A Tough Month for Facebook

As the Cambridge Analytica scandal unfolds, Danny Bradbury takes a closer look at Facebook’s track record as it pertains to data and privacy

In April 2018, Facebook CEO Mark Zuckerberg sat in a room filled with more politicians than you’d expect at a Congressional hearing. Almost half of the US Senate followed the next day whilst members of the House gathered to ask him just what Facebook thought it was doing. Zuckerberg’s handlers had carefully prepped him for the event, which punctuated the biggest scandal in the social network giant’s history.

The world had found out how Cambridge Analytica – run by hedge fund billionaire Robert Mercer and headed by Steve Bannon – gathered information on 87 million Facebook users via a quiz called thisisyourdigitallife. It was a Facebook app written by Cambridge University researcher and St Petersburg associate professor Aleksandr Kogan, who collaborated with Cambridge Analytica’s parent firm SCL through his company, Global Science Research.

The quiz gathered information from the profiles of the people that filled it out (known as seeders), but it also mined their friends’ data, giving Cambridge Analytica access to raw data on almost a fifth of the US population, and on over a million UK residents.

The data that Cambridge Analytica harvested covered those points you might expect, such as age and gender, but also delved into other, more nuanced characteristics. These included openness, conscientiousness, life satisfaction, IQ and political views. The firm – which worked with the Trump campaign and with the pro-Brexit Vote Leave organization – had unprecedented insights into how millions of people thought and felt.

Facebook knew about this infraction as far back as 2015 but reportedly didn’t address the problem with Cambridge Analytica until 2016, when its lawyers sent the firm’s research director Christopher Wylie a letter asking him to destroy all information collected by GSR.

Wylie has said that Facebook failed to follow up on its request, while Facebook has stated that Wylie and others certified that it had been deleted. In fact, there were still unencrypted copies of the data, which Wylie revealed in March when he blew the whistle on Cambridge Analytica’s massive data harvesting campaign.

The story caused Facebook to panic and the social network made public apologies via newspaper advertisements and Zuckerberg’s statements to Congress.

It isn’t enough, warns Ann Cavoukian, former privacy commissioner of Ontario, Canada and now leader of the Privacy by Design Centre of Excellence at Ryerson University. “All around the world, regulators are investigating, and there’s simply no trust in Facebook or what they say,” she warns.

Cavalier Attitude Towards Privacy

Since then, other infractions have come to light. People have been shocked at how much data the firm was collecting on their texts via its messenger app, for example. The company also admitted that thanks to a feature that enabled people to search profiles via phone numbers or email addresses, most of its users’ profiles may have been scraped by online bots.

The thing is, Facebook has been making privacy slip-ups for years. The phone search feature had been reported as far back as 2012. The ACLU warned about permissive information gathering via quizzes back in 2009.

In 2006, Zuckerberg apologized for not building proper privacy controls into its news feed service, admitting that the company “really messed this one up.” In 2007, it launched Beacon, which shared what users were doing on other websites with their friends. It only enabled people to turn it off after complaints. “I know we can do better,” said Zuckerberg.

In 2009, the Canadian Privacy Commissioner found privacy flaws in Facebook, including a lack of transparency for users.

In 2011, the Federal Trade Commission reached a consent decree with Facebook after finding more privacy infractions, including making users’ friend lists public even if they had set them to private, and failing to verify the security of apps on a ‘verified apps’ list. “I’m the first to admit that we’ve made a bunch of mistakes,” said Zuckerberg at the time.

There are plenty of other examples of Facebook’s consistently cavalier attitude towards privacy. In 2012, regulators in Europe highlighted one when they banned the company’s facial recognition technology, which enables it to automatically find people in photographs.

Justin Cappos, associate professor of computer science and engineering at New York University’s Tandon School of Engineering, frets about ‘shadow profiles’ that Facebook builds by harvesting ancillary information about people. The information can come from sources including other sites that they surf containing Facebook’s trackers, along with other people’s contact lists.

These shadow profiles exist for those that have never even signed up for Facebook, warns Cappos, adding that Zuckerberg was vague about it in his Congressional testimony.

“He steered the answers back to getting people to think about the data that they put into Facebook’s website,” said Cappos. “That isn’t the most concerning data that Facebook has.”

The question is, will Facebook change?

Opaque Facebook

In early April, the social networking giant did vow to make some changes. It restricted third-party apps’ access to information about events, groups, pages and select personal data.

While app authors can still apply to access information such as photos, posts and likes, Facebook said that it has also tightened its review process for these requests.

Additionally, it reduced the call and text information gathered by its Messenger or Facebook Lite apps and is also introducing an app control feature so that users can see what apps they’re using at the top of their news feed.

Finally, the firm is preventing the searching of profiles using email or phone data.

One thing that could force more changes is the Honest Ads Act, a bill currently before both Houses on the Hill. The legislation mandates strict public documentation of advertising purchases to support political campaigns.

With GDPR about to place the most stringent privacy protections in history onto companies holding data on EU citizens, the social network may be forced to take even more severe action. However, Zuckerberg has been equivocating, both to news agencies and to Congress, about whether Facebook will extend its GDPR compliance further, saying that the company would look at doing it ‘in spirit.’ In the meantime, it is already creating controversy by testing that previously banned facial recognition technology on European users.

That is perhaps the biggest problem with Facebook. Despite the company’s consistent apologies and promises to do better, it is difficult to see what it is doing behind the scenes.

Cappos warns that it is difficult to trust a company that is often opaque.

“It’s important to have enough transparency to understand what’s happening, why and how. The fact that this isn’t available makes it frightening and risky because you frankly don’t know what they’re doing,” he says. “By the way, what they say they’re going to do and what they actually do is not the same thing either.”

Underlining this point, the FTC is now investigating Facebook to see whether it violated the 2011 consent decree. If the FTC finds that it has, the fines could run into billions of dollars.

To truly change its privacy stance, Facebook may need to change its underlying business model. Virtual reality pioneer Jaron Lanier has called for alternatives to the free model on which the likes of Facebook have grown. After all, if Netflix could do it for TV, then why couldn’t we do it for other online services, he asks.

Cappos is sceptical that companies like Facebook will make the fundamental change necessary to foreground privacy.

“Now it’s difficult because you have these massive companies with a strong vested interest in having users with very little privacy,” he says. “On the side of those that want privacy, you have people like the ACLU, the Electronic Frontier Foundation and some researchers. I don’t think we have the lobbying power that these big organizations do.”

Neither do they have the money. While Zuckerberg smirked his way through the congressional hearings, telling one in three senators that he’d have his team get back to them with answers, the markets reacted positively, sending the firm’s stock soaring over 4.5%. During that time, Zuckerberg’s worth increased by around $3bn. That’s not bad for two days’ work.
