Facebook CEO Mark Zuckerberg Breaks Silence On Data Leak With Yet Another Apology

News
By Lucian Armasu
published

After five days of complete silence on the issue, Facebook CEO Mark Zuckerberg came out with an update on the company's recent controversy involving a data leak that affected 50 million Americans and allowed their data to be used for political purposes. Zuckerberg also offered yet another apology for the “breach of trust” between Facebook and its users, which now seems to happen roughly once a year.

Zuckerberg Apologizes (Again)

In a letter to the public, Zuckerberg admitted that because of the way Facebook’s data sharing with third parties worked before 2014, companies such as Strategic Communication Laboratories (SCL) and Cambridge Analytica were able to obtain not just your own data, for which you had to give permission, but also your friends’ data. Sharing your friends’ data without their consent is probably never a good idea, as the European Union (EU) realized not too long ago when it wrote the General Data Protection Regulation (going into effect this May).

After Facebook learned how Cambridge University researcher Aleksandr Kogan was harvesting its users’ data (again, through rules and APIs specifically allowed and written by Facebook), it likely realized that maybe it’s not a good idea to allow third parties to collect friends’ data without their consent. The company made changes in 2014 that prevented third parties from getting friends’ data unless they also gave permission to share their data with the same third-party developer.

However, even in this case, people may not have fully understood what they were signing-up for when, say, taking a quiz on Facebook. If a quiz app asks for all of your timeline data, including photos, comments, likes, shares, and profile information, most people may just click "OK" because they want to take the quiz, without realizing the implications of their agreement. Any app, whether it was a simple quiz or game, could have obtained all of their and their friends' data this easily.

The users may be partly at fault here, too, but most people ignore privacy policies, usually for a good reason: they’re made difficult to read and understand on purpose. Companies also need to take responsibility for how easy or hard they’re making their options and settings to understand by their users.

Zuckerberg said that he learned from the media in 2015 that Krogan was giving access to the data to Cambridge Analytica, and then Facebook asked Krogan and Cambridge Analytica to certify that they deleted all improperly obtained data.

However, at the time, Facebook didn’t do any audit. Only after the recent Cambridge Analytica story came out did the company send auditors to Analytica’s offices. The auditors didn’t have time to investigate because the UK Information Commissioner’s Office (ICO) came with a warrant and told the auditors to stand down so they wouldn’t impede the government’s investigation.

A “Breach Of Trust”

Zuckerberg also admitted that the Cambridge Analytica story showed a “breach of trust” between Facebook and its users:

This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.

Zuckerberg committed to investigating all the apps that requested large amounts of information before the 2014 rule change. A full audit of any app with suspicious activity will be conducted, and any developer who refuses the audit will be immediately banned from the platform. If the audits will find apps that misused personally identifiable information, the company will ban those apps and tell everyone about its findings.

Facebook’s CEO also said that further API restrictions will be added to the platform, so that developers will lose access to people’s data if the apps weren’t used in the last three months. Presumably, Facebook will also check to see if the developers aren’t simply storing the data somewhere else before they lose access, as Cambridge Analytica did.

Another restriction, which should have probably existed from day one, will be to allow third-party developers to obtain only your name, profile photo, and email address when you sign-in with the Facebook login. For additional data, the developers will have to sign contracts with Facebook.

Finally, Zuckerberg also promised a new tool in Facebook that will allow users to more easily revoke app permissions. This feature will be available next month.

Are The Tighter Rules Permanent?

Facebook has a long track record of changing its mind in regards to its privacy policies. In the past, the company would often nullify users’ more privacy-oriented settings and make their data more public by default. It took many outcries and many years for Facebook to eventually start allowing its users to actually make their data more private and limit who got to see it.

It also took companies such as SCL and Cambridge Analytica, and perhaps others, to grossly abuse the lax rules Facebook put in place for its data sharing with third-party applications - the same kind of rules Facebook was going to use to obtain your WhatsApp data after purchasing the messaging company. It was only after the EU Data Protection Authorities started intervening and requiring strict regulation over how Facebook can obtain the data and what it can do with it, that the company took a more privacy-oriented approach.

In the EU, Facebook won’t be given much of a choice once the GDPR goes into effect, especially now that the privacy enforcers are going to watch the company much more closely after what happened with Cambridge Analytica. However, it remains to be seen if this wasn’t just another apology from Zuckerberg in a long string of apologies, meant to get people to put their pitchforks down and forget about deleting their accounts.

Without some strong privacy regulations in the U.S., too, the company won’t have much incentive not to change its mind a couple of years later, and start relaxing the rules again, in order to make more money and make its shareholders happy.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
10 Comments Comment from the forums
  • Giroro
    All this is exactly why Americans need a constitutionally protected right to privacy.

    It's not generally not legal for someone to come into your home and filp through all your personal data, so it shouldn't be legal for a computer to do it to millions of people simultaneously. That level of data aggregation isn't just a threat to the individuals using these services. It is far bigger than "I have nothing to hide". Because you absolutely have things to hide, even if you don't appreciate it at the time. There's good reasons that doors have locks, windows have blinds, accounts have passwords, and you don't walk around with your checking account number printed on your T-shirt.
    In the case of all the aggregated tax information from the Experian breach or the security clearance info stolen by the 2015 OPM breach, its more than personal data, its a major threat to national security.

    If law enforcement wants to listen to a single phone call they need a warrant, but public companies are free to collect and sell as much data as they want? Wasn't it ATT that was caught selling unlimited phone records to law enforcement agencies who realized they have a loophole to avoid due process? Things like that are a problem. We need to fix these problems.

    Companies simply should not be allowed to collect this much personally identifiable data - especially without meeting baseline requirements for data security.

    In the very least, I demand the right to own or copyright my own personal information. If a company is out there copying and distributing my private data, how is that any different than a company copying and selling a song, or a book? How is a person's life story told in the form of Facebook timelines any different than a self-published autobiography?
    Basically if its impossible to protect privacy, then people should be able to charge royalties on their personal information. Meaning what Facebook/Cambridge did should be categorized as piracy, at a minimum.
    Reply
  • bigpinkdragon286
    20818777 said:
    All this is exactly why Americans need a constitutionally protected right to privacy.
    The U.S. Supreme Court has interpreted the Constitution to protect Americans' rights to both privacy and autonomy.

    This doesn't prevent individuals from clicking buttons that waive privacy rights because they would rather take a quiz on Facebook.
    Reply
  • Dantte
    Funny how Mark Zuckerbergs apology failed to mention the 2012 Obama campaign, toms fails to mention it as well, and how they did the exact same thing, but with 2 differences.

    Difference #1 the Obama campaign gathered user data via an app in partnership with Facebook, Trump used a 3rd party company.

    Difference #2 the Obama app didnt ask for permission for friends data, the Trump app did.
    Reply
  • 10tacle
    20818908 said:
    The U.S. Supreme Court has interpreted the Constitution to protect Americans' rights to both privacy and autonomy.

    Well SCOTUS also ruled that Social Media is public domain after seeing a few cases in recent years where lower courts sent them to SCOTUS. If memory served me correctly, the cases revolved around privacy rights and free speech and there are still no cut and dry Constitutional interpretations of where the line is drawn between public domain and privacy rights. This is nothing new of course because websites have been capturing private data from people visiting their pages long before FB came along. It may even take an Amendment to make something happen for a consistent interpretation by courts. We are in uncharted legal waters.

    But EU nations are going after Facebook now over privacy rights and threatening to sue. Belgium just took action last month in one such example: https://www.reuters.com/article/us-facebook-belgium/facebook-loses-belgian-privacy-case-faces-fine-of-up-to-125-million-idUSKCN1G01LG
    Reply
  • ubercake
    20818777 said:
    All this is exactly why Americans need a constitutionally protected right to privacy.

    It's not generally not legal for someone to come into your home and filp through all your personal data, so it shouldn't be legal for a computer to do it to millions of people simultaneously. That level of data aggregation isn't just a threat to the individuals using these services. It is far bigger than "I have nothing to hide". Because you absolutely have things to hide, even if you don't appreciate it at the time. There's good reasons that doors have locks, windows have blinds, accounts have passwords, and you don't walk around with your checking account number printed on your T-shirt.
    In the case of all the aggregated tax information from the Experian breach or the security clearance info stolen by the 2015 OPM breach, its more than personal data, its a major threat to national security.

    If law enforcement wants to listen to a single phone call they need a warrant, but public companies are free to collect and sell as much data as they want? Wasn't it ATT that was caught selling unlimited phone records to law enforcement agencies who realized they have a loophole to avoid due process? Things like that are a problem. We need to fix these problems.

    Companies simply should not be allowed to collect this much personally identifiable data - especially without meeting baseline requirements for data security.

    In the very least, I demand the right to own or copyright my own personal information. If a company is out there copying and distributing my private data, how is that any different than a company copying and selling a song, or a book? How is a person's life story told in the form of Facebook timelines any different than a self-published autobiography?
    Basically if its impossible to protect privacy, then people should be able to charge royalties on their personal information. Meaning what Facebook/Cambridge did should be categorized as piracy, at a minimum.
    Everything you said makes sense and I agree, but it's completely contrary to the oligarchy that controls the world by superseding the authority of any sovereign nation. They may make Zuckerberg or his corp, rather, the fall-guy in this situation, but they won't change a darned thing as a result. Any "privacy" policy put in place will simply be worded in a manner by which companies will continue to own and take our data.
    Reply
  • gggplaya
    20818777 said:
    All this is exactly why Americans need a constitutionally protected right to privacy.

    It's not generally not legal for someone to come into your home and filp through all your personal data, so it shouldn't be legal for a computer to do it to millions of people simultaneously. That level of data aggregation isn't just a threat to the individuals using these services. It is far bigger than "I have nothing to hide". Because you absolutely have things to hide, even if you don't appreciate it at the time. There's good reasons that doors have locks, windows have blinds, accounts have passwords, and you don't walk around with your checking account number printed on your T-shirt.
    In the case of all the aggregated tax information from the Experian breach or the security clearance info stolen by the 2015 OPM breach, its more than personal data, its a major threat to national security.

    If law enforcement wants to listen to a single phone call they need a warrant, but public companies are free to collect and sell as much data as they want? Wasn't it ATT that was caught selling unlimited phone records to law enforcement agencies who realized they have a loophole to avoid due process? Things like that are a problem. We need to fix these problems.

    Companies simply should not be allowed to collect this much personally identifiable data - especially without meeting baseline requirements for data security.

    In the very least, I demand the right to own or copyright my own personal information. If a company is out there copying and distributing my private data, how is that any different than a company copying and selling a song, or a book? How is a person's life story told in the form of Facebook timelines any different than a self-published autobiography?
    Basically if its impossible to protect privacy, then people should be able to charge royalties on their personal information. Meaning what Facebook/Cambridge did should be categorized as piracy, at a minimum.

    Your analogy is not accurate because facebook users allowed permission to access their data. The problem is, people just click on OK because they're too lazy to read it and just want to play the game or quiz. Cambridge used Amazon's freelance work service to actually pay people for access to their facebook account. It was a measly $2 and it was for their metadata, but it is what it is.

    You're analogy is more accurate if some people paid you $2 to walk through your house with your permission, looking at all your pictures, seeing what kind of things you purchased or talk about, and flipping through your phone's contact list, then walking out.
    Reply
  • mjslakeridge
    20819655 said:
    Funny how Mark Zuckerbergs apology failed to mention the 2012 Obama campaign, toms fails to mention it as well, and how they did the exact same thing, but with 2 differences.

    Difference #1 the Obama campaign gathered user data via an app in partnership with Facebook, Trump used a 3rd party company.

    Difference #2 the Obama app didnt ask for permission for friends data, the Trump app did.

    Hopefully this information will come out (well it's already out, but not widely reported on) if/when there are congressional hearings where Facebook executives are asked to testify under oath. My first question would be "To what extent did Facebook coordinate, cooperate with or otherwise assist ANY political campaign or political party"?

    I doubt the mainstream media would even report honestly (the U.S. media) if there was testimony that Facebook assisted the Obama 2012 campaign. A lot of the dishonesty from the media is what they DON'T cover, if it is not favorable to their side.

    Reply
  • Giroro
    "You're analogy is more accurate if some people paid you $2 to walk through your house with your permission, looking at all your pictures, seeing what kind of things you purchased or talk about, and flipping through your phone's contact list, then walking out."

    If you wanted to be even more accurate, I feel it's closer to a company approaching people in a shopping mall and offering them $2 for their opinion. Except they hid a contract in fine print on the back of the check, so when you endorse the check you are actually giving them written permission to do things like enter you home, GPS track your car, publish your life story in a book and then make a movie based on that book, etc.
    Still not a perfect analogy though. Partly because you would have actually had to have the contract in front of you before signing it with a valid signature - and partly because it is illegal to print a legally binding contract on the back of a check (in my state at least).
    Of course, whether or not clicking 'ok' on a ToS is legally binding in the first place is an entirely different debate. I personally feel that it would be pretty hard to prove exactly who clicked 'ok' when the account was being created. So signing away the rights to your life story sounds like the kind of thing where a notary needs to be involved.
    Reply
  • jungleboogiemonster
    20819655 said:
    Funny how Mark Zuckerbergs apology failed to mention the 2012 Obama campaign, toms fails to mention it as well, and how they did the exact same thing, but with 2 differences...

    You forgot a huge difference. CA's data was collected under the guise of academic research, which it wasn't. People were not aware that the data was going to be handed over to CA and be used for political purposes. That means people who never would have given their data to a Republican, or any political group, gave up their information unwittingly. Obama's app was clearly his app. Obama's app also followed Facebook's guidelines. If you have any problems with how Oabam's app collected the data, it's on Facebook for having guidelines you disagree with.
    Reply
  • Dantte
    20828411 said:
    20819655 said:
    Funny how Mark Zuckerbergs apology failed to mention the 2012 Obama campaign, toms fails to mention it as well, and how they did the exact same thing, but with 2 differences...

    You forgot a huge difference. CA's data was collected under the guise of academic research, which it wasn't. People were not aware that the data was going to be handed over to CA and be used for political purposes. That means people who never would have given their data to a Republican, or any political group, gave up their information unwittingly. Obama's app was clearly his app. Obama's app also followed Facebook's guidelines. If you have any problems with how Oabam's app collected the data, it's on Facebook for having guidelines you disagree with.

    This is FALSE, and you sir are wrong, sad part is I dont know if your that grossly misinformed or are willfully lying to protect some ideal?

    Your first point: 'People willingly gave data to Obama's app but were tricked by CA'. Partially wrong, the CA questionnaire ASKED for permission for user and friends data (admittedly under false pretense): the Obama app only asked for user data which included; birth dates, locations, and 'likes', but then proceeded to take all available data and friends data associated with that account WITHOUT permission.

    Your second point: "Obama's app also followed Facebook's guidelines." 100% WRONG, Obama's app took user and friends data WITHOUT permission. Facebook discovered this and instead of cutting off the flow of information, they partnered with the Obama campaign to then target users and their friends with political ads and "get out the vote" which was only sent to users with an 87% or higher chance of voting democrat and made to look as if it were coming from their friends. Facebook promptly put an end to the Obama app at the end of the 2012 election.

    There is also another difference here I failed to mention in my original post and your also dont mention: The data collected by the Obama campaign was USED in the general election and is still used and on file at the DNC... thats right people, the DNC has a digital profile on you! The CA app was NOT used by the Trump campaign as they felt the RNC data was more reliable, as far as we know, this data was destroyed.

    Democrats BRAGGING about the data collection:
    https://youtu.be/eIA1lQBqH1s
    https://www.nytimes.com/2013/06/23/magazine/the-obama-campaigns-digital-masterminds-cash-in.html

    Dont get me wrong here, I think taking user data without a users permission or them know how such data is going to be used is wrong. I'm calling out everyone Obama, Hillary, DNC, Trump, RNC, CA, etc... My point in this comment is simply to educate, put out facts, and especially call out Zuckerberg as a hypocritical FAKE, and Toms as well for not telling the whole truth.
    Reply