The past year has been a nightmare for Facebook, breaking a decade-long streak of seemingly boundless growth that placed the internet giant at the center of the social, political and commercial activities of billions of people around the globe. Facebook began its precipitous downhill turn in March when a whistleblower uncovered Facebook’s role in helping political consultancy Cambridge Analytica harvest and use the personal data of tens of millions of users without their permission.
The company was rocked by a scandal or controversy every month thereafter, not all of which were privacy related. Emerging from these scandals was a portrait of a company with a voracious appetite for monetizing users’ detailed data and sloppy management in protecting the privacy and security of that data. How the company and its regulators react to these events could have a lasting impact on how all companies manage and protect consumer data.
Facebook’s data protection fails
In June, Facebook confirmed it had data-sharing arrangements with over 60 device makers, including Chinese manufacturers Huawei, Lenovo and Oppo, giving those companies special API access at a time when intelligence agencies around the world were ringing alarm bells about the security threats Chinese tech companies pose.
In September, Facebook announced a security weakness related to user access tokens that could have exposed tens of millions of users’ personal information, including email addresses, phone numbers, genders, locations, birth dates and recent search histories. In early December, Facebook disclosed a bug that may have exposed the photos of up to 6.8 million users to developers for a 12-day period in September.
The year ended with another bombshell that may shake users’ faith in Facebook to protect their data. According to hundreds of pages of documents obtained by the New York Times, Facebook gave more than 150 tech companies, including Amazon, Microsoft and Netflix, more intrusive access to users’ personal data than it ever disclosed. The data-sharing arrangements were so egregious that it’s possible Facebook violated a 2012 consent agreement with the Federal Trade Commission that barred the social network from sharing user data without explicit permission.
Facebook has vowed time and again to take customers’ privacy seriously but in early December British lawmakers released internal Facebook emails and documents that depict the company as aggressively aware of the axiom that “data is the new oil,” enriching itself and handpicked partners while punishing competitors by acting as a gatekeeper of invaluable detailed data on billions of users.
Potential privacy and data protection fallout from Facebook
Few fast solutions to the Facebook problem are on the horizon, but as 2019 gets underway, stay alert for stepped-up activity in any or all of the following areas. All could have a direct or indirect effect on security and privacy teams at companies that process consumer data.
Privacy legislation
In the wake of the EU’s adoption of the General Data Privacy Regulation (GDPR), which took effect in May 2018, and California’s adoption a month later of a surprisingly strict data privacy law, the momentum in the U.S. Congress to enact data privacy and security legislation is gaining steam. In mid-December, a group of 15 Democratic senators, led by Brian Schatz (D-HI), introduced the Data Care Act, a bill requiring companies that collect personal data from users to take reasonable steps to safeguard the information and preventing them from using personal data in ways that harm consumers.
Schatz’s bill, which has the backing of internet and tech companies, is only one of a handful of Congressional measures aimed at tackling data privacy. Most notable among the bills floated last Congress is the Consumer Data Protection Act, introduced by Senator Ron Wyden (D-OR), which carries stiff financial penalties for companies that violate privacy and even includes jail time for CEOs who lie to the Federal Trade Commission (FTC) in annual reports that the bill would make mandatory.
FTC privacy enforcement actions
The FTC, which is already investigating Facebook for the Cambridge Analytica scandal, can bring enforcement actions against Facebook if it deems the most recent revelations to indeed be in violation of the company’s 2012 consent decree. The agency also has consent agreements with Google and Twitter stemming from alleged privacy violations, so it has broad ability to clamp down on a wide swath of Silicon Valley titans if they too are revealed to have been careless in protecting users’ data.
As was the case with Facebook’s consent decree, however, it’s not always easy to get results from FTC actions. Under Facebook’s decree, the social media network introduced a “comprehensive privacy program” overseen by two chief privacy officers and PricewaterhouseCoopers. But many of the data partnerships Facebook forged with other tech companies reportedly weren’t put through privacy reviews.
Privacy litigation
In the wake of the Cambridge Analytica scandal, Facebook has been hit with dozens of lawsuits that seek damages for users and investors on grounds of negligence, invasion of privacy, violation of state-level consumer protection laws and violation of federal laws such as the Stored Communications Act. On December 19, Karl Racine, the attorney general of the District of Columbia, sued Facebook, mainly for its Cambridge Analytica violations, arguing that Facebook violated the district's Consumer Protection Procedures Act. Other state attorneys general say they’re eyeing lawsuits against Facebook, raising the prospect of a multi-state lawsuit.
Deletion of Facebook accounts
The latest revelation of Facebook’s privacy violations may have reached the tipping point for users who were already on the fence, prompting public deletions of Facebook accounts and sparking speculation that Facebook will quickly become the MySpace of our time if it doesn’t mend its ways. Former WSJ tech guru and co-founder of Recode Walt Mossberg typifies this late-2018 trend.
Mossberg tweeted that he was deleting his Facebook account (and Facebook-owned Instagram, Messenger and WhatsApp accounts) because his “own values and the policies and actions of Facebook have diverged to the point where I’m no longer comfortable there.” Although Mossberg isn’t taking any interviews about his high-profile decision, he directed me to a series of follow-up tweets in which he advocates a federal law requiring social media companies to ask first and offer to pay for it if need be before sharing any highly personal information with third parties.
Despite Facebook account deletions by notable figures such as Mossberg (and celebrities including Cher), the social media platform has likely become too embedded in most users’ lives, making appreciable disconnects unlikely. A study released by Tufts University that used a series of auctions in which people were actually paid to close their Facebook accounts found that Facebook users would require an average of more than $1,000 to deactivate their account for one year.
Stay tuned. Given what appears to be an accelerating pace of disclosures about Facebook’s cavalier attitude toward protecting consumer data, 2019 is going to be a busy year on the data privacy and security front. The battering that Facebook took in 2018 is spearheading developments that could radically realign the rules of the road for security and privacy professionals.