In early June, Facebook finally delivered what U.S. legislators had been promised for nearly two months: detailed and comprehensive responses to over 2,000 questions stemming from CEO Mark Zuckerberg’s congressional testimony to both the U.S. House and Senate in April. Obviously, while Mr. Zuckerberg might have shared a lot of information during his two days in Washington, there was a lot that was left unclear and unanswered.
In a 229-page document, Facebook attempted to provide some clarity for each of these questions. While many of the official responses were similar to what you might expect to read on a Facebook FAQ (such as questions about how the Facebook pixel works), there were certainly some responses that might raise a few eyebrows for anyone who is concerned about social media privacy and the use and abuse of data.
#1: Over 200 Facebook apps have already been suspended for improper use of data
The list of Facebook responses starts off with an answer to a question on the minds of many people and not just U.S. lawmakers: How many other apps are out there that have been using Facebook user data without their permission? After the dramatic Washington testimony by CEO Mark Zuckerberg, the company promised to do a thorough review and investigation of all apps, and then immediately suspend any apps that were found guilty of using data without the permission of Facebook users.
The goal, quite simply, was to find any other apps out there similar to the infamous “quiz app” used by Cambridge Analytica to get its hands on user data from 87 million people. And, according to Facebook, the company has already investigated “thousands of apps” and suspended over 200 of them.
If you read between the lines, though, it looks like Facebook initially targeted for review only those apps related in any way to the prime suspects in the Cambridge Analytica scandal. The company then suspended them (even if they were still in a “test” phase), just to be on the safe side. As Facebook itself notes, almost all of the 200 apps are from just a handful of developers, all of them related in some way to Cambridge Analytica (e.g. the Cambridge Psychometrics Center).
The big takeaway from all this is that Facebook really doesn’t know how many apps might be using your data without your permission, even as it pledges to provide regular updates on this. The company is basically trying to limit its liability right now, and trying to rid itself of any association with Cambridge Analytica or any of its principals. Thus, while it might seem impressive that Facebook’s crack investigation team has already discovered 200 apps that needed to be suspended, this seems like it is really just scratching the surface.
#2: Facebook hints that more than 87 million people might have been affected by improper data use by Cambridge Analytica
Anyone else notice that the number of people who might have been impacted by the Cambridge Analytica scandal continues to rise substantially? The number of people who used the quiz app was only 260,000, but the media soon extrapolated that more than 50 million people might have been impacted. And that figure was soon ratcheted up to 87 million. That’s the number that everyone has been using, but now even that number seems to be under review.
In one response, the company cryptically noted that “Facebook does not actually know” how many people were impacted. Moreover, the same response notes that the 87 million figure is “a highly conservative estimate…” So let’s read between the lines here – Facebook is basically using the same estimate that the media has already reported, and has no idea of how to figure out what the real number is. Facebook is basically playing a game of damage control here, knowing that if the number continues to grow, so does the company’s potential liability under the 2011 FTC consent decree.
#3: Facebook continues to maintain that the FTC consent decree does not apply
And, speaking of the 2011 FTC consent decree, what does the Cambridge Analytica case mean for how it is enforced? From Facebook’s perspective, a worst-case scenario would be that the company is found to be in violation of the FTC consent decree. That would expose the company to potentially millions of dollars in damages, as well as extensive regulatory and legal penalties.