Once again, Facebook is embroiled in a scandal where it was caught violating millions of people’s privacy. A blockbuster story published by the New York Times before the holidays revealed that Facebook had entered into secret “partnerships” with various technology companies — Amazon, Microsoft, Netflix, Spotify, and others — that gave hundreds of internet giants vast access to private information for years without Facebook users’ consent.

As the Atlantic’s Alexis Madrigal succinctly put it, “Facebook didn’t sell your data; it gave it away.”

With Congress now embroiled in a government shutdown, it’s still unclear how it will all play out. But Facebook’s tactics — both how it evades oversight from government regulators and how it has misled journalists and the American public — eerily resemble those of the culprit in this decade’s other major privacy scandal: the National Security Agency (NSA).

In hiding what it was doing from its users and in the underhanded ways it has justified its invasive actions after the fact, Facebook seems to have drawn directly from the NSA’s playbook.

Here’s exactly what that looks like.

Redefine Words Until They Hold No Meaning

For years, one of the NSA’s most effective methods for avoiding public accountability was to redefine common English without explicitly telling anyone. Words like “surveillance” would be defined so narrowly as to lose all meaning, and phrases like “relevant to an investigation” would be expanded so greatly as to encompass everything. (Read this compendium of the NSA’s dictionary put together by the ACLU for a full explanation.)

Facebook reportedly leaned on redefining one key phrase to escape scrutiny of the Federal Trade Commission (FTC) and the agency’s supposed regulatory powers: “service provider.”

As the Times explained, Facebook has been under a consent decree with the FTC since 2012, when the agency reprimanded the social media giant for violating users’ privacy. Facebook was at least supposed to follow strict rules about when and why it could not share users’ data with others. But as the Times reported, Facebook relied on quietly redefining “service provider” to get everything it wanted.

According to the Times, there was a service provider exception to the strict privacy rules set by the FTC, which was “intended to allow Facebook to perform the same everyday functions as other companies, such as sending and receiving information over the internet or processing credit card transactions, without violating the consent decree.”

But Facebook secretly interpreted service providers incredibly broadly, far past what many former FTC officials said was even close to reasonable. Service providers would soon encompass basically any company Facebook wanted to share data with — hundreds of giant corporations, from Netflix to Spotify, and even the Russian search engine Yandex.

“I don’t understand how this unconsented-to data harvesting can at all be justified under the consent decree,” is how David Vladeck, formerly the head of the FTC’s consumer protection bureau, put it.

Pretend There Was No “Abuse” When the Entire System Is the Abuse

Another tried-and-true method of the NSA in response to the Snowden revelations was to essentially claim, “Yes, we were secretly storing massive amounts of data on Americans, but the system was never ‘abused.’” This was President Obama’s initial defense of the program: “There continues not to be evidence that the [metadata surveillance] program had been abused,” he said at the time.

Put aside the fact that there actually was abuse. The existence of the program itself was the abuse. It was never debated or passed into law in Congress, and the American people did not know about it until it was leaked to journalists.

Facebook is now leaning on the same excuses: Yes, the massive data-sharing operation was happening in secret for years, but “Facebook has found no evidence of abuse by its partners,” a spokesman told the Times. Who cares if users were never informed or are outraged at learning of it after the fact?

Act as Your Own Referee, Then Give Yourself a Stamp of Approval

Speaking of declaring yourself as free of abuse: Acting as your own referee is another go-to move of the NSA. In the aftermath of the Snowden leaks, NSA director Keith Alexander gave the spy agency stellar grades in the self-regulating department. “This agency in every case reports on itself, tells you what we did wrong, and does everything we can to correct it,” Alexander told Congress.

Like Facebook, the NSA is supposed to be held accountable by other government entities. In the NSA’s case, it’s the Foreign Intelligence Surveillance Court (FISC). But even the FISC admitted it has severely limited visibility into exactly what the NSA is doing, and the judges rely on the NSA to self-report its own violations.

The chief FISC judge at the time, Reggie Watson, admitted as much to the Washington Post when he wrote, “The FISC is forced to rely upon the accuracy of the information that is provided to the Court” and “does not have the capacity to investigate issues of noncompliance.”

Facebook was able to evade regulators in a similar way, arguably with the FTC’s help. The Times described how “the FTC essentially outsources much of its day-to-day oversight to companies like PricewaterhouseCoopers” — which Facebook paid for “and largely dictated the scope of its assessments.”

Use Government Secrecy to Hide Information from the Public

Of course, the hallmark of the NSA is using the government’s secrecy system to hide its true controversial scope from the American public. Facebook doesn’t have direct access to the government’s classification system, but it has been able to use government redactions to its advantage.

When PricewaterhouseCoopers reviewed some of Facebook’s data partnerships in 2013, it reportedly “found only ‘limited’ evidence that Facebook had monitored those partners’ use of data.” But as the Times reported, that finding “was redacted from a public copy of the assessment, which gave Facebook’s privacy program a passing grade overall.”


Two other lessons can be learned from the NSA privacy scandal. The first, as the Washington Post’s Andrea Peterson said in 2013, “It’s to pay very careful attention to what Sen. Ron Wyden (D-Ore.) says. So if he hints that there’s something worth reading… that should serve as a bat signal to privacy advocates.” (Wyden was the senator who famously caught Director of National Intelligence James Clapper in a lie about the NSA’s surveillance on Americans.)

Maybe the same can now be said about Facebook. In September, when Sheryl Sandberg was testifying before Congress, Senator Wyden provided Facebook a list of very detailed questions about its service provider data-sharing agreements. While Sandberg’s testimony made front-page headlines, Wyden’s questions and Facebook’s evasive answers, published a month later, were overlooked by almost everyone. It turns out that should have been a sign.

But if there is one overarching lesson from Facebook’s series of debacles in 2018, it is that the company has grown so big that it’s hard to see how it can ever be trusted. As the Times described, Facebook had entered into so many data-sharing partnerships that it couldn’t keep track of them all. The system was beyond anyone’s control.

Time and again, in other privacy controversies over the years, Facebook has explained features of its systems to journalists, only to have to backtrack or do a 180 on its explanations, leading one Gizmodo journalist to conclude, “People at Facebook don’t know how Facebook works.”

It’s the same underlying issue in the NSA’s massive surveillance programs — even if you think their intentions aren’t evil. In attempting to explain how the agency had been illegally collecting data on Americans for years, government lawyers actually admitted to the FISC that its systems were so enormous that “there was no single person who had a complete technical understanding” of how things worked.