“The future is private” says Zuckerberg; not with him, judging by new investigations of Facebook for data protection failures

Posted on May 10, 2019 by Glyn Moody

Another week, another declaration from Mark Zuckerberg that he’s really serious about putting privacy at the heart of Facebook. During his keynote speech at the Facebook Developer Conference F8, he said: “I know that we don’t exactly have the strongest reputation on privacy right now, to put it lightly. But I’m committed to doing this well, and starting a new chapter for our products.” What followed was not announcements of concrete privacy initiatives, but a rather unambitious re-statement of the nebulous plans Zuckerberg outlined in his essay on ths topic, discussed on this blog back in March.

Even Facebook’s press release on his speech, usually an opportunity for the company to hype up amazing products and plans, is dull and unexciting. Although not framed in those terms, it essentially confirms that Zuckerberg wants to turn Facebook into the Western version of China’s messaging, social media and mobile payment app WeChat, with a new emphasis on groups (like WeChat): “Today we’re making changes that put Groups at the center of Facebook and sharing new ways Facebook can help bring people together offline.” As expected, there is also an important turn towards e-commerce. Here, at least, were some new details about what that would mean for users of all of Facebook’s services:

“In the months ahead people will be able to see a business catalog right within WhatsApp when chatting with a business.

People will soon be able to ship Marketplace items anywhere in the continental US and pay for their purchases directly on Facebook.

Starting next week, you can shop inspiring looks from the creators you love without leaving Instagram. Instead of taking a screenshot or asking for product details in comments or Direct, you can simply tap to see exactly what your favorite creators are wearing and buy it on the spot.

That’s pretty feeble stuff compared to WeChat’s immense business ecosystem, which underpins most of people’s lives in China. But it’s a start, and suggests that this is one area where Facebook really is starting a new chapter. Once the basic e-commerce infrastructure is in place – for example making purchase options an integral part of any Facebook page – it will just be a matter of engineering for Facebook to scale that up. It make take some time to roll out an entire business platform as WeChat has done, but there’s no reason to doubt that companies will flock to use it just as they have done in China.

However, for all the attempts to create a feel-good experience at the Facebook Developer Conference, there was no sense that Zuckerberg is really grappling with the deeper privacy issues that lie at the heart of Facebook’s problems. Just how bad those are is shown by the fact that recently multiple jurisdictions have opened yet more investigations into Facebook’s alleged privacy failures. That’s in addition to the FTC investigation, which Facebook has already warned may cost it $5 billion in fines.

The New York attorney general’s office is investigating how Facebook gained access to the email address books of more than 1.5 million users without their permission. The privacy damage here is much greater than that already-large number suggests. Since people typically have hundreds of email contacts in their address books, Facebook is likely to have secretly harvested hundreds of millions of email addresses in this way. The company’s claim that it was “unintentional” is hardly credible: nobody “accidentally” scoops up hundreds of millions of items of personal data.

Canada’s privacy authority is taking Facebook to court after it found that the company’s lax privacy practices allowed personal information to be used for political purposes. In a striking demonstration of the company’s arrogance, Facebook has not only rejected the Canadian Privacy Commissioner’s findings as “mere opinions”, it has also refused to implement recommendations to address deficiencies. This is hardly the behavior of a company that is starting a “new chapter” on privacy.

On the other side of the Atlantic, the Irish Data Protection Commission has opened a statutory inquiry into Facebook after the company notified it about a “security lapse” that left hundreds of millions of user passwords accessible by 20,000 Facebook employees. According to Reuters, Ireland’s privacy watchdog has seven statutory inquiries into Facebook and three more into Instagram and WhatsApp. The latest Irish investigation is significant, because it is to “determine whether Facebook has complied with its obligations under relevant provisions of the GDPR”. If Facebook is found in breach of the GDPR, it faces fines up to 4% of its global turnover, although it is unlikely to be hit with such a large penalty at this stage.

Leaving aside security blunders, there are two central problems that Facebook is failing to address. The first is the huge quantity of information that it routinely gathers and holds about all its users – and billions of people who don’t use it, through the creation of shadow profiles. The shift to encrypted chats will reduce the amount of data Facebook holds, but by no means eliminate it. Moreover, the long-promised “clear history” tool has been delayed yet again. Designed to allow users to wipe all the personal data that Facebook holds on them, it was originally due to be delivered last year. Then it was coming early this year, and now has slipped to the end of 2019. That’s in contrast to Google, which continues to roll out tools giving greater control over what data the company stores about its users.

Facebook’s continuing failure to do the same raises questions. Is it that Facebook engineers are unable to delete all the data because it is spread around the company’s databases so widely? Or is it the business side clinging on to all this information because of the power it gives them? If the latter, then the other major problem will be harder to solve. As this blog has noted, Facebook’s main business model is selling access to its billions of users. In particular, it draws on its database to allow micro-targeting of unprecedented specificity. It is that ability to send highly-customised messages to users that has made Facebook popular with advertisers, but also so dangerous when the system is abused, as seems to have happened.

Until Facebook addresses these core problems, it will be hard to take Zuckerberg’s endlessly repeated promises to “do better” seriously. The motto of the Facebook Developer Conference may have been “The future is private”, but it certainly won’t be while Facebook insists on creating immense databases that track its users’ most intimate thoughts and details, and then sells access to them to anyone willing to pay for the privilege.

Featured image by Facebook.