How private is Facebook (FB  ) really? A few months ago, reports revealed that political firm Cambridge Analytica harvested the private information of over 50 million Facebook users without their permission in 2014. Now, a report from The New York Times has revealed that over the past decade, Facebook shared user data with several major device makers.

Facebook said that the data access Cambridge Analytica exploited in 2014 came to an end in 2015, when Facebook banned developers from collecting information about user's friend networks. But Facebook did not make clear that device makers were exempted from this prohibition.

Third parties like app developers can request and access certain information about users through public data channels, known as application programming interfaces, or APIs. This includes information available on the user's profile page, such as relationship and employment status, political leanings, and interest in upcoming events.

But since 2007, Facebook has not considered device makers to be third parties, instead classifying them as "service providers."

As such, device makers are allowed to gather even more information through private data channels, including information about a user's Facebook friends. In some instances, companies have been able to access data from users' friends even when these friends had opted to restrict data sharing in their personal settings.

Over the years, Facebook has forged data-sharing partnerships with nearly 60 phone companies and other device makers, including Apple (AAPL  ), Amazon (AMZN  ), BlackBerry (BB  ), Microsoft (MSFT  ), and Samsung (KRX: 005930).

Facebook has said that they made these partnerships only to allow companies to provide the "Facebook experience" by adding popular Facebook features, such as "like" buttons and messaging, to their devices. Apple, for instance, acknowledged that it used the private access to create a feature that let users post photos to Facebook directly, without opening the Facebook app. Several of Facebook's hardware partners have said that they chose to protect, rather than monetize, user data, and that the data was used solely to enhance user experience. No particular instance of data misuse by any device partner has been identified, Facebook was keen to point out.

Still, this sharing of user information may be a violation of 2011 Federal Trade Commission consent decree, which prevented Facebook from overriding user privacy settings without the consent of the user. The FTC is already investigating Facebook over the Cambridge Analytica case. Facebook has argued that its policies towards hardware partners does not violate the consent decree, as service providers are not covered by it.

Many of these partnerships are still in effect, though Facebook quietly began ending some of them in April 2018 after an internal review of privacy practices in the wake of Cambridge Analytica. About 22 have ended thus far.