[BreachExchange] Facebook’s very bad year, explained

Mon Dec 24 18:38:00 EST 2018

https://www.vox.com/technology/2018/12/21/18149099/delete-facebook-scandals-2018-cambridge-analytica

Facebook
<https://www.vox.com/2018/12/19/18148136/facebook-privacy-violations-nyt-netflix-spotify-amazon-yahoo>
started 2018 talking about bringing people together
<https://newsroom.fb.com/news/2018/01/news-feed-fyi-bringing-people-closer-together/>
by showing users more “meaningful posts” from their friends and family.
It’s ending 2018 explaining why it was sharing information about those
friends and families with dozens of companies without users’ consent
<https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html>.

Over the past year, the social network has found itself at the center of a
growing storm over a wide array of issues, ranging from data privacy
<https://www.vox.com/policy-and-politics/2018/4/11/17225518/mark-zuckerberg-testimony-facebook-privacy-settings-sharing>
to Russian meddling
<https://www.vox.com/policy-and-politics/2018/10/25/18016212/russian-meddling-dark-money-influence-2018-midterm-elections-citizens-united>
to fake news
<https://www.vox.com/2018/8/21/17764698/fake-news-on-facebook-user-rating-system>.
The company and CEO Mark Zuckerberg have issued multiple apologies
<https://www.vox.com/2018/4/10/17220290/mark-zuckerberg-facemash-testimony>
for its missteps, and yet the scandals keep coming.

Just this week, the New York Times
<https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html>
reported that Facebook had let companies such as Spotify and Netflix read
users’ private messages, and Washington, DC, Attorney General Karl Racine
sued
<https://www.washingtonpost.com/technology/2018/12/19/dc-attorney-general-sues-facebook-over-alleged-privacy-violations-cambridge-analytica-scandal/>
Facebook for letting the political consulting firm Cambridge Analytica
access data from some 87 million users.

“We have great products here that people love,” Zuckerberg said
<https://s21.q4cdn.com/399680738/files/doc_financials/2018/Q3/Q318-earnings-call-transcript.pdf>
in a call discussing Facebook’s quarterly earnings in January. That’s
becoming progressively less the case.

It’s not entirely clear yet what Facebook’s complete 2018 story will be,
but there is at the very least a pattern: Facebook does the bad thing,
hides the bad thing, and then when the bad thing becomes public, it says
it’s sorry and offers up explanations, only to either keep doing that bad
thing or repeat the cycle related to a different bad thing.

That’s all left it unclear as to whether Facebook can, or is willing to, fix
itself
<https://www.vox.com/business-and-finance/2018/11/15/18096935/new-york-times-facebook-soros-zuckerberg-schumer>.

The start of the year was relatively smooth

Facebook had a fairly normal start to the year.

Its first big announcement
<https://newsroom.fb.com/news/2018/01/news-feed-fyi-bringing-people-closer-together/>
of 2018 was that it would show people more posts from their friends and
families in their News Feed in response to criticism that it was
overprioritizing content from businesses, media, and brands. In a post,
Zuckerberg said he wanted Facebook to be “good for people’s well-being.”

The company also said it would do better about making sure news was
from “trusted
sources <https://newsroom.fb.com/news/2018/01/trusted-sources/>” and
prioritizing local news
<https://newsroom.fb.com/news/2018/01/news-feed-fyi-local-news/> and
putting out posts on social media and democracy
<https://newsroom.fb.com/news/2018/01/hard-questions-democracy/>. It said
it was getting ready
<https://www.facebook.com/business/news/facebooks-commitment-to-data-protection-and-privacy-in-compliance-with-the-gdpr>
for new privacy rules out of Europe because it “takes data protection and
people’s privacy very seriously.”

In February, special counsel Robert Mueller indicted
<https://www.vox.com/2018/2/16/17020776/russian-indictments-robert-mueller>
13 Russian nationals and three Russian entities, focusing primarily on a
Russian troll farm called the Internet Research Agency, for their political
propaganda efforts in the US, including on social media platforms such as
Facebook. The focus was on the Russian actors, though, not the platforms
they used.

The same month, Wired published a long piece about Facebook’s “hellish
<https://www.wired.com/story/inside-facebook-mark-zuckerberg-2-years-of-hell/>”
two years, but the tone was that it might turn around. Facebook had
“evolved” and come to realize some of its responsibilities. Facebook,
perhaps, was getting better.

Except it wasn’t.
Then Cambridge Analytica hit

On March 16, Facebook made a sudden announcement
<https://newsroom.fb.com/news/2018/03/suspending-cambridge-analytica/> that
it was suspending a relatively obscure political consultancy, Strategic
Communication Laboratories, and its data analytics firm, Cambridge
Analytica, from its platform. On March 17, we found out why: The New York
Times
<https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html>
and the Guardian
<https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election>
published a pair of blockbuster stories outlining how Cambridge Analytica
had harvested private information from more than 50 million users without
their permission.

The now-defunct
<https://www.theverge.com/2018/5/2/17311892/cambridge-analytica-us-offices-shutting-down-facebook-scandal>
firm had worked with multiple political campaigns, including Donald Trump’s
2016 presidential bid, and claimed to be able to create “psychographic”
profiles
<https://www.vox.com/policy-and-politics/2017/10/16/15657512/cambridge-analytica-facebook-alexander-nix-christopher-wylie>
to create personality profiles for voters. Cambridge Analytica got the data
from a researcher who made a personality quiz app on Facebook that
collected information on users and their friends.

After the Cambridge Analytica scandal broke, lawmakers, regulators, and
users all over the world were, understandably, outraged. The Federal Trade
Commission said
<https://www.ftc.gov/news-events/press-releases/2018/03/statement-acting-director-ftcs-bureau-consumer-protection>
it would launch an investigation into whether Facebook’s handling of data
violated a 2011 consent order
<https://www.npr.org/sections/thetwo-way/2011/11/29/142898301/facebook-settles-with-ftc-on-charges-it-deceived-users-on-privacy>
it had with the company.

Facebook said it was sorry
<https://newsroom.fb.com/news/2018/03/hard-questions-cambridge-analytica/>
and promised to do better
<https://newsroom.fb.com/news/2018/03/cracking-down-on-platform-abuse/>. It
literally took out full-page newspaper ads apologizing.

In April, Facebook admitted that 87 million users had been affected by the
Cambridge Analytica scandal, and Zuckerberg went to Washington. He
testified before both Senate
<https://www.vox.com/policy-and-politics/2018/4/10/17222062/mark-zuckerberg-testimony-graham-facebook-regulations>
and House of Representatives
<https://www.vox.com/technology/2018/4/11/17224244/mark-zuckerberg-facebook-hearing-privacy>
and fielded a wide range of questions from lawmakers, including its efforts
to combat Russian disinformation and fake news, user privacy, and potential
monopolistic practices.

What became clear in the hearings was that US lawmakers seem confused about
what Facebook does, what its problems are, and how to fix it — in other
words, don’t hold your breath if you’re anticipating big tech regulation
<https://www.vox.com/policy-and-politics/2018/4/10/17208322/facebook-mark-zuckerberg-congress-testimony-regulation>
from the US.

As part of its apology tour, Facebook banned the Russian trolls from the IRA
<https://newsroom.fb.com/news/2018/04/authenticity-matters/>, said it would
make ads and pages more transparent
<https://newsroom.fb.com/news/2018/04/transparent-ads-and-pages/>, and put
out a splashy video
<https://www.facebook.com/facebook/videos/here-together-60-video/10157309509986729/>
saying it would do better.
Zuckerberg runs into troubles in Europe

In May, it was European lawmakers’ turn to take a crack at Zuckerberg, who
appeared before the European Parliament
<https://www.vox.com/policy-and-politics/2018/5/22/17381776/mark-zuckerberg-facebook-europe-privacy-gdpr>.
The good news: European politicians seem to have a much better hold on the
ins and outs of Facebook and approached Zuckerberg with tough, skeptical
questions. The bad news: Zuckerberg got about 10 minutes, at the end of the
hearing, to respond.

May was also the month that the General Data Protection Regulation
<https://www.vox.com/policy-and-politics/2018/4/5/17199754/what-is-gdpr-europe-data-privacy-facebook>
(GDPR), a new privacy and data collection law, went into effect in Europe.
Facebook made a show of complying
<https://newsroom.fb.com/news/2018/04/new-privacy-protections/>.

The same month, the Guardian
<https://www.theguardian.com/technology/2018/may/24/facebook-accused-of-conducting-mass-surveillance-through-its-apps>
mentioned a lawsuit brought against Facebook in the US by an app developer
named Six4Three that alleged its data policies favored some companies over
others. The story was largely missed, but one British lawmaker paid
attention, and in December, he obtained and released
<https://www.vox.com/business-and-finance/2018/12/6/18127980/facebook-uk-documents-emails-mark-zuckerberg>
more than 200 pages of documentation from the suit. Among the revelations:
Zuckerberg and his team discussed how to make money off user data, and
Facebook discussed “whitelist” agreements with multiple companies to help
them access user information.

Over a later data breach, Facebook could also potentially face a $1.6
billion
<https://www.wsj.com/articles/facebook-faces-potential-1-63-billion-fine-in-europe-over-data-breach-1538330906>
fine out of Europe.
The scandals just keep coming

Month after month, through the summer and into the fall, revelations about
Facebook kept coming.

In June, the Times reported
<https://www.theverge.com/2018/6/4/17424174/facebook-user-data-deal-device-manufacturer-nyt-report>
that Facebook gave some 60 device makers access to user data, including
Huawei
<https://www.cnbc.com/2018/06/05/facebook-gave-data-access-to-chinese-firm-flagged-by-us-intelligence.html>,
a Chinese telecommunications company that US intelligence has expressed
concerns
<https://www.vox.com/technology/2018/12/11/18134440/huawei-cfo-arrest-5g-risk-meng-wanzhou>
about for years.

Also over the summer, Facebook revealed bugs in features that let users decide
whom they shared content with
<https://newsroom.fb.com/news/2018/06/audience-selector-error/> and whom
they blocked <https://newsroom.fb.com/news/2018/07/blocking-bug/>. It made
announcements about flagging and deleting suspicious activity ahead of the 2018
midterms
<https://www.vox.com/2018/7/31/17635592/facebook-elections-russia-2018-midterms>
and tackling accounts out of Russia and Iran
<https://www.theverge.com/2018/8/21/17766422/facebook-influence-campaign-russia-iran-fake-accounts>.
It also
<https://www.nytimes.com/2018/07/02/technology/facebook-federal-investigations.html>
said the Department of Justice, the FBI, and the Securities and Exchange
Commission were looking into its affairs as part of the Cambridge Analytica
probe.

But it became a sort of one step forward, two steps back scenario.

On August 6, Facebook banned
<https://newsroom.fb.com/news/2018/08/enforcing-our-community-standards/>
right-wing conspiracy theorist Alex Jones; on August 13, the federal
government filed charges
<https://www.theverge.com/2018/8/19/17757108/us-department-of-housing-and-urban-development-facebook-complaint-race-gender-discrimination>
saying that Facebook had violated the Fair Housing Act by allowing ads to
discriminate against certain groups. (Facebook later said it was removing
the ads
<https://techcrunch.com/2018/08/21/facebook-is-removing-over-5000-ad-targeting-options-to-prevent-discriminatory-ads/>.)
And in September, the American Civil Liberties Union alleged
<https://www.npr.org/2018/09/18/649158898/facebook-allowed-employers-to-exclude-women-from-job-ads-aclu-says>
that Facebook let employers target job ads just to men.

In April, Facebook said it would self-implement the Honest Ads Act
<https://www.axios.com/facebook-ad-changes-5da9d7f7-d297-488b-9f46-9729101201f8.html>,
legislation that would require more transparency about who’s buying
political ads on its platform. As the midterms approached, people were
still able to buy and place political ads
<https://www.vox.com/business-and-finance/2018/11/15/18096935/new-york-times-facebook-soros-zuckerberg-schumer>
and put them under anyone’s names, including Vice President Mike Pence and
the Islamic State
<https://news.vice.com/en_us/article/wj9mny/facebooks-political-ad-tool-let-us-buy-ads-paid-for-by-mike-pence-and-isis>
.
The concerns about data privacy and security go well beyond Cambridge
Analytica

Over the course of the year, it’s become increasingly clear that Facebook’s
security and privacy issues go far beyond Cambridge Analytica — and that
the company is never going to come out and say what its problems are, or
fix them.

In September, Facebook released a “security update
<https://newsroom.fb.com/news/2018/09/security-update/>” saying a breach
had exposed the data of 50 million users. It eventually revealed that about
30 million users’
<https://newsroom.fb.com/news/2018/10/update-on-security-issue/> “access
tokens” had been stolen that hackers could use to take over people’s
accounts.

Then in December, Facebook said it has exposed
<https://www.theverge.com/2018/12/14/18140771/facebook-photo-exposure-leak-bug-millions-users-disclosed>
up to 6.8 million people’s private photos in another leak. That breach had
also happened in September, but Facebook waited about six weeks to mention
it.
It’s not clear if Facebook actually can — or wants to — get better

What’s become increasingly clear throughout the year is that Facebook might
not want or have the ability to fix itself. While publicly it’s constantly
apologizing, privately, it’s still acting shady.

In November, the Times detailed
<https://www.nytimes.com/2018/11/14/technology/facebook-data-russia-election-racism.html>
how Facebook, including Zuckerberg and chief operating officer Sheryl
Sandberg, had sought to downplay and deny recent scandals around it,
including Cambridge Analytica and Russian meddling. The report also
outlined how Facebook hired the Republican consulting firm Definers to
conduct and spread opposition research
<https://www.vox.com/2018/11/16/18098728/facebook-anti-semitism-george-soros-definers-nyt>
about its detractors, including highlighting their ties to liberal
billionaire George Soros, a maneuver many called anti-Semitic. Sandberg
also came under fire for reportedly asking whether Soros
<https://www.vox.com/policy-and-politics/2018/11/30/18119616/sheryl-sandberg-soros-freedom-from-facebook>
had shorted Facebook’s stock.

The Wall Street Journal
<https://www.wsj.com/articles/with-facebook-at-war-zuckerberg-adopts-more-aggressive-style-1542577980>
reported in November that Zuckerberg had told Facebook executives earlier
in the year that his company was at war.

And that war has continued: Third-party reports
<https://www.vox.com/technology/2018/12/17/18144946/senate-report-russia-facebook-twitter-google>
for the Senate Intelligence Committee on Russian interference released on
Monday said that Facebook and fellow tech giants Twitter and Google had
done the “bare minimum” to provide the committee data and information. And
on Wednesday, the Times
<https://www.vox.com/2018/12/19/18148136/facebook-privacy-violations-nyt-netflix-spotify-amazon-yahoo>
reported that Facebook had allowed companies such as Spotify and Netflix to
access users’ private messages and provided access to other user data for
some 150 companies between 2010 and, you guessed it, 2018. In response to
the Times report, Facebook said
<https://newsroom.fb.com/news/2018/12/facebooks-partners/> none of the
features or partnerships gave access to people’s information without their
permission and tried to explain the message access
<https://newsroom.fb.com/news/2018/12/facebooks-messaging-partnerships/>.

Facebook keeps saying that it’s not selling user data, but it’s making
money off it by letting outside parties take a peek.
This is hurting Facebook

Facebook has paid a price. Employee morale is down
<https://www.businessinsider.com/facebook-employee-morale-drops-after-scandals-survey-report-2018-11>,
calls for quitting Facebook
<https://www.nytimes.com/2018/12/19/business/delete-facebook-account.html>
are growing louder, and the founders of two of its most popular products —
WhatsApp
<https://www.theguardian.com/technology/2018/apr/30/jan-koum-whatsapp-co-founder-quits-facebook>
and Instagram
<https://www.vox.com/business-and-finance/2018/9/25/17900610/instagram-founders-resign-facebook-kevin-systrom>
— have resigned. Facebook’s stock price has declined by more than 20
percent this year, and Zuckerberg lost an estimated $15 billion
<http://time.com/money/5478554/mark-zuckerberg-facebook-loss-net-worth/>.

Despite all that, it appears that Facebook’s leadership continues to
believe its behavior is the best course of action. It’s a business, and
providing dubious access to user data, engaging in and allowing shady
political activity, and hiding errors until the last minute, it seems, is
perceived as more lucrative than the alternative.

Eventually, Facebook may be forced to really reckon with what’s happened —
because of law enforcement actions, fines, regulation, user revolt, or
something else. Thus far, through all the scandal, it’s charging ahead.
There will surely be another apology soon.
Zuckerberg runs into troubles in Europe