As 2019 comes hurtling towards us, one company is going to breathe a sigh of relief that 2018 will fade into the distance – Facebook.
The House of Zuckerberg must be counting the hours until midnight of 2018 because this year has not been one that Facebook will want to remember.
The social media giant has experienced what could charitably be called an ‘annus horribilis.’
In 1992 Queen Elizabeth said in her Christmas message, “1992 is not a year I shall look back on with undiluted pleasure. In the words of one of my more sympathetic correspondents, it has turned out to be an ‘annus horribilis’.”
Mr Zuckerberg might be excused for echoing that statement in 2018. This year has been one that the house that Zuckerberg built would prefer to forget. The translation of the Latin phrase as ‘a year of disaster or misfortune’ is perhaps apt – although the misfortune has been largely of Facebook’s own making.
Let’s take a look back at the train smash of data breaches and privacy stumbles that have characterized Facebook’s experience in 2018.
The Cambridge Analytica furor
Facebook’s seeming indifference to its users’ right to privacy and the protection of their usage data was brought into sharp focus in 2018 with what has now been dubbed the Cambridge Analytica scandal. The now defunct Cambridge Analytica was a political consulting and strategic communication firm that provided data and advice to political parties and other influencer groups. Clients included the pro-Brexit ‘Leave EU’ supporters and the Trump political machine during the elections that saw him eventually assume office. It later became public knowledge that Facebook had allowed (or at least turned a blind eye to) Cambridge Analytica’s harvesting of ‘personally identifiable information’ of around 87 million of its users without their knowledge or consent.
Cambridge Analytica was able to access user profiles due to what has been described as extremely lax safeguards protecting user data. Add to this an almost willful disregard of developer oversight (leading to developers abusing the Facebook API), as well as users agreeing to terms and conditions that could only be charitably called broad. Add these issues together and you have the components that caused a perfect storm of privacy violation.
Delving deeper into just how Cambridge Analytica gained access to personal data reveals a startling fact. The company exploited the functionality of an app called ‘thisisyourdigitallife.’ The information gathered allows companies to build ‘psychographic profiles’ of those users who downloaded the app. But even more startling was the fact that not only was information on profiles and user history gathered – but the app also allowed Cambridge Analytica to gather data on the users’ Facebook ‘friends.’ Clearly Facebook had not kept its eye on the privacy ball.
Cambridge University researchers have claimed that the data “can be used to automatically and accurately predict a range of highly sensitive personal attributes including: sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender.” Clearly this was an enormous breach of the trust that Facebook users had in the company.
In March 2018, Facebook threatened to sue The Guardian newspaper over publication of the story. Campbell Brown, a former CNN journalist who now is the head of news partnerships at Facebook, commented that the action was “not our wisest move,” a masterful understatement. Cambridge Analytica also threatened to sue The Guardian for defamation.
It became increasingly apparent that Facebook was making every effort to draw down a veil of secrecy over the Cambridge Analytica affair. However, the company failed dismally at the coverup attempt. Eventually Zuckerberg and Facebook COO Sheryl Sandberg were called to testify before the U.S. Congress on how Facebook was dealing with data security and privacy issues. It must be noted that Congress was by no means impressed with either the testimony of Zuckerberg or the transparency related to the issues of privacy and data security. This was not Facebook’s finest hour.
Facebook woes continue
If users thought that Facebook would live up to its commitment to improve the protection of consumer data and respect privacy boundaries (as Zuckerberg claimed at the Congressional hearing) they were in for a rude surprise. In October 2018 Facebook revealed that the company had experienced a data breach that affected 29 million users. Hackers stole the data by using an automated system that migrated across users’ Friend network. The effect of the hacking attack was to make users much more vulnerable to targeted phishing attacks.
The hackers made off with data from 14 million users that included profile information such as details of birth dates, employment and education history, religious preference, types of devices used, pages followed and recent searches and location check-ins. Another 15 million users saw data on names and contact details being accessed. Facebook revealed that the attackers accessed posts and friend lists of an additional 400,000 users.
In what was cold comfort, Facebook commented that the hackers did not access personal messages, nor did they manage to hack information related to financial transactions.
The hackers this time exploited Facebook’s ‘view as’ feature, which had three different vulnerabilities that allowed hackers to both post and browse the accounts of users.
Facebook faced the ire of more than just congressional authorities in the United States over the breach, which had been ongoing since July 2017. The Irish data protection commissioner opened an investigation into the breach. Authorities in other jurisdictions including the U.S. states of Connecticut and New York also looked into the attack, as did Japan’s Personal Information Protection Commission (JPPC).
Commenting on the attack, Zuckerberg said, “I feel like we’ve let people down and that feels terrible, but it goes back to this notion that we shouldn’t be making the same mistake multiple times.” However, the fact of the matter is that Facebook seems to be making the same mistakes again and again when it comes to both privacy and data security.
Enter Facebook Portal
In early October Facebook announced the launch of its Portal device. The device harnesses the company’s messaging system to allow users (amongst other functionality) to make high quality video calls. Facebook was adamant that no data would be collected through Portal. Not even call log data or app usage data, like the fact that you listened to Spotify, will be used to target users with ads on Facebook, said a spokesperson at the launch. Reporters were skeptical given Facebook’s checkered record when it comes to privacy issues.
They were right not to take that statement at face value. Their cynicism was rewarded when Facebook clarified their stance by announcing that although Portal doesn’t have ads it will gather data about who you call and data about which apps you use on Portal. That data can be used to target you with ads on other Facebook-owned properties.
A spokesperson said, “Portal voice calling is built on the Messenger infrastructure, so when you make a video call on Portal, we collect the same types of information (i.e. usage data such as length of calls, frequency of calls) that we collect on other Messenger-enabled devices.”
When a company is not even sure of its own messaging on a subject like privacy, especially with a track record like Facebook’s, users have every reason to get anxious. This is especially true when Facebook announced that they had even further plans for living rooms across the globe. A project codenamed Ripley is in the pipeline – a camera that you plug into your TV to turn it into a ‘mega Portal.’ Facebook’s claim that Portal is “private by design” is in tatters. Consumers who were excited about Portal may now be slightly more apprehensive.
The bad news keeps coming
Facebook executives might have been cautiously confident that they could make it to the end of 2018 without further privacy related incidents – however, that was not to be.
On December 14 the company announced that a bug may have allowed third-party apps to access and download 6.8 million private images from users’ accounts even if the images were not publicly posted. The vulnerability occurred over a 12-day period in September of 2018.
Facebook commented on their blog that because of the bug, roughly 1,500 apps could access “a broader set of photos than usual.” It’s worth noting that Facebook allows apps by third-party developers to obtain users’ permission and access photos shared on their timeline.
Marc Rotenberg, the executive director of the Electronic Privacy Information Center commented, “It’s stunning that Facebook has the ability to send user photos to third parties when the user has not fully uploaded the photo … It’s like a provider sending draft emails.”
More to come?
It’s been a bad year for Facebook, and a worse one for its users. However, many of the problems at the social media company are systemic, and the product of its own attitude to harnessing the data of users to run targeted ad campaigns. The company is the custodian of vast amounts of this data, and it provides that to third parties. The problems experienced by Facebook are largely self-inflicted and the direct result of their business model. That isn’t going to change anytime soon. However, the regulators (as well as lawmakers) in the United States and in the European Union are rapidly losing faith and patience with Facebook. It is only a matter of time before they take action, and that could be very bad news for Zuckerberg and co.