The Zuckerberg Apology tour (Version 2018) continues today in Washington, DC. Yesterday, Nevada Senators Heller and Cortez-Masto had their opportunity to ask questions. Heller’s questions were well intentioned, but reduced in impact because his premise included the notion Facebook sells user information. It doesn’t. It sells advertising. (1) [NVIndy] Understanding the questions from Cortez-Masto requires a bit of background.
Senator Cortez-Masto referred to the 2011 Consent Decree between the FTC and Facebook.
“I appreciate you being here, I appreciate the apology, but stop apologizing and make the change,” she said. “The skepticism that I have, and I’m hoping you can help me with this, is over the last seven years…I haven’t seen really much change in ensuring that the privacy is there and that individual users have control over their data.” [NVIndy]
She has reason for her skepticism. Here’s what the FTC required as of November 29, 2011:
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
It doesn’t require too much mental effort to look at Facebook’s response to the provision that it is “required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information” and see there’s been precious little progress made by Facebook in terms of a comprehensive privacy program. (2) Although Zuckerberg described his company’s response as “robust,” (3) robust is not a term I might apply to Facebook’s efforts since November 29, 2011, especially in regard to the implementation of comprehensive privacy policy development and subsequent audits. Senator Cortez-Masto is correct in assuming we would not be discussing Cambridge Analytica had Facebook complied fully with the 2011 settlement terms.
There are deeper weeds to explore, a trail launched by Senator Maria Cantwell’s inquiry about Palantir. [BI]
“One of the oddest and most uncomfortable moments in the questioning of Facebook CEO Mark Zuckerberg by the Senate on Tuesday was when Senator Maria Cantwell (D-WA) started asking about Palantir. “Do you think Palantir ever scraped data from Facebook?” She asked. Zuckerberg, looked nonplussed and answered. “Senator, I’m not aware of that.” She asked, “Do you know who Palantir is?” Zuckerberg admitted that he did. And he should. Palantir is a company that was founded by his early investor and long-time board member Peter Thiel.” [BI]
There was nothing “odd” about the moment, if one assumes Senators had done some homework.
A connection between Facebook, Cambridge Analytica, and Palantir is strongly suggested by this reporting in Business Insider:
“We learned today that an employee, in 2013-2014, engaged in an entirely personal capacity with people associated with Cambridge Analytica,” Palantir told The Times. “We are looking into this and will take the appropriate action.”
The employee was Alfredas Chmieliauskas, according to The Times. His LinkedIn shows that he is a business-development staffer at Palantir in London. He suggested that Cambridge Analytica create a personality-quiz app to harvest data from Facebook users, The Times said. Cambridge Analytica eventually used a similar method to obtain data from about 50 million Facebook users it could then sell.
Sure enough, Cambridge Analytica appropriated the idea, and the collections began.
“Cambridge ultimately took a similar approach. By early summer, the company found a university researcher to harvest data using a personality questionnaire and Facebook app. The researcher scraped private data from over 50 million Facebook users — and Cambridge Analytica went into business selling so-called psychometric profiles of American voters, setting itself on a collision course with regulators and lawmakers in the United States and Britain.” [NYT]
That 50 million number keeps increasing. Given Facebook wants to sell advertising based on access to people, their friends, the friends of their friends, and the friends of the friends of their friends, it isn’t too difficult to assume the number of those affected will move upward. It would have been helpful if Facebook users were advised before they took the little “quiz app” that the information from their account would be “scraped” for use by psychometric efforts. Little wonder, then, that Mr. Zuckerberg was nonplussed by Senator Cantwell’s questions.
A couple of efforts seem to be in order. The first is an investigation into Facebook’s compliance with the terms of the November 2011 settlement with the FTC; the second is a thorough investigation into the links between Facebook, Cambridge Analytica, Palantir, CubeYou, and similar data accumulation and analysis entities. (4)
In short, it’s time to have some follow-up questions from the ladies in the Senate.
(1) See Sheryl Sandberg’s explanation and comments in this INC article.
(2) The original FTC complaint [PDF] can be found here.
(3) To see the precise terms of the 2011 settlement with the FTC see this PDF document.
(4) For additional information on CubeYou, see CNBC.