After the Facebook Privacy Debacle, It’s Time for Clear Steps to Protect Users

We learned last weekend that a trove of personal information from 50 million people — one in three U.S. Facebook users — was harvested for an influence and propaganda operation led by Cambridge Analytica, a company later used by the Trump campaign. Was Facebook hacked? Nope. All of this personal information was accessed through the Facebook “app gap,” a major privacy hole in Facebook’s app platform that the ACLU had been challenging since 2009, when we showed how Facebook quizzes posed this threat.

On Wednesday, Facebook promised to make more changes to prevent this from happening again. But there is still more it — and our government — can do to protect our privacy.

First, let’s understand what really happened. An organization called Global Science Research (GSR), run by researchers in the U.K., released an online personality quiz app on Facebook. The app collected personal data not only about the 270,000 people who were paid to use the app and agreed to share information, but also about all their Facebook friends without those friends’ knowledge.

At the end of the day, the app ended up with data on 50 million U.S. Facebook users, including sensitive information about the articles, posts, and pages “liked” by those users. GSR then handed that data to Cambridge Analytica, which used the data to build detailed psychological profiles of the users for political purposes, and whose customers included the presidential campaigns of Sen. Ted Cruz (R-Texas) and Donald Trump.

There’s been some debate over whether this is a “data breach,” but for the most part that is a red herring. If anything, this is arguably worse than the result of an inadvertent technical failure. Instead, it was a predictable outcome of the choices that Facebook has made to prioritize the bottom line over user privacy and safety.

Whatever you call it, misuse of data by app developers was hardly an unknown threat. In 2009, the ACLU wrote:

Even if your Facebook profile is “private,” when you take a quiz, an unknown quiz developer could be accessing almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. Facebook quizzes also have access to most of the info on your friends’ profiles. This means that if your friend takes a quiz, they could be giving away your personal information too.

In 2016, the ACLU in California also discovered through a public records investigation that social media surveillance companies like Geofeedia were improperly exploiting Facebook developer data access to monitor Black Lives Matter and other activists. We again sounded the alarm to Facebook, publicly calling on the company to strengthen its data privacy policies and “institute human and technical auditing mechanisms” to both prevent violations and take swift action against developers for misuse.

Facebook has modified its policies and practices over the years to address some of these issues. Its current app platform prevents apps from accessing formerly-available data about a user’s friends. And, after months of advocacy by the ACLU along with the Center for Media Justice and Color of Change, Facebook prohibited use of its data for surveillance tools.

But Facebook’s response to the Cambridge Analytica debacle demonstrates that the company still has significant issues to resolve. It knew about the data misuse  back in December 2015 but did not block the company’s access to Facebook until hours before the current story broke. And  its initial public response was to hide behind the assertion that “everyone involved gave their consent,” with executives conspicuously silent about the issue. It wasn’t until Wednesday that Mark Zuckerberg surfaced and acknowledged that this was a “breach of trust between Facebook and the people who share their data with us and expect us to protect it” and promised to take steps to repair that trust and prevent incidents like this from occurring again.

Zuckerberg is absolutely right that Facebook needs to act. In fact, it should have acted long ago. Here are a few steps that Facebook could have taken — and, in some cases, still should take — to prevent or address this incident:

1. Put users completely in control over sharing with apps

Facebook users should have complete control over whether any of their information is shared with apps. Right now, that’s not the case, and it does not appear that the planned changes will fix that.

Facebook has declared some types of information, including users’ name and profile picture, “publicly available” — and has made all of that information available to each user’s friends’ apps as well. The only way to prevent this data sharing is to exercise the “nuclear option” of turning off all app functionality. As a stern warning from Facebook explains, this prevents you from using Facebook for a whole list of purposes, including logging into other websites or applications.

Facebook Platform Setting Screenshot

As a practical matter, this gives privacy-concerned users two lousy options. They can either forego using any apps they personally select and trust or allow any app installed by their friends to access information about them. Facebook should give users a meaningful ability to opt out of sharing all information, including “public information,” with “apps others use” without disabling apps entirely.

2. Enhance app privacy settings

Facebook needs to ensure that users truly understand and control how it shares data with apps. The company has promised to do so, but of course the devil is in the details.

One positive step that Facebook is taking is making sure that app permissions expire. Until now, Facebook has granted apps access to information about any user who has EVER accessed the app; now, the company states that it will cut off access if a user does not use the app for three months. In addition, Facebook needs to clarify and redesign its app settings, particularly the “apps others use” settings that, frankly, we don’t understand at all. Whatever those settings do, they should protect privacy by default.

3. Notify users of any misuse of their data

Facebook has promised that it will make sure that users are fully notified of any misuse of their data, past or present. This is a major improvement over the company’s history, including their initial handling of this incident.

Because Facebook claimed that the Cambridge Analytica incident was not a “data breach” in the legal sense, it has not provided notice to users whose data was accessed; the company has promised to change that and notify all affected users. This is the correct policy. Whether data was inappropriately obtained or misused through a hack, a contractual violation, or some other mechanism is a distinction without a difference from the perspective of a Facebook user. And Facebook should continue to develop and improve tools to help users understand which third parties access their data at all.

4. Build stronger auditing and enforcement to ensure that its developer policies are followed

If Facebook is going to rely on its developer policies to prevent harmful outcomes, it needs to ensure that those policies are actually followed. Facebook has again promised to take steps in this direction, but the company needs to follow through this time.

First and foremost, Facebook needs to invest resources and effort into identifying violations. This is not the first time that a developer has violated Facebook’s policies, as reports of developers abusing Facebook apps first surfaced years ago. But far too often, these abuses seem to be detected through whistleblowers or external research rather than by Facebook itself. As we noted to The Washington Post  in 2016, the “ACLU shouldn’t have to tell Facebook … what their own developers are doing.” Mr. Zuckerberg has stated that Facebook will “investigate all apps that had access to large amounts of information” and “conduct a full audit of any app with suspicious activity,” which sounds promising but will only be effective with the technical tools and personnel to carry that out. In addition, if Facebook learns of an abuse or violation, it has pledged to ban the offender. This is a much better approach than their response to Cambridge Analytica, which continued to have access to the Facebook Platform until last week.

If Facebook had put these protections into place years ago, the personal information of 50 million Facebook users may never have been exploited. Instead the company is staring down government investigations, its stock price has plummeted, and users are clamoring to #deleteFacebook. Facebook’s promised changes are a good start, though there is more they could do voluntarily. But we also need to ensure that government agencies like the Federal Trade Commission hold companies accountable (especially companies like Facebook who are already subject to a settlement agreement based on previous privacy violations), and we need Congress and other lawmakers to strengthen privacy protections. We hope that other companies will take this opportunity to learn from Facebook’s privacy missteps and avoid making the same mistakes.

For real-life case studies and tips for businesses on privacy and speech, see this ACLU primer.  

View comments (6)
Read the Terms of Use

Dr. Timothy Leary

Facebook, like many things, is for suckers. Are you a sucker ?

Anonymous

Does the ACLU still collect and share/sell member information? Is it opt-in sharing or opt-out? Can I control which organizations receive my ACLU information?

Anonymous

The entire business model needs to change. Profits need to "incentivize" privacy protections. Facebook and other social media sites should be set-up similar to cable television.

For example: In cable television, although excellent shows, shows like "C-Span" or "The Weather Channel" would never receive sufficient funding to exist unless they are part of the entire cable package. The consumer pays the cable provider for a certain number of channels and those shows receive funding. If it were totally a-la-carte, there wouldn't be enough funding for some cable channels.

In this case, an email provider maybe could allow a certain number of online hours every month to subscribers and part of those hours could include Facebook or any other site. Facebook could be paid directly by the cable providers based on the number of clicks or FB hours. In this model Facebook wouldn't need to sell customers' private information and still make money.

Anonymous

There also needs to be a focus on record retention. Apparently 100% of all online communications, tweets, text messages, cell-phone records, faxes, etc. are stored for 3-8 years (depending on the service provider). Strong circumstantial evidence indicates the federal government and partner nations want to store 100% of all communications for more than 8 years.

What that really means: even if Congress or your state legislature enacts excellent privacy protections in 2018, a future Congress or state legislature could undo all of it. Some event could happen in 2025 (within the 8 year window) and render the 2018 privacy laws meaningless. Any record from 2018 could still be obtained in 2025.

For example: maybe a farmer buying fertilizer or truck driver hauling hazardous waste in 2018 may be totally safe for his or her perfectly legal activities. An event happens in 2025 and unaccountable bureaucrats deem you guilty and destroy your life for what you said or did in 2018 - without charge, without indictment, without judge, without jury and without guilty verdict.

This isn't theory, this is how it works. Bush AG John Ashcroft did exactly this to totally innocent Americans exploiting the federal "Material Witness Statute". A federal appeals court has documented proof that Ashcroft secretly went to a target's employer and forced them to fire blacklisted employees. The employer couldn't tell them why they were fired. These blacklisted Americans were then quasi-imprisoned and abused for more than 5000 consecutive days - without charge, without indictment, without judge, without jury and without guilty verdict. This is still happening today.

The truth is social media and online communications may never be made safe for very long - buy a good old fashioned paper newspaper!

Anonymous

Or maybe Facebook should just give a common sense quiz that people have to pass if they want an account.

Anonymous

Is the U.S. government really going to take any legal recourse against Facebook, Cambridge Analytica, GSR etc.? Our government politicians have money invested in Facebook stock. Are our politicians really going to do anything that is going to affect monies coming in there own pocket books?Is the government really interested in resolving this huge problem with the companies listed above or are they pretending to be concerned because that is what politics say they should do.

Stay Informed