounts, and racist, violent, threatening content on the site. They said it’s impossible to report these posts, and in the few cases they managed to get a report through, no one took action. They clicked on a button and nothing happened. It also explains why the content team confidently assured me throughout 2014 that users in Myanmar weren’t filing reports about questionable content. Of course they weren’t filing reports. Of course we took no action. Our users weren’t using apps capable of any of that.” (pp. 350-351)
The language of the last sentence is telling in its attempt to distance Facebook from accountability. No, Facebook’s users weren’t using apps capable of content moderation, but they were using Facebook’s SDK products. Why did it take a highly technical company like Facebook a year to realize that “unofficial versions of the app”—i.e. apps using SDKs provided by Facebook—were creating problems? The racist, inflammatory, and harmful posts from the “unofficial versions of the app” must have resided on Facebook servers. How is it that millions of posts got stored on Facebook servers without passing through content moderation? Further, what should the responsibilities of social media platform SDK owners be with respect to their SDKs and APIs, given potentially tragic outcomes, such as in Myanmar?
SDK integration is often achieved by a clickthrough developer agreement, or even less. Facebook’s current SDK integration is nearly frictionless: the source code is freely available via GitHub and the Terms of Use is a contract of adhesion as can be seen from the screen grab below.

Source: Accessed 3/17/25
This comes as no surprise given the “damn the torpedoes” upper management attitude towards growth at all costs painted by Wynn-Williams.
While the recent trend of increased scrutiny of social media platforms is welcome, particularly looking into addictive user interface behaviors, there are other fronts that need additional scrutiny, such as SDKs and APIs. Assessment of the overall riskiness of a social media platform and company must include assessing all products related to the ecosystem, including SDKs, APIs, and arguably the entire constellation of the hundreds of thousands of apps built using SDKs and APIs. Similarly, there must be greater corporate oversight and governance around behaviors of third party apps built using the company’s SDKs and APIs. A model of “publish and punt” for SDKs is no longer acceptable.
In January 2025, the US began banning TikTok apps. But which apps exactly? Currently, there are 44,097[4] apps available in the US that include TikTok SDKs. Does the ban equally apply to those apps? Should it?
A final observation: if we are to believe the shockingly large blind spot in Facebook’s global public policy team regarding the breadth of Facebook’s technology product portfolio (i.e. that it includes SDKs and APIs), it speaks to a troubling schism between technical and non-technical functions within the company. This kind of disconnect is not unusual. However, to keep humans and societies safe, we need far greater participation and coordination between corporate public policy heads, lawmakers, and technology experts. Technology is rapidly eclipsing our ability to understand and monitor it, and loss of life is too high a price to pay because non-technical policy personnel didn’t recognize that their own SDKs and APIs could result in the building of Facebook clone apps.
Lisa LeVasseur, Founder, Executive Director, and Research Director of Internet Safety Labs (ISL); Technology and Human Rights Fellow, Carr Center
[1] It’s likely that the mobile developers were using Facebook’s mobile SDKs due to their ease of integration versus APIs, which require a developer account and key. For the remainder of this piece, we assume the use of SDKs. In either case, Facebook owed a greater duty of care for their SDK and API products.
[2] Note that some platforms also support federated identity, which allows 3rd parties to completely rely on the social media platform login and not have to be troubled with the effort of having to write or integrate identity and access management functionality. Facebook rolled this out in approximately 2021.
[3] In Internet Safety Labs’ research, we found that 46% of the 538 SDKs used by free mobile apps in the app stores are for advertising and marketing purposes.
[4] Source: AppFigures
Image credit: Jason Howie, CC BY 2.0, via Wikimedia Commons