Among Facebook’s Woes, EU’s Strict Privacy Laws May Loom Largest
In a continuing effort to regain the trust of its disillusioned users, Facebook on Wednesday announced new privacy controls where settings can be made from a central menu, rather than by tunneling through as many as 20 screens.
As Facebook unveiled the sweeping revisions, though, it also made a striking admission: The company knew it hadn’t been making it easy for users to figure out how to shield their personal data from prying strangers, Facebook advertisers, and the outside apps that, we all learned this month, could be exploited to download millions of Facebook profiles.
“We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed,” said Facebook chief privacy officer Erin Egan and deputy general counsel Ashlie Beringer in a written statement about the latest round of modifications.
However, Facebook was ordered by the Federal Trade Commission back in 2012 to make sure its messages to users about their privacy control options were unambiguous, and written in readily understandable words. The social media giant agreed to the FTC order to settle the agency’s complaint in 2011 that Facebook’s privacy practices were deceptive, complex, and hard to navigate.
The FTC is now investigating Facebook’s compliance with that 2012 order, in a probe the agency revived after March 17 reports by The New York Times and The Observer of London, that political data firm Cambridge Analytica had gained access through an outside app to 50 million Facebook profiles by or before 2015. Cambridge Analytica used the personal data to develop psychological profiles of individual Facebook members that could be used to micro-target election-related messages to people most likely to be receptive to them, the Observer reported.
The FTC investigation, which could lead to substantial fines, is one of the most significant legal challenges Facebook (NASDAQ: FB) now confronts, as it also deals with Congressional demands for testimony from CEO Mark Zuckerberg, the potential for stricter regulation, lawsuits from users and shareholders, the #deleteFacebook movement, and sinking share prices that have lopped more than $90 billion from its market capitalization, as of Wednesday.
Those concerns aren’t confined to this side of the ocean. Jeopardy also looms from powerful regulatory bodies in Europe, where privacy laws are significantly stronger than they are in the United States. So strong, in fact, that violations of an E.U. person’s individual privacy can be punished with fines of as much as 4 percent of a company’s global annual revenue. Enforcement of the European Union’s General Data Protection Regulation (GDPR) is set to begin May 25, and big tech companies handling international data sets of personal information were always in the gunsights of the E.U. regulators.
Their scrutiny of Facebook is likely to be even more intense after the wave of news reports that connect the global social media giant to Cambridge Analytica, which allegedly transformed the targeted messaging techniques widely used by Facebook advertisers into a means for influencing voter opinion in the U.S. presidential election in 2016. While Facebook maintains that its 50 million profiles were shared with Cambridge Analytica through a policy violation by an outside app, and not a security breach, the data loss still places Facebook in the E.U. hotseat, says Greg Sparrow, a data and security policy expert.
“They’ve really put themselves in the center of the bullseye,” says Sparrow, general manager at Duluth, GA-based CompliancePoint, which helps businesses comply with U.S. privacy laws as well as the GDPR.
To gauge Facebook’s vulnerability under E.U. regulations, Sparrow says, one key question has yet to be answered: Did any of the 50 million profiles obtained by Cambridge Analytica belong to E.U. residents? (The GDPR does not protect U.S. citizens.)
Sparrow says he wouldn’t be surprised if profiles of E.U. individuals had been scooped up by Cambridge Analytica, or by other companies taking advantage of the Facebook privacy controls existing in 2013, which created broad openings for outside apps to harvest the profiles not only of the app’s users, but also all of their friends’. Facebook has acknowledged that a number of other companies may have amassed such data troves and misused them, and says it is trying to track them down. But Facebook hasn’t said whether Europeans’ profiles were collected.
“If E.U. data subjects (are involved), I think they have a huge problem,” Sparrow says.
The United Kingdom Information Commissioner’s Office conducted a seven-hour search of Cambridge Analytica’s offices starting on the evening of March 23, and is now analyzing evidence collected under a search warrant.
In March of 2017, the U.K. office started looking into the data privacy risks raised by the use of data analytics, and in May it launched a formal investigation of the use of these tools for political purposes.
“This will involve deepening our current activity to explore practices deployed during the U.K.’s EU Referendum campaign (the “Brexit” vote) but potentially also in other campaigns,” information commissioner Elizabeth Denham said in a written statement. “Given the transnational nature of data the investigation will involve exploring how companies operating internationally deploy such practices with impact or handling of data in the U.K.”
The U.K. agency is looking into the process by which Facebook data came into the hands of researcher Aleksandr Kogan, who collaborated with Cambridge Analytica to use a personality quiz app to induce Facebook users, perhaps unwittingly, to permit the app to access their own data as well as their friends’ profiles, the Observer reported.
Denham said the U.K. will cooperate with other countries in the probe.
While the U.K. commission is ferreting through Cambridge Analytica’s files, the FTC will be examining Facebook’s privacy practices in the years following the FTC’s 2012 order. Those related investigations, as well as the parallel press scrutiny, may inevitably spill over into the U.S. examination of Russian involvement in the presidential election of 2016, in which Cambridge Analytica reportedly assisted candidate Donald Trump.
Facebook was credited with providing aid to special counsel Robert Mueller’s probe of Russian election interference when the Department of Justice last month announced the indictment of 13 Russians and three companies for allegedly conspiring to thwart federal election laws and other federal statutes by spreading false and divisive messages through social media channels. (Federal law forbids foreign nationals from influencing U.S. elections.) Facebook revealed in September that it had traced 3,000 ads, bought from Facebook for $100,000, to hundreds of fake accounts it concluded were probably operated from Russia. But The New York Times reported last week that those disclosures had been delayed by an internal debate among Facebook leaders on how much they should reveal about Russians’ misuse of the social media network.
Along with the Cambridge Analytica revelations, facts are now surfacing that place Facebook amid a web of links and contacts that may mean nothing, but have become part of a connect-the-dots exercise shared by everyone struggling to understand recent election events.
—While Kogan, a Cambridge University researcher born in Russia, was working with Cambridge Analytica, he was also an associate professor at St. Petersburg State University, and received grants from the Russian government to study social media, the Observer found. Cambridge Analytica also made a presentation on its techniques for micro-targeting social media users to Russian oil company Lukoil.
—Facebook recently told CNN that one of its researchers, Joseph Chancellor, was a director of Kogan’s company Global Science Research, which had cooperated with Cambridge Analytica. Facebook said it was looking into the issue.
—One or more employees of defense contractor Palantir Technologies, co-founded by Facebook board member and Trump supporter Peter Thiel, allegedly helped Cambridge Analytica conceive its strategy for mining Facebook profiles, The New York Times reported Tuesday.
Facebook’s stance is that it had no part in Cambridge Analytica’s use of member profiles to influence voters, and that the data firm and Kogan had flouted its limits on accessing user data.
But Andrew Keane Woods, an assistant professor at the University of Kentucky College of Law, says that Facebook could still be under an existential threat in the E.U. and elsewhere, by holding that it did nothing wrong by openly making it possible for app developers to extract personal information from the profiles of users and their friends while it offered users some options to refuse consent. Writing in a Lawfare blogpost March 20, (before Facebook made recent changes to its privacy settings) Woods said:
“If users and regulators decide that the firm did not do anything out of the ordinary—that this is just the way Facebook works—they may reasonably conclude that the firm itself is unacceptable.”