Online and offline media are overflowing with thought-provoking questions following Facebook’s privacy mistakes. Questions like:
Who has your personal data? What private data on Facebook was shared with others without transparent permission? Was there a data breach?
How are your online actions being captured, bundled and used by third parties? Are "data broker" services combining data from multiple sources to create detailed profiles that go far beyond what any one social media company knows about a user?
Are third party application developers and others complying with privacy rules and regulations? Can data that is passed to them from an "anonymous source" be linked to specific individuals?
How are data sharing agreements being monitored for misuse? Will more whistleblowers come forward to reveal improper data access?
These are just a few of the hundreds of privacy-related questions that are swirling around the Internet right now.
But my big question is this: What companies or governments might be next?
Background: What Happened with Facebook Data to Cause This Privacy Uproar?
On March 20, 2018, The Guardian Newspaper (UK) described the routine (yet “utterly horrifying”) practice of covert data harvesting. Here’s an excerpt:
“Sandy Parakilas, the platform operations manager at Facebook responsible for policing data breaches by third-party software developers between 2011 and 2012, told the Guardian he warned senior executives at the company that its lax approach to data protection risked a major breach.
‘My concerns were that all of the data that left Facebook servers to developers could not be monitored by Facebook, so we had no idea what developers were doing with the data,’ he said.”
Several weeks back, a whistleblower named Christopher Wylie, revealed that his previous employer, a company named Cambridge Analytica, was able to get Facebook data from 50 million users to ‘change audience behavior’ regarding a variety of topics — including influencing online opinions regarding voting. In the YouTube video shown below, Wylie describes the process as a “full service propaganda machine.”
Further, the Chicago Tribune reported that Facebook users have been giving away their data for a decade, but most people did not (and do not) understand the extent to which their data was used and shared to influence them and their friends, beyond perhaps shopping for goods. Here’s an excerpt:
“Now, concerns about sharing every aspect of life on social media are coming to a head amid reports that a political consulting firm hired by President Donald Trump’s campaign allegedly used ill-gotten Facebook data in an effort to influence voter behavior. Users are weighing whether to quit the social media platform and calling for greater online privacy protection.
But experts say those concerns won’t be enough to change the behavior of the masses. Social media have become ubiquitous, and many users are either ambivalent toward data privacy or don’t understand what they’ve given up by agreeing to the terms of service in order to create an account. …”
In addition, Wired magazine offered this short history of Facebook’s privacy gaffes.
How have users responded to these revelations? The reaction has been mixed, but some users have urged others to delete their accounts. According to this USA Today report:
“In recent days, Facebook users have piled onto the hashtag #DeleteFacebook, threatening to desert their Facebook accounts to protest the social media giant's mishandling of their personal information.
Despite all the talk, it's unlikely a significant number of them will walk, even after allegations that the consulting firm Cambridge Analytica obtained and kept the data of tens of millions of users to help get Donald Trump elected, and Facebook didn't stop it.
Instead, some people are toying with a social media sabbatical or detox — or just using Facebook less. …”
What Does Facebook’s Response Reveal about the Future of Privacy?
In response to these reports, Facebook has vowed to make changes.
Facebook CEO Mark Zuckerberg admitted that mistakes were made with user data:
“On Wednesday, a contrite Zuckerberg revealed steps his company is taking to improve how it safeguards users’ data.
‘We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,’ Zuckerberg said in a 937-word post on his personal Facebook page. ‘I started Facebook, and at the end of the day I’m responsible for what happens on our platform.’”
However, Zuckerberg also pointed the finger at third party developers — claiming that they need to do the things that they legally certified they will do regarding the protection and use of data.
Facebook has committed to change several of their policies to try to restore trust, and to sever ties with data brokers. Facebook also adjusted the privacy settings on its service, giving users more control over their personal information with fewer taps.
In addition, Facebook announced a change to their bug bounty program that will pay you to report the misuse of data by third party application developers.
Two important indications that this situation is different than previous Facebook and wider tech industry privacy mishaps include the increased government scrutiny and the drop in Facebook’s stock price.
The Wall Street Journal reported that the Federal Trade Commission and state attorneys general are investigating Facebook: “Government officials ratcheted up pressure Monday on Facebook Inc. over its handling of user data, with federal regulators saying they are investigating the social-media giant’s privacy policies and 37 state attorneys general demanding explanations for its practices.”
Also, Mark Zuckerberg has agreed to testify before Congress, although the exact date is still unknown.
What Comes Next? Who Is Next?
It’s only April, but 2018 may go down as the year that online privacy strikes back.
In addition to this Facebook story, global press has widespread coverage of the hot topic of the European Union’s GDPR legislation taking affect in May.
While the current media focus is on Facebook’s privacy practices, and to a much lesser extent on the Google privacy policies, I think these same questions about data usage (and potential misuse) will eventually touch the wider technology industry and go beyond social media. Many of the same questions that started this article can (and should be) asked about user data from other public and private sector organizations.
Sure, Google and Facebook are the largest entities online to face current privacy scrutiny, but most governments have very little insight into how private-sector contractors and application developers are truly using their citizen and other user data that is legally handed over. Contracts may state privacy provisions, but how are these provisions being monitored and enforced?
Tough privacy questions will only grow with smart cities data and the growth of the Internet of Things (IoT).
Some of the excellent questions being asked to Facebook from state attorneys general include:
Were those terms of service clear and understandable, or buried in boilerplate where few users would even read them? How did Facebook monitor what these developers did with all the data that they collected? What type of controls did Facebook have over the data given to developers? Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user’s data? How many users in our respective states were impacted? When did Facebook learn of this breach of privacy protections? During this time frame, what other third party “research” applications were also able to access the data of unsuspecting Facebook users? Nevertheless, these same questions can (and will) be asked to other public- and private-sector organizations in the coming months and years ahead. Perhaps Amazon or another large online technology company with a similar business model to Facebook will struggle with enforcing privacy policies with partners.
Only time will tell if / when there will be another public backlash.
My Final Thoughts
The Pew Research Center offered this well-written summary of Americans’ complicated feelings about social media in an era of privacy concerns. Their charts show the dramatic growth of social media use over the past decade, and it is clear that the majority of Americans participate to some degree.
At the same time, there is widespread fear that personal data is being misused and that they have lost control over how their personal information is collected and used. People seemed willing to share data freely in exchange for Facebook features, as long as they were only targeted with ads about such things as Christmas presents. But when users found out that political opinions and/or other opinions about social causes were being manipulated, a revolt ensued.
Later this year, I will return to the topic of new trends regarding social media, which are articulated well in this piece about Facebook by Thomas L. Friedman. He believes that a new era may emerge for social media 2.0 that is more about users understanding their values and applying them to their online world. I agree with this, and I articulated a similar goal for "surfing your values" in my book, Virtual Integrity.
The current Facebook story is perhaps the tipping point for more global privacy protections at a time when the General Data Protection Regulations are also coming into effect in Europe.
Going further, I think these data protection questions will lead to more whistleblowers describing how various companies are misusing client data worldwide. Whether that data originates from government collections of data or separate private-sector efforts, the end-to-end monitoring of data control and data access is an ongoing problem.
We have seen a decade where unauthorized data breaches from hackers accessing databases have made headlines on an almost-weekly basis. However, much less emphasis has been placed on third party access to sensitive data by business partners.
Yes — data protection and privacy clauses are already in most technology outsourcing and application development contracts, but as Mark Zuckerberg articulated, assuming that these contract clauses are being followed is no longer good enough.
Bottom line: The tech industry is about to see an overhaul in expectations regarding what it means to “trust but verify” security and privacy protections of data collected.