FAQ: what you should know about Facebook’s latest privacy crisis, and what you can do about it

Today we are publishing an open letter to Facebook and its CEO Mark Zuckerberg to ask a series of questions as the company is once again making headlines for its disregard of users’ privacy and the protection of personal data.

Below is an FAQ to summarise recent news on Facebook’s use of data and key recommendations for users, the industry, and lawmakers seeking to safeguard privacy and data protection going forward.

Why am I hearing Facebook shared my data with more companies?

On June 3, The New York Times reported that Facebook has partnered with at least 60 device makers to disclose individuals’ personal data before apps were widely available on smartphones. Among the device makers were Apple, Amazon, BlackBerry, Microsoft, Samsung, and Huawei.

What information was shared? What information did the companies gain access to?

The partnerships allowed Facebook to expand its reach, and in exchange, device makers gained access to the data of users — and of their friends — without their explicit consent. Some device makers could retrieve personal information from users’ friends who believed they had barred any disclosure, The New York Times found.

How is this different than Cambridge Analytica?

In the case of Cambridge Analytica, information about Facebook users had been disclosed initially without Facebook’s knowledge via an application which served as a middle man between Facebook and Cambridge Analytica. Here, Facebook willingly agreed and allowed the disclosure of information directly to device makers.

Additionally, Cambridge Analytica used the information from Facebook to build, profile, and then target content — including ads — to users during election campaigns. Cambridge Analytica had advertised to politicians its ability to influence election processes and used its techniques during the Brexit referendum, the US election, the Kenyan election, and more. It is unclear whether voters were actually influenced by the content they were exposed to as a result of the targeting, but the intention was clearly political.

In contrast, from what we know now, it appears that device makers used information from Facebook to offer customers features of the social network, such as messaging, “like” buttons, and address books before apps were available. The motive behind the use therefore seems to be commercial, even if it is still unclear how and what information was used and whether the partnership remained in place after the creation of apps.

Unfortunately, however, it remains unclear in either case exactly how much information Cambridge Analytica, app developers, or device makers have been able to access and use. More troubling is that in both cases, as well as in several other revelations over time about Facebook’s handling of user data, much of this disclosure happened without the users’ knowledge or consent.

Isn’t there some other news story involving Facebook right now?

In fact, there is. On June 7, 2018, it was reported that, from May 18 to May 27, a Facebook “bug” changed the default settings for the accounts of up to 14 million users, making their posts public to the whole world without their knowledge, even when users thought they were posting a message just to friends or smaller groups of people. The company says it has gone back and reset the affected posts to the user’s default setting before the “bug,” and that the problem has been fixed. Facebook has also started to notify the 14 million users who were affected. While this privacy incident may be the result of a technical glitch (a bug), the disclosure of data in the Cambridge Analytica and device makers cases is the result of a feature of Facebook activity: the over-broad collection and processing of personal information.

Did Mark Zuckerberg answer these questions already before the US Congress and the EU Parliament?

In short, no. Mark Zuckerberg testified before the US Congress in April and the conference of Presidents of the EU Parliament in May regarding the Facebook/Cambridge Analytica case. In both hearings, Zuckerberg was asked about the company’s practices around data collection, the selling of ads, as well as action taken to remedy privacy and data protection violations. In both hearings, these critical questions went mostly unanswered or the answers were so limited that they did not provide a clear indication of whether the company will undergo the changes necessary to fix these problems.

What can I do to protect my privacy?

Some people have chosen not to use Facebook or other social media platforms. However, that ignores the fact that social media has become an important tool for people around the world to communicate, work, and share their experiences. Of course, if you leave the platform, we understand how you might choose to do so, given these recent scandals, and the potential harms and limited redress available globally.

Simply leaving Facebook won’t address the privacy violations that are taking place. Facebook itself exists not only as a standalone social media network, but also as an identity authenticator for websites across the internet, as well as through its own subsidiaries, which include Messenger, Oculus, WhatsApp, and Instagram, among others. And then there is the wealth of other companies that exist online to collect our data — social media companies, retailers, data brokers, internet service providers, advertising agencies, credit agencies, news networks, and many, many others who vacuum up any and all information they can get access to, monetise, and often manipulate it in ways we may never fully understand.

Instead, we are calling on Facebook to provide clear answers on its practices and strong, legal protections for the use of data across the internet. All companies, including Facebook, should commit to independent human rights assessments of their practices. Finally, in the interim, we are calling on Facebook and others to apply the rights encompassed under the General Data Protection Regulation at a global level. No profit is above the respect for fundamental rights, and we can and must demand that industry protect our privacy and protect our data.

What should lawmakers do?

As we explain above, the internet has become a tool for entities looking to capitalise on our personal information. Data breaches, unauthorised disclosure of personal information, profiling and targeting of users for political or commercial purposes…nearly every day, news reports are filled with stories of privacy and data protection violations. It is high time that countries around the world adopt comprehensive data protection laws, if they have not already done so. As many abuses originate from companies headquartered in the United States, legislation on data protection there is now necessary, and, ultimately, inevitable. We have outlined what would be a good starting point for a comprehensive law in the US here and we stand ready to support Congress (or the states) in this effort.

In the EU, member states are making slow progress to adopt a position on the reform of the ePrivacy Regulation, crucial to protect the rights to privacy online and off, as well as confidentiality of communications. Access Now, together with a coalition of NGOs, is calling for the swift conclusion of this comprehensive reform, which should strengthen existing rules around the tracking and monitoring of users’ online behaviour.

In Argentina, Chile, India, Tunisia, and Pakistan — to name a few — we encourage lawmakers to adopt or reform a comprehensive, user-centric data protection regime. To that end, we have developed a policy guide: Creating a Data Protection Framework: A Do’s and Don’ts Guide for Lawmakers. This guide shares lessons from the process and outcome of the GDPR negotiations, as well as flagging issues for the implementation and enforcement of such norms.