Facebook opens door to regulatory scrutiny with unprecedented disclosures
14 June 2018. By Mike Swift.
In the wake of Mark Zuckerberg’s recent testimony before Congress, Facebook produced an unprecedented 449 pages of written answers this week to questions the CEO couldn’t immediately answer during his in-person testimony prompted by the Cambridge Analytica privacy leak.
The exchanges with members of the Senate’s Judiciary and Commerce committees have forced Facebook to open up to an unprecedented degree about its trade in personal data, and the extensive technology it built to power an advertising business that produced $39.9 billion in revenue in 2017.
There is no going back. In a 35-page exchange between Facebook and Senator Catherine Cortez Masto, Facebook was forced to detail its ability to track the online activities of people, even those with no direct relationship with Facebook, on websites outside the social network. It revealed that tracking tools are deployed on millions of websites, including its “Facebook pixel” code, invisible to consumers, that is embedded on 2.2 million websites.
Facebook denied a published report that it creates “shadow profiles” of the online likes and habits of people who are not Facebook users. But it confirmed that it does collect extensive information about non-Facebook users.
Facebook typically talks about how it allows advertisers to target ads to highly segmented groups of people — for example, politically conservative Hispanic women in their mid-30s living in Chicago who like sports-related video games. Facebook says it never sells the actual identity of those people to advertisers.
In its answers (see here) to the Senate committees' members, Facebook also discussed how it receives large amounts of personal data from retailers, apps, and software developers, who feed the company data about what their consumers buy or look at on their websites and apps, even if those users lack an account or are logged out of Facebook.
“Advertisers, app developers, and publishers can send us information through Facebook,” the company told Cortez Masto. “These partners provide information about your activities off Facebook — including information about your device, websites you visit, purchases you make, the ads you see, and how you use their services — whether or not you have a Facebook account or are logged into Facebook.”
Many times, Facebook sidestepped or ignored the senators’ questions, such as refusing to tell Senator Chris Coons what it spends on privacy and data security. “We do not have a single budget line-item for these efforts,” the company tersely told Coons, a Democrat from Delaware.
But the extensive disclosures it did make, coupled with the important questions it refused to answer, are unlikely to diminish the regulatory heat Facebook is facing in the United States and other countries.
Senator Ed Markey, a Massachusetts Democrat who co-authored the Children’s Online Privacy Protection Act (COPPA), wanted a commitment Facebook would not sell information it collected about children once they turned 13.
“I am disappointed that Facebook once again refuses to promise that it will never include advertising in Messenger Kids, an offering specifically targeted to children ages 12 and under,” Markey said this week. “Companies like Facebook should not be able to cash in on children or teens' personal information.”
— Tough questions from Nevada —
The lengthy exchange between Facebook and Cortez Masto, a Democrat from Nevada, was perhaps the most interesting portion of the written response.
Responding to the freshman senator’s questions, Facebook was forced to discuss its patents on technology to track the eye movements of users for identification purposes, and the body movements of users to determine their emotional state so as to target advertising.
Facebook said it might use eye-tracking to help identify people using its Oculus virtual reality headsets, but would always consider privacy when using that technology.
“Like many companies, we apply for a wide variety of patents to protect our intellectual property. Right now we’re not building technology to identify people with eye-tracking cameras,” Facebook said.
“However, we’re always exploring how new technologies and methods can improve our services, and eye-based identification is one way that we could potentially reduce consumer friction and add security for people when they log into Oculus or access Oculus content. If we implement this technology in the future, we will absolutely do so with people’s privacy in mind, just as we do with movement information (which we anonymize in our systems).”
The former attorney general of Nevada quizzed Facebook about the gender and race diversity of its workforce. And she aimed a half-dozen probing questions at whether the Cambridge Analytica leak is proof that Facebook violated a privacy consent decree with the US Federal Trade Commission that became effective in 2012.
“Facebook has not violated the Federal Trade Commission Act,” the social media giant told Cortez Masto, although it acknowledged that third-party apps on Facebook’s platform might have.
“Facebook is not in a position to determine whether third-party app developers violated the Act and leaves that determination to the FTC, although we can confirm that misrepresenting the terms of an app to users is a violation of Facebook’s developer policies,” the company said.
The company sidestepped a question from Cortez Masto about whether the FTC asked Facebook to block the ability of friends to share data about their friends without getting permission from that person. But Facebook said the FTC was fully informed that users were subject to having their personal data shared by their friends on the social network.
“We furnished extensive information to the FTC regarding the ability for users to port their Facebook data (including friends data that had been shared with them) with apps on Facebook’s platform, as part of the FTC’s investigation culminating in the July 27, 2012 Consent Order,” the company said, adding that the consent decree “did not require Facebook to turn off the ability for people to port friends data that had been shared with them on Facebook to apps they used.”
— Facebook’s rivals —
During his testimony before the Senate and House in April, Zuckerberg demurred when asked to name Facebook’s main competitors.
This time, the company did more to argue it is not a social media monopoly, naming more than a dozen companies which it said it competes with directly.
If consumers want to share photos and videos online, they can choose DailyMotion, Snapchat, YouTube, Flickr, Twitter, Vimeo, Google Photos or Pinterest, Facebook said. If they want to send someone a message, they can use Telegram, Skype, Line, Viber, Apple’s iMessage, WeChat, Snapchat and LinkedIn. To buy an ad, they could go to Spotify, Twitter, Google, YouTube, Amazon or Snapchat.
“Facebook represents a small part (in fact, just 6%) of this $650 billion global advertising ecosystem and much of that has been achieved by helping small businesses — many of whom could never have previously afforded newspaper or TV ads — to cost-effectively reach a wider audience,” the company told Senator Kamala Harris, a Democrat from California.
Competition regulators in the US, EU and elsewhere have become increasingly concerned about the share of the growth that Facebook and Google are capturing in that global advertising ecosystem.
Nevertheless, Facebook said, it is not alone in collecting personal data that gets shared with third parties. Even Congress does it.
“For example, the Senate Commerce Committee’s website shares information with Google and its affiliate DoubleClick and with the analytics company Webtrends,” Facebook said at one point, calling out its Silicon Valley neighbor. “This means that, when a person visits the Committee’s website, it sends browser information about their visit to each one of those third parties.”