Why Facebook’s new Libra cryptocurrency will be a privacy disaster

Posted on Jul 5, 2019 by Glyn Moody

Facebook has been appearing on this blog with increasing frequency. In one way, that’s natural. A social network, by definition, is about people and their personal information, and so is likely to be of interest to readers of this site. But Facebook is frequently cavalier in how with how it uses that information, despite repeated claims that it values the privacy of its users – hence the numerous posts about its misdeeds.

This post is about an important new Facebook project that is likely to have a major impact on privacy in the online world. Mark Zuckerberg has announced that Facebook will be launching its own cryptocurrency, Libra, with roll-out planned for 2020. A useful white paper outlining the main features of the new project has a good definition. Libra is:

A stable currency built on a secure and stable open-source blockchain, backed by a reserve of real assets, and governed by an independent association.

Libra differs from better-known cryptocurrencies in at least two important respects. It is designed to be “stable”: that is, the value of a Libra unit will be kept roughly constant. That’s unlike other cryptocurrencies, which are often launched with the promise or assumption that each unit will gain in value over time. Libra is also radically different in that every unit of Libra is backed by real assets, represented by holdings in other currencies.

Essentially, this means that Libra is designed to be a means of exchange, rather than a speculative instrument. Indeed, its initial use will be to enable safe and very low-cost international transfers of funds. They will typically be sent using the kind of low-end mobile phones that hundreds of millions of people use today. Such remittances are a vital part of many emerging economies, where people who work overseas send back funds to their families at home. The World Bank estimates that annual remittance flows to low- and middle-income countries reached $529 billion in 2018. Currently it is often relatively expensive to send money, particularly for people who do not have bank accounts. A UNESCO report says that on average remittance transaction costs eat up 7% of the sum sent. A secure but simple system based around Libra, with very low transaction costs, could be a real boon for many people around the world.

As the white paper definition quoted above notes, Libra is run by an independent, not-for-profit Libra Association, based in Switzerland. Facebook is just one member of the governing Libra Association Council. Other big names that have already joined include payment companies like Mastercard, PayPal, PayU, Stripe and Visa, online service companies like Booking, eBay, Farfetch, Lyft, Spotify and Uber, and non-profits. Each member of the Council has one vote, and operates one of the nodes of the Libra network that defines the public blockchain record. Unlike Bitcoin and other cryptocurrencies, Libra is a permissioned network, where only authorized nodes can participate. Transactions are pseudonymous, not anonymous, and are potentially vulnerable to government demands for details about who sent funds to whom, and when. There are vague plans to move to a fully decentralized, permissionless network, although this raises questions about whether it could cope with the scale that is envisaged for the Libra system.

Libra was designed by Facebook, but the company has gone out of its way to relinquish direct control, using an open-source design, and the independent Libra Association, which controls the cryptocurrency, the currency reserves and infrastructure. This is a shrewd move. As well as helping somewhat to assuage fears that Facebook will be controlling a globe-spanning cryptocurrency, making Libra open will encourage other major players to adopt it, and speed its uptake. But there is another element of the Libra cryptocurrency network that Facebook does control: Calibra. A Facebook press release explains:

Today we’re sharing plans for Calibra, a newly formed Facebook subsidiary whose goal is to provide financial services that will let people access and participate in the Libra network. The first product Calibra will introduce is a digital wallet for Libra, a new global currency powered by blockchain technology. The wallet will be available in Messenger, WhatsApp and as a standalone app – and we expect to launch in 2020.

As that notes, a Libra digital wallet will be built in to Messenger and WhatsApp. This will allow funds to be sent effortlessly to family and friends using those services. But the key phrase there is “a newly formed Facebook subsidiary whose goal is to provide financial services”. Calibra seems to be the start of Facebook’s long-awaited move into e-commerce that Privacy News Online has discussed before. A core requirement for e-commerce is a trustworthy and easy-to-use online payment system, which is precisely what Libra will provide.

With these announcements, we can begin to see how Facebook hopes to emulate the Chinese social media leader Tencent, and become not just an e-commerce giant, but the very foundation for most everyday e-commerce transactions online, at least in the West.

Libra will begin as a remittance service. Once it has been established that the basic system works well for these kind of “pure” financial transactions, and the user base builds up, companies will start to let customers use Libra to pay for goods and services, along the lines of PayPal. Facebook will doubtless extend the use of digital wallet to the main, public-facing Facebook service. Doing so would mean that companies will be able to sell directly to Facebook users, who can pay for things simply by clicking on a “buy now” button. The money will flow invisibly from the Calibra wallet to the vendor, and goods can be shipped to a default address, or elsewhere.

The question then becomes: what about all the personal data that this generates? Facebook explicitly states: “Calibra customers’ account information and financial data will not be used to improve ad targeting on the Facebook family of products”. However, a Calibra white paper on “customer commitment” reveals:

Calibra will use Facebook, Inc. data to comply with the law, secure customers’ accounts, mitigate risk, and prevent criminal activity. Beyond these cases, if a Calibra product feature can be personalized or improved with data from Facebook, we will first obtain customers’ consent to share the relevant data with Calibra.

For example, people may choose to import their Facebook friend list into Calibra to make sending money easier. This import will not be automatic – we will obtain in-product customer consent.

This is where things start to get murky. As we already know from past experience, not least with the GDPR, when an annoying pop-up appears asking a user for “consent”, most people just click on “yes” without bothering to see what exactly they are agreeing to. And Facebook may not even need to ask permission to glean important information about buying habits. If purchases via Libra take place on the Facebook site, or on a third-party site with Facebook tracking, then the company already knows exactly which products people are looking at. If they go on to buy something using the Libra currency, the mere fact that a payment has been made on that particular product page tells Facebook everything it needs to know about the transaction. It could then add this information to its main user database without breaking its promise not to draw directly on customer data held by Calibra.

There’s another troubling possibility. As the white paper explains:

Essential to the spirit of Libra, in both its permissioned and permissionless state, the Libra Blockchain will be open to everyone: any consumer, developer, or business can use the Libra network, build products on top of it, and add value through their services.

Calibra’s head of product Kevin Weil told TechCrunch: “There are no plans for the Libra Association to take a role in actively vetting [developers]”. This is the same recipe for disaster that produced the Cambridge Analytica fiasco. With Libra, it will not only be highly-sensitive personal information that is obtained, but possibly Libra holdings too. Ironically, the stronger and better-known the Libra brand becomes, the more likely it is that naive users will assume that any product using it is safe – and the more likely that fraudsters will rush to exploit that.

Although the idea of a very low-cost remittance system is welcome, the more complex applications of the Libra cryptocurrency are unlikely to be so readily accepted. Already, a host of regulatory issues have been raised in the US and in the EU. Many people are naturally alarmed by the prospect of Facebook extending its power even further by becoming one of the world’s main e-commerce platforms – perhaps as dominant in the West as the ubiquitous WeChat is in China. Now would be a good time to worry seriously about the harms that Libra is likely to cause to online privacy, and to try to minimize them before it is too late.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Featured image by Libra Association.