Response to FTC Task Force on Anti-Competition: 3 Investigative Tactics to Ferret Out Facebook’s Fraud
In light of the FTC’s announcement of a task force on anti-competition in technology platforms, here are three direct ways of demonstrating that Facebook managed a devastating pay-to-play scheme with the data of 2 billion people that goes far beyond the narrow scope of the 87 million people affected by Cambridge Analytica and forced over 35,000 businesses to shut down for reasons that had nothing to do with privacy:
Proving Sales of Private Data to the Highest Bidders:
1. Cross-check companies who entered into ad purchasing agreements with companies who entered into Private Extended API Agreements or Addenda. This will demonstrate that Facebook sold user data and tried to conceal this fact by tying together two different agreements that it pretended were unrelated.
2. Access and review the communications between Facebook and these companies surrounding their decision to enter into these two “separate” agreements to determine their understanding in doing so and whether a quid pro quo was involved.
3. Review all other agreements with companies who entered into Private Extended API Agreements, particularly agreements related to procurement by Facebook of the company’s IP or data, even if they are “unrelated” to these other agreements.
4. According to the UK Parliament report, over 5,000 companies entered into Private Extended API Agreements. If only a sample of them is reviewed, it is important that the sample be sufficiently large and appropriate (and not hand-picked by Facebook!). Companies who are major brands or sell non-software products or services will not have suffered the same kind of extortionary demands as companies who build popular consumer apps.
5. Track the evolution of these agreements from 2012 through the present and review all the internal communications of Facebook executives when discussing whether and under what terms to continue whitelisting these companies.
Proving the Deliberateness of Privacy Violations Through Repeated Data Transfers in These Agreements
1. Cross-check the privacy metadata supplied by Facebook (if any) on individual data points in user data files accessed from Facebook’s APIs by the many large developers who entered into these Private Extended API Agreements against the privacy metadata on individual data points in the user data files generated after the user uploaded the data to Facebook (i.e., only me, friends, friends of friends, public, etc.).
2. Through this cross-checking exercise, you should be able to determine, for instance, that John Doe uploaded 100 photos to Facebook and set them to “only me” on a certain date, but that at a later date Facebook sent those photos to, say, Tinder through its APIs with no “only me” privacy setting on them, and Tinder subsequently showed those photos to other Tinder users, not knowing that only John Doe was supposed to see them, etc.
3. This cross-checking exercise would demonstrate quite clearly that there is in fact not one Cambridge Analytica “breach”, but many hundreds of them, and that the core issue is not whether to allow third parties access to user or friend data; it is Zuckerberg’s explicit decision not to pass privacy settings when transferring that data over Platform APIs (even after the FTC Consent Decree!).
4. Regardless of whether anyone at Facebook makes or tries to make this cross-checking exercise difficult, it is extremely important that investigators are very specific in their requests to be able to match data in user data files with the data files third-party companies received from Facebook. No amount of excuses from Facebook that it dealt with these issues “upstream” in its own systems or that the technology is too complicated to match users across these files should deter investigators. Investigators must pierce through any and all evasive responses.
5. The third-party company files should include data transfers from both public APIs and private APIs, both of which were specified in various Private Extended API Agreements. 54 public APIs were part of this pay-to-play scheme. Facebook must not be permitted to hand-pick the third-party data files it shares with the investigators. Investigators should carefully choose them from the pool of the more than 5,000 companies who entered into these agreements and rely on informed experts to do so.
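The cross-check described in steps 1 through 5, sketched as an added example that is not part of the original post: each transferred record is matched to the user's own file and compared with the audience setting in force on the transfer date. The record layout, field names, app names and sample records are constructed assumptions, not Facebook's actual file formats.

```python
from datetime import date

# Audience levels named in the post, ordered narrowest to broadest.
AUDIENCE_RANK = {"only_me": 0, "friends": 1, "friends_of_friends": 2, "public": 3}

def setting_in_force(history, when):
    """Return the audience the user had set on or before `when`, else None."""
    in_force = None
    for changed_on, audience in sorted(history):
        if changed_on <= when:
            in_force = audience
    return in_force

def cross_check(user_file, transfers):
    """Flag transfers whose privacy metadata is missing, broader, or unmatchable."""
    findings = []
    for t in transfers:
        key = (t["user_id"], t["object_id"])
        history = user_file.get(key)
        if history is None:  # transferred item cannot be matched to a user file
            findings.append((key, t["recipient"], "unmatched"))
            continue
        expected = setting_in_force(history, t["sent_on"])
        sent = t.get("audience")  # None means no privacy setting was passed
        if expected is None:
            findings.append((key, t["recipient"], "no_setting_at_transfer"))
        elif sent is None:
            findings.append((key, t["recipient"], f"setting_dropped:{expected}"))
        elif AUDIENCE_RANK[sent] > AUDIENCE_RANK[expected]:
            findings.append((key, t["recipient"], f"broadened:{expected}->{sent}"))
    return findings

# Constructed sample data (hypothetical users, objects and apps).
USER_FILE = {
    ("u1", "photo-001"): [(date(2013, 1, 5), "only_me")],
    ("u1", "photo-002"): [(date(2013, 1, 5), "public"), (date(2013, 6, 1), "friends")],
    ("u2", "photo-003"): [(date(2013, 2, 1), "friends")],
}
TRANSFERS = [
    {"user_id": "u1", "object_id": "photo-001", "recipient": "app-A", "sent_on": date(2013, 3, 1), "audience": None},
    {"user_id": "u1", "object_id": "photo-002", "recipient": "app-A", "sent_on": date(2013, 7, 1), "audience": "public"},
    {"user_id": "u2", "object_id": "photo-003", "recipient": "app-B", "sent_on": date(2013, 4, 1), "audience": "friends"},
    {"user_id": "u9", "object_id": "photo-404", "recipient": "app-B", "sent_on": date(2013, 4, 1), "audience": None},
]

if __name__ == "__main__":
    for finding in cross_check(USER_FILE, TRANSFERS):
        print(finding)
```

The "unmatched" result is kept as a finding rather than skipped, since an inability to match a transferred record to a user file is itself something investigators would need explained.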
The Discussions that Led To The Biggest Privacy Scandal in History
1. Request all communications we believe reveal the inception of the exclusionary pay-to-play scheme, specifically discussions held by Zuckerberg, Sandberg, Olivan, Lessin, Cox, Rose, Stretch, Bosworth and a number of other executives throughout 2012 around the “Platform Business Model,” “transition to mobile” and “reciprocity,” as well as around changes (or the lack thereof) to the privacy settings.
2. Request from Facebook all the communications of Platform managers like Simon Cross, Eddie O’Neil, Doug Purdy and Justin Osofsky, and privacy leaders like Rob Sherman, concerning Facebook’s privacy settings from 2012 through the present.
3. With the appropriate search terms and a diligent review of the documents, the failure to pass privacy settings in APIs and the rationale behind that decision will become abundantly clear.
These are just a handful of the many ways the FTC can get to the bottom of Facebook’s deceptive business practices. We have cooperated and will continue to cooperate with the FTC and other governmental investigators; it is time for all others to do so as well.
We will never get past this cycle of repeated investigations as long as investigators limit their focus to individual “breaches,” like the Cambridge Analytica “breach,” rather than addressing the wider privacy-violating and anti-competitive conduct at the root of all these scandals.
So, how can you help us continue to bring Facebook’s fraud to light? Please see our campaign at the link below as it details how we are seeking to enforce your rights and to ensure that Facebook and others answer all the questions that the FTC has pursued and which Facebook continues to duck while trying to sue us for millions of dollars of damages in California court.
Message us on Twitter @realsix4three or use the hashtag #zuckmustgo. Learn more at zuckmustgo.com or facebooksappeconomy.com and consider donating to our efforts to get to the bottom of Facebook’s fraud.