If the Future is Private, the Future Can’t Be Facebook
We will never find privacy on a website designed to extract and exploit our personal information
“The future is private.”
Facebook CEO Mark Zuckerberg apparently likes these four words — enough, anyway, for them to appear behind him on a gigantic screen as he delivered his keynote address his company’s annual development conference, F8, this week.
Despite believing the opposite not long ago, this so-called pivot to privacy is a theme Zuckerberg’s been working on for a little while. He previewed earlier this year in a lengthy manifesto in which he said “the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages won’t stick around forever.”
But Zuckerberg’s newfound verbal commitment to privacy is still at odds with the way his website currently runs. And if privacy is indeed the future, Facebook will have to convince a lot of people that its words actually means something. One of the people who currently disagrees — and is taking Facebook to court over its failure to protect privacy — is Canada’s privacy commissioner.
Last week, Canada’s Office of the Privacy Commissioner (in conjunction with the Information and Privacy Commissioner of British Columbia) issued a damning report into how Cambridge Analytica accessed and collected information people had uploaded to Facebook via the third-party ThisIsYourDigitalLife app, which it reportedly then used to target people with political advertising.
The report upbraids Facebook for failing to get meaningful consent from the 276 Canadian users who installed the app, or from their approximately 622,000 friends and acquaintances whose information subsequently also became available for collection via access granted by Facebook’s former API. It also offers a window into Facebook’s commitment to privacy — as well as a hint of what might come from efforts to regulate the social network.
For instance, Facebook says it now better protect users when they install third-party apps on the site — namely through Graph v.2 (its updated API) and the company’s App Review. Yet, the report finds that those new changes “do not ensure the app uses the information in a manner that is consistent with the app’s representations to Facebook during App review, or with Facebook’s policies.” It seems that as far as the privacy commissioners are concerned, once the app has been approved, Facebook doesn’t employ meaningful checks to see the app is using data as it said it would.
Facebook told the commissioners that it takes “appropriate enforcement action when it becomes aware, through its monitoring measures, of violations of its privacy-related policies by third-party applications.” But, according to the report, Facebook never substantiated “that its monitoring resulted in meaningful enforcement with respect to preventing unauthorized access and use of users’ personal information by third-party apps.”
As Facebook pushes its Groups and Stories functions over third-party apps or even its NewsFeed — as Zuckerberg and others revealed at F8 — some of the specific concerns this report raises may become less relevant. Still, the report’s conclusions offer an important overall perspective on Facebook’s approach to privacy, and it’s not good.
“The facts of this case… do not, in our view, portray an organization taking responsibility for giving real and meaningful effect to privacy protection,” the commissioners write. “They demonstrate Facebook abdicating its responsibility for personal information under its control, effectively shifting that responsibility to users and apps.”
“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions.”
Can Facebook change? Maybe. Mark Zuckerberg certainly seems to believe it’s possible. But what would that shift to privacy really mean? And who gets to decide what privacy actually means?
Again, the Canadian report offers a hint. Facebook appears to want to set the terms — dictating the meaning and parameters of privacy, as well as setting deciding how it chooses to adhere to them.
In their report, the Canadian privacy officers gave Facebook recommendations for improvement, and their expectations on how Facebook could implement those changes. But not only did Facebook disagree with the findings of the report, it “proposed alternative commitments” which in some cases altered the recommendations, “undermining the objectives of our proposed remedies or outright rejecting the proposed remedy,” the privacy officials wrote. In other words, Facebook appeared to try to dictate the terms of its own compliance.
Daniel Therrien, the Federal Privacy Commissioner, put the problem more bluntly in an accompanying press release: “It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions.”
Ultimately, the two privacy watchdogs concluded that it is “difficult to reconcile Facebook’s CEO’s recent public statements regarding Facebook’s desire to work with regulators towards a more privacy-focused platform, with Facebook’s refusal to submit to audits whereby our Offices could confirm that Facebook is acting in an accountable way.”
“Now look,” Zuckerberg told the crowd at F8 this week, “I get that a lot of people aren’t sure we’re serious about this. We don’t exactly have the strongest reputation on privacy right now, to put it lightly. But I’m committed to doing this well and starting a new chapter for our product.”
What Zuckerberg means, exactly, by “doing this well” remains to be seen. For instance, we’re still waiting for the key privacy-oriented deliverable announced last year, the so-called “clear history” button. But as important as it is what Zuckerberg believes privacy protections look like for Facebook, as two Canadian privacy czars have argued, it should not be up to Facebook to set the terms of what counts as meaningful privacy measures or not. Perhaps it’s not even really up to regulators, either. But it should be up to us.
“We say we value privacy, but we hardly understand what we mean by it,” L.M. Sacasas, director of the Center for the Study of Ethics and Technology, wrote in January, amid the furor over Jeff Bezos’s apparent near-blackmailing. “Privacy flourishes in the attention economy to the same degree that contentment flourishes in the consumer economy, which is to say not at all.”
The only solution the consumer economy has to problems raised by the consumer economy is more consumption. As the saying goes, the only solution Facebook has to problems raised by Facebook is more Facebook. No matter Zuckerberg’s promises, if we go looking for privacy from a technology website designed to extract and exploit our personal information, we are not going to find it.
If we want the future to be private, Facebook can’t be the future.