Hey Mark Zuckerberg: Don't Lock Down Everyone's Data, Open It Up To Services That Give Your Users More Control Over Their Data

from the there-are-other-solutions dept

As we've been discussing all week, a lot of people are reacting to the wrong thing in the whole Facebook / Cambridge Analytica mess. The problem was not that Facebook had an open API -- but that its users were unaware of what was happening with their own data. Unfortunately, many, many people (including the press and politicians) are running with the narrative that Facebook failed to "protect" data. And, just as we warned, the coming "solutions" won't help matters, but will actually make them worse.

Case in point: when Mark Zuckerberg finally made his big press tour on Wednesday evening, he repeatedly told people that, the public has spoken and Facebook will lock down your data now.

I do think early on on the platform we had this very idealistic vision around how data portability would allow all these different new experiences, and I think the feedback that we’ve gotten from our community and from the world is that privacy and having the data locked down is more important to people than maybe making it easier to bring more data and have different kinds of experiences.

This is the wrong solution for two reasons: (1) It makes Facebook that much more central and dominant to online activities, making it that much more difficult for upstarts and competitors to compete and (2) it takes away power from the end users to do more with their own data. For all the people whining about Facebook having too much of your data, this is not the solution you want. This is effectively giving Facebook even more power over your data, not less.

If people were to take the time to actually understand the issue, then they wouldn't be pressuring Facebook to react this way. And there are better solutions: give people more access to their own data. That means, as Cory Doctorow suggested, the better way out is for Facebook to open itself up in a different way: to open itself up to third party app developers not to suck up data for marketing databases, but to give end users more control over their own data and how it is used.

People are so focused on Facebook sucking up their data, that they're responding by demanding Facebook be a better steward of their data... rather than demanding that they get to manage their own data.

Nearly a decade ago, EFF suggested a social media bill of rights that it hoped sites like Facebook would adopt. It included giving users transparency into who wants their data and who gets it, giving users full control over their data, and finally enabling them to export their data in a useable format to bring to other sites on their own terms. If we lived in such a world, then we wouldn't have to worry about the Cambridge Analytica situation, because users would know that some creepy personality test app was requesting their info, and they could deny it (or they could set filters that would automatically block it).

So, if Mark Zuckerberg really wants to respond to this crisis in a way that's helpful, he should be opening up his platform... to a different set of app developers. It shouldn't go to the developers who are siphoning up everyone's data, but to those who can provide tools for end users to have full transparency and control over their data.

Unfortunately, the political and media reality is that if Zuckerberg actually went down this path, he'd probably be slammed for "opening up" user data, rather than locking it down.

Filed Under: apis, competition, control, data, data portability, mark zuckerberg, ownership, transparency
Companies: cambridge analytica, facebook

Facebook Working With Comcast To Scuttle California Broadband Privacy Protections

from the watch-what-we-do,-not-what-we-say dept

Last year you might recall that the GOP and Trump administration rushed to not only kill net neutrality at ISP lobbyist behest, but also some pretty basic but important consumer privacy rules. The protections, which would have taken effect in March of 2017, simply required that ISPs be transparent about what personal data is collected and sold, while mandating that ISPs provide consumers with the ability to opt of said collection. But because informed and empowered consumers damper ad revenues, ISPs moved quickly to have the rules scuttled with the help of cash-compromised lawmakers.

When California lawmakers stepped in to then try and pass their own copy of those rules, ISPs worked in concert with Google and Facebook to scuttle those rules as well. As the EFF documented at the time, Google, Facebook, AT&T, Verizon and Comcast all collectively and repeatedly lied to state lawmakers, claiming the planned rules would harm children, increase internet popups, and somehow "embolden extremism" on the internet. The misleading lobbying effort was successful, and the proposal was quietly scuttled without too much fanfare in the tech press.

Obviously this behavior has some broader implications in the wake of the Cambridge Analytica scandal. Especially given Facebook's insistence this week that it's open to being regulated on privacy, and is "outraged" by "deception" as it tries (poorly) to mount a sensible PR response to the entire kerfuffle:

But last year's joint ISP and Silicon Valley assault on consumer privacy protections wasn't a one off.

California privacy advocates are again pushing a new privacy proposal, this time dubbed the California Consumer Privacy Act of 2018. Much like last year's effort the bill would require that companies be fully transparent about what data is being collected and sold (and to who), as well as mandating mandatory opt-out tools. And this proposal goes further than the FCC's discarded rules, in that it would ban ISPs from trying to charge consumers more for privacy, something that has already been implemented by AT&T (temporarily suspended as it chases merger approval) and considered by Comcast.

But privacy groups note that Facebook and Google are again working with major ISPs to kill the proposal, collectively funneling $1 million into a PAC custom built for that purpose:

Privacy advocates at Californians for Consumer Privacy also wrote a letter to Facebook this week expressing their lack of amusement at the effort in the wake of the Cambridge scandal:

"Something’s not adding up here,” Mactaggart writes. “It is time to be honest with Facebook users and shareholders about what information was collected, sold or breached in the Cambridge Analytica debacle; and to come clean about the true basis for your opposition to the California Consumer Privacy Act of 2018."

As we recently noted, however bad Facebook's mistakes have been on the privacy front, they're just a faint shadow of the anti-consumer behavior we've seen from the telecom sector on this front, suggesting that a disregard for privacy is a cross-industry norm, not an exemption. That said, while Google and Facebook love to portray themselves as the same kind of consumer allies they were a decade ago, their refusal to seriously protect net neutrality -- and their eagerness to work with loathed companies like Comcast to undermine consumer privacy -- consistently paints a decidedly different picture.

Filed Under: broadband, california, lobbying, privacy, transparency
Companies: at&t, cambridge analytica, comcast, facebook, google

Mark Zuckerberg Finally Speaks About Cambridge Analytica; It Won't Be Enough

from the more-to-be-done dept

It took way too long, but Mark Zuckerberg finally responded to the Cambridge Analytica mess on Wednesday afternoon. As we've discussed in a series of posts all week, this is a complex issue, where a lot of people are getting the details wrong, and thus most of the suggestions in response are likely to make the problem worse.

To be clear, Mark's statement on the issue is not bad. It's obviously been workshopped through a zillion high-priced PR people, and it avoids all the usual "I"m sorry if we upset you..." kind of tropes. Instead, it's direct, it takes responsibility, it admits error, does very little to try to "justify" what happened, and lists out concrete steps that the company is taking in response to the mess.

We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it.

It runs through the timeline, and appears to get it accurately based on everything we've seen (so no funny business with the dates). And, importantly, Zuckerberg notes that even if it was Cambridge Analytica that broke Facebook's terms of service on the API, that's not the larger issue -- the loss of trust on the platform is the issue.

This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.

The proactive steps that Facebook is taking are all reasonable steps as well: investigating all old apps prior to the closing of the old API to see who else sucked up what data, further restricting access to data, and finally giving more transparency and control to end users:

First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity. We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well.

Second, we will restrict developers' data access even further to prevent other kinds of abuse. For example, we will remove developers' access to your data if you haven't used their app in 3 months. We will reduce the data you give an app when you sign in -- to only your name, profile photo, and email address. We'll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data. And we'll have more changes to share in the next few days.

Third, we want to make sure you understand which apps you've allowed to access your data. In the next month, we will show everyone a tool at the top of your News Feed with the apps you've used and an easy way to revoke those apps' permissions to your data. We already have a tool to do this in your privacy settings, and now we will put this tool at the top of your News Feed to make sure everyone sees it.

That's mostly good, though as I explained earlier, I do have some concerns about how the second issue -- locking down the data -- might also limit the ability of end users to export their data to other services.

Also, this does not tackle the better overall solution that we mentioned yesterday, originally pitched by Cory Doctorow to open up the platform not to third party apps that suck up data, but to third party apps that help users protect and control their own data. That part is missing and it's a big part.

If you already hated Zuckerberg and Facebook, this response isn't going to be enough for you (no response would be, short of shutting the whole thing down, as ridiculous as that idea is). If you already trusted him, then you'll probably find this to be okay. But a lot of people are going to fall in the middle and what Facebook actually does in the next few months is going to be watched closely and will be important. Unless and until the company also allows more end-user control of privacy, including by third party apps, it feels like this will fall short.

And, of course, it seems highly unlikely that these moves will satisfy the dozens of regulators around the world seeking their pound of flesh, nor the folks who are already filing lawsuits over this. Facebook has a lot of fixing to do. And Zuckerberg's statement is better than a bad statement, but that's probably not good enough.

Meanwhile, as soon as this response was posted, Zuckerberg went on a grand press tour, hitting (at least): CNN, Wired, the NY Times and Recode. It's entirely possible he did more interviews too, but that's enough for now.

There are some interesting tidbits in the various interviews, but most of what I said above stands. It's not going to be enough. And I'm not sure people will be happy with the results. In all of the interviews he does this sort of weird "Aw, shucks, I guess what people really want is to have us lock down their data, rather than being open" thing that is bothersome. Here's the Wired version:

I do think early on on the platform we had this very idealistic vision around how data portability would allow all these different new experiences, and I think the feedback that we’ve gotten from our community and from the world is that privacy and having the data locked down is more important to people than maybe making it easier to bring more data and have different kinds of experiences.

But, of course, as we pointed out yesterday (and above), all this really does is lock in Facebook, and make it that much harder for individuals to really control their own data. It also limits the ability of upstarts and competitors to challenge Facebook. In other words, the more Facebook locks down its data, the more Facebook locks itself in as the incumbent. Are we really sure that's a good idea? Indeed, when Wired pushes him on this, he basically shrugs and says "Well, the people have spoken, and they want us to control everything."

I think the feedback that we’ve gotten from people—not only in this episode but for years—is that people value having less access to their data above having the ability to more easily bring social experiences with their friends’ data to other places. And I don’t know, I mean, part of that might be philosophical, it may just be in practice what developers are able to build over the platform, and the practical value exchange, that’s certainly been a big one. And I agree. I think at the heart of a lot of these issues we face are tradeoffs between real values that people care about.

In the Recode interview, he repeats some of these lines, and even suggests (incorrectly) that there's a trade-off between data portability and privacy:

“I was maybe too idealistic on the side of data portability, that it would create more good experiences — and it created some — but I think what the clear feedback from our community was that people value privacy a lot more.”

But... that's only true in the situation where Facebook controls everything. If they actually gave users more control and transparency, then the user can decide how her data is shared, and you can have both portability and privacy.

One other interesting point he raises in that interview: we should not be letting Mark Zuckerberg make all the decisions about what is and what is not okay:

“What I would really like to do is find a way to get our policies set in a way that reflects the values of the community, so I am not the one making those decisions,” Zuckerberg said. “I feel fundamentally uncomfortable sitting here in California in an office making content policy decisions for people around the world.”

“[The] thing is like, ‘Where’s the line on hate speech?’ I mean, who chose me to be the person that did that?,” Zuckerberg said. “I guess I have to, because of [where we are] now, but I’d rather not.”

But, again, that's a choice that Facebook is making in becoming the data silo. If the end users had more control and more tools to control, then it's no longer Mark's choice. Open up the platform not for "apps" that suck up users data, but for tools that allow users to control their own data, and you get a very different result. But that's not where we're moving. At all.

So... so far this is moving in exactly the direction I feared when I wrote about this yesterday. "Solving" the problem isn't going to be solving the problem for real -- and it's just going to end up giving Facebook greater power over our data. That's an unfortunate result.

Oh. And for all of the apologizing and regrets that Zuckerberg raises in these interviews, he has yet to explain why if this is such a big deal, Facebook threatened to sue one of the journalists who broke this story. It seems like that's an important one for him to weigh in on.

Filed Under: damage control, data portability, dominance, mark zuckerberg, privacy, silos
Companies: cambridge analytica, facebook

How 'Regulating Facebook' Could Make Everyone's Concerns Worse, Not Better

from the it's-a-mess dept

In my last post, I described why it was wrong to focus on claims of Facebook "selling" your data as the "problem" that came out over the weekend concerning Cambridge Analytica and the data it had on 50 million Facebook users. As we described in detail in that post, that's not the problem at all. Instead, much of the problem has to do with Facebook's utter failure to be transparent in a way that matters -- specifically in a way that its users actually understand what's happening (or what may happen) to their data. Facebook would likely respond that it has tried to make that information clear (or, alternatively, it may say that it can't force users to understand what they don't take the time to understand). But I don't think that's a good answer. As we've learned, there's a lot more at stake here than I think even Facebook recognized, and providing much more real transparency (rather than superficial transparency) is what's necessary.

But that's not what most people are suggesting. For example, a bunch of people are calling for "Know Your Customer" type regulations similar to what's found in the financial space. Others seem to just be blindly demanding "oversight" without being able to clearly articulate what that even means. And some are bizarrely advocating "nationalizing Facebook", which would literally mean giving billions in taxpayer dollars to Mark Zuckerberg. But these "solutions" won't solve the actual issues. In that article about "KYC" rules, there's the following, for example:

“They should know who’s paying them,” said Vasant Dhar, a professor of information systems at New York University, “because the consequences are very serious.” In December, Dhar wrote an op-ed calling for social media regulation — specifically, something similar to the “know your customer” laws that apply to banks. “The US government and our regulators need to understand how digital platforms can be weaponized and misused against its citizens, and equally importantly, against democracy itself,” he wrote at the time.

Antonio García-Martinez, Facebook’s first targeted ads manager, thinks so too. “For certain classes of advertising, like politics, a random schmo with a credit card shouldn’t just be able to randomly run ads over the entire Facebook system,” he told me.

Except... that has literally nothing to do with what the Cambridge Analytica controversy is all about. And, anyway, as we've discussed before, the Russians bent over backwards to pretend to be Americans when buying ads, so it's not like KYC rules would really have helped for the ads. And the whole Cambridge Analytica may have involved some ads (and lots of other stuff), but Facebook knew who "the customer" was in that instance. And it knew how an "academic" was slurping up some data for "academic research." Knowing your customer wouldn't have made the slightest difference at all here.

Even Tim Berners-Lee, who recently stirred the pot by suggesting regulations for social media doesn't seem to have much concrete information that would have mattered here.

What’s more, the fact that power is concentrated among so few companies has made it possible to weaponise the web at scale. In recent years, we’ve seen conspiracy theories trend on social media platforms, fake Twitter and Facebook accounts stoke social tensions, external actors interfere in elections, and criminals steal troves of personal data.

We’ve looked to the platforms themselves for answers. Companies are aware of the problems and are making efforts to fix them — with each change they make affecting millions of people. The responsibility — and sometimes burden — of making these decisions falls on companies that have been built to maximise profit more than to maximise social good. A legal or regulatory framework that accounts for social objectives may help ease those tensions.

I don't think Tim is wrong per se in arguing that there are issues in how much power is concentrated between a small group of large companies -- but I'm not sure that "a legal or regulatory framework" actually fixes any of that. Indeed, it seems highly likely to do the reverse.

As Ben Thompson notes in his own post about this mess, most of the regulatory suggestions being proffered will lock in Facebook as an entrenched incumbent. That's because it will (a) create barriers that Facebook can deal with, but startups cannot and (b) focus on "cementing" Facebook's model (with safeguards) rather than letting the next wave of creative destruction take down Facebook.

It seems far more likely that Facebook will be directly regulated than Google; arguably this is already the case in Europe with the GDPR. What is worth noting, though, is that regulations like the GDPR entrench incumbents: protecting users from Facebook will, in all likelihood, lock in Facebook’s competitive position.

This episode is a perfect example: an unintended casualty of this weekend’s firestorm is the idea of data portability: I have argued that social networks like Facebook should make it trivial to export your network; it seems far more likely that most social networks will respond to this Cambridge Analytica scandal by locking down data even further. That may be good for privacy, but it’s not so good for competition. Everything is a trade-off.

Note that last bit? A good way to take away Facebook's dominance is to enable others to compete in the space. The best way to do that? Make it easy for people to switch from Facebook to upstart competitors. The best way to do that? Make it easier for Facebook users to export their data... and use it on another service. But as soon as you do that, you're actually right back into the risky zone. Why is Facebook in so much hot water right now? Because it made it too easy to export user data to third party platforms! And, any kind of GDPR-type solution is just going to lock down that data, rather than enabling them to help seed competition.

Cory Doctorow, over at EFF, has what I think is the most reasonable idea of all: enable third parties to build tools that help Facebook's (and every other platform's!) users better manager and understand their privacy settings and what's being done with their data. That's an actual solution to the problem we laid out in the previous post: Facebook's failed transparency. Doctorow compares the situation to ad-blockers. Ads became too intrusive, and users were able to make use of 3rd party services to stop the bad stuff. We should be able to do something similar with privacy and data controls. But, thanks to some pretty dumb laws and court rulings (including a key one that Facebook itself caused), that's really not possible:

This week, we made you a tutorial explaining the torturous process by which you can change your Facebook preferences to keep the company’s “partners” from seeing all your friends’ data. But what many folks would really like to do is give you a tool that does it for you: go through the tedious work of figuring out Facebook’s inscrutable privacy dashboard, and roll that expertise up in a self-executing recipe — a piece of computer code that autopiloted your browser to login to Facebook on your behalf and ticked all the right boxes for you, with no need for you to do the fiddly work.

But they can’t. Not without risking serious legal consequences, at least. A series of court decisions — often stemming from the online gaming world, sometimes about Facebook itself — has made fielding code that fights for the user into a legal risk that all too few programmers are willing to take.

That's a serious problem. Programmers can swiftly make tools that allow us to express our moral preferences, allowing us to push back against bad behavior long before any government official can be convinced to take an interest — and if your government never takes an interest, or if you are worried about the government's use of technology to interfere in your life, you can still push back, with the right code.

So if we really, truly, want to deal with the problem, then we need to push for more control by the end users. Let users control and export their data, and let people build tools that allow them to do so, and to control and transparently understand what others do with their data.

If someone comes up with a "regulatory regime" that does that, it would be fantastic. But so far, nearly every suggestion I've seen has gone in the other direction. They will do things like force Facebook to "lock down" its data even more, making it harder for users to extract it, or for third parties to provide users the tools they need to control their own data. They'll put useless, but onerous, Know Your Customer rules that Facebook will be able to throw money at to solve, but every smaller platform will find incredibly costly.

I'm not optimistic about how all of this works out. Even if you absolutely hate Facebook and think the company is evil, doesn't care one wit about your privacy, and is run by the most evil person on the planet, you should be especially worried with the regulatory suggestions that are coming. They're not going to help. They're going to entrench Facebook and lock down your data.

Filed Under: data, elections, know your customer, openness, platforms, regulations, social media, transparency
Companies: cambridge analytica, facebook

Facebook Has Many Sins To Atone For, But 'Selling Data' To Cambridge Analytica Is Not One Of Them

from the let's-at-least-be-accurate dept

Obviously, over the past few days there's been plenty of talk about the big mess concerning Cambridge Analytica using data on 50 million Facebook users. And, with that talk has come all sorts of hot takes and ideas and demands -- not all of which make sense. Indeed, it appears that there's such a rush to condemn bad behavior that many are not taking the time to figure out exactly what bad behavior is worth condemning. And that's a problem. Because if you don't understand the actual bad behavior, then your "solutions" will be misplaced. Indeed, they could make problems worse. And... because I know that some are going to read this post as a defense of Facebook, let me be clear (as the title of this post notes): Facebook has many problems, and has done a lot of bad things (some of which we'll discuss below). But if you mischaracterize those "bad" things, then your "solutions" will not actually solve them.

One theme that I've seen over and over again in discussions about what happened with Facebook and Cambridge Analytica is the idea that Facebook "sold" the data it had on users to Cambridge Analytica (alternatively that Cambridge Analytica "stole" that data). Neither is accurate, and I'm somewhat surprised to see people who are normally careful about these things -- such as Edward Snowden -- harping on the "selling data" concept. What Facebook actually does is sell access to individuals based on their data and, as part of that, open up the possibility for users to give some data to companies, but often unwittingly. There's a lot of nuance in that sentence, and many will argue that for all reasonable purposes "selling data" and my much longer version are the same thing. But they are not.

So before we dig into why they're so different, let's point out one thing that Facebook deserves to be yelled at over: it does not make this clear to users in any reasonable way. Now, perhaps that's because it's not easy to make this point, but, really, Facebook could at least do a better job of explaining how all of this works. Now, let's dig in a bit on why this is not selling data. And for that, we need to talk about three separate entities on Facebook. First are advertisers. Second are app developers. Third are users.

The users (all of us) supply a bunch of data to Facebook. Facebook, over the years, has done a piss poor job of explaining to users what data it actually keeps and what it does with that data. Despite some pretty horrendous practices on this front early on, the company has tried to improve greatly over the years. And, in some sense, it has succeeded -- in that users have a lot more granular control and ability to dig into what Facebook is doing with their data. But, it does take a fair bit of digging and it's not that easy to understand -- or to understand the consequences of blocking some aspects of it.

The advertisers don't (as is all too commonly believed) "buy" data from Facebook. Instead, the buy the ability to put ads into the feeds of users who match certain profiles. Again, some will argue this is the same thing. It is not. From merely buying ads, the advertiser gets no data in return about the users. It just knows what sort of profile info it asked for the ads to appear against, and it knows some very, very basic info about how many people saw or interacted with the ads. Now, if the ad includes some sort of call to action, the advertiser might then gain some information directly from the user, but that's still at the user's choice.

The app developer ecosystem is a bit more complicated. Back in April of 2010, Facebook introduced the Open Graph API, which allowed app developers to hook into the data that users were giving to Facebook. Here's where "things look different in retrospect" comes into play. The original Graph API allowed developers to access a ton of information. In retrospect, many will argue that this created a privacy nightmare (which, it kinda did!), but at the same time, it also allowed lots of others to build interesting apps and services, leveraging that data that users themselves were sharing (though, not always realizing they were sharing it). It was actually a move towards openness in a manner that many considered benefited the open web by allowing other services to build on top of the Facebook social graph.

There is one aspect of the original API that does still seem problematic -- and really should have been obviously problematic right from the beginning. And this is another thing that it's entirely appropriate to slam Facebook for not comprehending at the time. As part of the API, developers could not only get access to all this information about you... but also about your friends. Like... everything. From the original Facebook page, you can see all the "friend permissions" that were available. These are better summarized in the following chart from a recent paper analyzing the "collateral damage of Facebook apps."

If you can't read that... it's basically a ton of info from friends, including their likes, birthdays, activities, religion, status updates, interests, etc. You can kind of understand how Facebook ended up thinking this was a good idea. If an app developer was designing an app to provide you a better Facebook experience, it might be nice for that app to have access to all that information so it could display it to you as if you were using Facebook. But (1) that's not how this ever worked (and, indeed, Facebook went legal against services that tried to provide a better Facebook experience) and (2) none of this was made clear to end-users -- especially the idea that in sharing your data with your friends, they might cough up literally all of it to some shady dude pushing a silly "personality test" game.

But, of course, as I noted in my original post, in some cases, this set up was celebrated. When the Obama campaign used the app API this way to reach more and more people and collect all the same basic data, it was celebrated as being a clever "voter outreach" strategy. Of course, the transparency levels were different there. Users of the Obama app knew what they were supporting -- though didn't perhaps realize they were revealing a lot of friend data at the same time. Users of Cambridge Analytica's app... just thought they were taking a personality quiz.

And that brings us to the final point here: Cambridge Analytica, like many others, used this setup to suck up a ton of data, much of it from friends of people who agreed to install a personality test app (and, a bunch of those users were actually paid via Mechanical Turk to basically cough up all their friends' data). There are reasonable questions about why Facebook set up its API this way (though, as noted above, there were defensible, if short-sighted, reasons). There are reasonable questions about why Facebook wasn't more careful about watching what apps were doing with the data they had access to. And, most importantly, there are reasonable questions about how transparent Facebook was to its end users through all of this (hint: it was not at all transparent).

So there are plenty of things that Facebook clearly did wrong, but it wasn't about selling data to Cambridge Analytica and it wasn't Cambridge Analytica "stealing" data. The real problem was in how all of this was hidden. It comes back to transparency. Facebook could argue that this information was all "public" -- which, uh, okay, it was, but it was not public in a way that the average Facebook user (or even most "expert" Facebook users) truly understood. So if we're going to bash Facebook here, it should be for the fact that none of this was clear to users.

Indeed, even though Facebook shut down this API in April of 2015 (after deprecating it in April of 2014), most users still had no idea just how much information Facebook apps had about them and their friends. Today, the new API still coughs up a lot more info than people realize about themselves (and, again, that's bad and Facebook should improve that), but no longer your friends' data as well.

So slam Facebook all your want for failing to make this clear. Slam Facebook for not warning users about the data they were sharing -- or that their friends could share. Slam Facebook for not recognizing how apps were sucking up this data and the privacy implications related to that. But don't slam Facebook for "selling your data" to advertisers, because that's not what happened.

I was going to use this post to also discuss why this misconception is leading to bad policy prescriptions, but this one is long enough already, so stay tuned for that one next. Update: And here's that post.

Filed Under: apps, breach, data, selling data, social media, transparency, users
Companies: cambridge analytica, facebook

Both Facebook And Cambridge Analytica Threatened To Sue Journalists Over Stories On CA's Use Of Facebook Data

from the this-is-bad dept

I'm going to assume that you weren't living in an internet-proof cave this weekend, and caught at least some of the stories about Cambridge Analytica and Facebook. The news first kicked off with the announcement of a data protection lawsuit filed against Cambridge Analytica in the UK on Friday evening (we'll likely have more on that lawsuit soon), followed quickly by an attempt by Facebook to get out ahead of the coming tidal wave by announcing that it was suspending Cambridge Analytica and some associated parties from its platforms, claiming terms of service violations. This was quickly followed on Saturday with two explosive stories. The first, from Carole Cadwalladr at The Guardian, revealing a "whistleblower" from the very early days of Cambridge Analytica (who more or less set up how it works with data profiles) named Christopher Wylie. This was quickly followed up by another story at the NY Times, which was a bit more newsy, providing more details on how Cambridge Analytica got data on about 50 million people out of Facebook.

Admittedly -- much of this isn't actually new. The Intercept had reported something similar a year ago, though it only said it was 30 million Facebook users, rather than 50 million. And that story built on the work of a 2015 (yes, 2015) story in the Guardian discussing how Cambridge Analytica was using data from "tens of millions" of Facebook users "harvested without permission" in support of Ted Cruz's presidential campaign.

There's a lot of heat on this story right now, and a lot of accusations being thrown around, and I'll admit that I'm not entirely sure where I come down on the details yet. I assume people on basically both sides of this issue will scream at me and call me names over this, but there's too much going on to fully understand what happened here. I will note that, in that Guardian story in 2015, Cruz told the publication that this data collecting and targeting effort was "very much the Obama model." And political consultant Patrick Ruffini has a well worth reading Twitter thread arguing that people are overreacting to much of this, and that the 2012 Obama campaign did the exact same thing, and was celebrated for its creative use of data and targeting on the internet. Ad tech guy Jay Pinho makes the same point as well. Here's a Time article from 2012 excitedly talking up how the Obama campaign used Facebook in the same way:

That’s because the more than 1 million Obama backers who signed up for the app gave the campaign permission to look at their Facebook friend lists. In an instant, the campaign had a way to see the hidden young voters. Roughly 85% of those without a listed phone number could be found in the uploaded friend lists.

Of course, there is one major difference between the Obama one and the Cambridge Analytica one, which involves the level of transparency. With the Obama campaign, people knew they were giving their data (and friend's data) to the cause of re-electing Obama. Cambridge Analytica got its data by having a Cambridge academic (who the new Guardian story revealed for the first time is also appointed to a position at St. Petersburg University) set up an app that was used to collect much of this data, and misled Facebook by telling them it was purely for academic purposes, when the reality is that it was setup and directly paid for by Cambridge Analytica with the intent of sucking up that data for Cambridge Analytica's database. Is that enough to damn the whole thing? Perhaps.

As for the claims that this is just the same old Facebook model of selling everyone's data... that was not true and still is not accurate. Facebook doesn't sell your data. It sells access to its users via the data it has on you. That may not seem different, but it is different. But the lines do seem to get a bit blurry, as it appears that Cambridge Analytica, via its partnership with the professor Dr. Aleksander Kogan (who apparently briefly changed his name to -- I kid you not -- Dr. Spectre) and his "Global Science Research," basically paid people via Amazon's Mechanical Turk to do a "personality assessment" on Facebook that, as part of the process, exposed information about their entire social graph, which GSR apparently hoovered up and passed along to Cambridge Analytica.

At the very least, it can be said that Facebook should have recognized much earlier that this could and would be done, and to understand the potential privacy problems related to it. Facebook has a fairly long and painful history of not quite realizing how what it does impacts people's privacy, and this is one more example.

But, it's raising a bigger question, as well, and it's one that caused Facebook to do something that I'll definitively call as "incredibly stupid," which is that it threatened to sue the Guardian over its story, mainly because the Guardian story refers to this whole mess as a "data breach" for Facebook's data.

And, of course, Facebook wasn't the only one who threatened to sue. Cambridge Analytica did too:

The Observer also received the first of three letters from Cambridge Analytica threatening to sue Guardian News and Media for defamation.

There are issues of terminology here. Facebook, in its post, is adamant that what happened is not a "breach"

The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

There are legal reasons why Facebook is so concerned about whether or not this is a "breach" and, let's face it, the company is about to face a million and a half lawsuits over this, not to mention government investigations (already Senator Amy Klobuchar has demanded Mark Zuckerberg's head on a platter testimony before the Senate and Massachusetts' Attorney General Maura Healey has announced the opening of an investigation, and there have also been rumblings out of the UK and the EU, as well as the FTC). But, there are also some fairly important legal obligations if this was a "breach" in the traditional sense, such as disclosing that to those impacted by the breach.

I'm not entirely sure where I come down on the breach question. It doesn't feel like a traditional breach. It wasn't that Facebook coughed up this info, it was its users coughed up the info... and Facebook just made it easy for this outside "academic" to hoover up all that info by paying a bunch of people to take dopey personality quizzes. However, as the Guardian's Alex Hern points out, how do you distinguish what Kogan/GSR/Cambridge Analytica did from social engineering to get information.

Of course, there is something of a difference: it still wasn't Facebook per se coughing up the info. It was Facebook's own users. And, you might even argue that if you believe that Facebook doesn't "own" all this data in the first place, that it was actually those Facebook users coughing up a bunch of their own data -- including lots of data about their friends. Needless to say, this is a mess where a lot more transparency might help, and that transparency is going to be forced upon Facebook with a sledgehammer in the near near future.

But, regardless of where you come down on all of this, Facebook threatening defamation against the Guardian for calling this a data breach is ludicrous and Facebook should be ashamed and apologize. Even as it clearly disagrees with how the Guardian characterized much of the story, that's no excuse to whip out defamation threats. Not only is it incredibly stupid from a Facebook PR perspective (and makes the company look like a giant bully), it suggests that the company still has absolutely no fucking clue how to communicate with the press and the public about how its own platform works.

It's actually quite incredible to recognize just how big Facebook has gotten in the face of how little it seems to understand about what its own platform does.

Filed Under: aleksander kogan, christopher wylie, data, data breach, data sharing, elections, transparency
Companies: cambridge analytica, facebook, global science research