After the controversial Cambridge Analytica scandal that rocked Facebook in March this year, the social media site has found itself under the microscope and in hot water ever since. Unfortunately for Facebook, the scandals and frenzy are far from dying down.
Immediately, outraged consumers and advocates began calling on social media platforms to take more responsibility for the data they collect daily. After Facebook acknowledged that the Facebook information of up to 87 million users may have been improperly shared with Cambridge Analytica, the world was angered. Within 10 days of the news breaking, Facebook shares had dropped almost 18%.
Facebook faced severe backlash from politicians, media and users alike. Public figures ranging from the New York and Massachusetts Attorneys General to Brian Acton, the co-founder of WhatsApp, were calling for more information from Facebook or a total boycott of the site. On Twitter, Virginia Senator Mark Warner said he believed it was time for Mark Zuckerberg to testify before Congress to answer for the “social media manipulation” practiced by his company.
FTC Investigation Launched
Soon after the news broke, the Federal Trade Commission announced it was launching an investigation into Facebook’s data privacy practices. The investigation will likely centre around any violations of consent or the FTC Act in general. The scandal raised questions about how social media platforms can protect end users’ data privacy from third parties and enhance their security practices. Currently, no formal report or comment has been released by the FTC on the matter.
Expansion of the Bug Bounty Program
On 27th March, Ime Archibong, the Vice President of Platform Partnerships at Facebook, wrote a piece explaining that Facebook was expanding its bug bounty program, which has operated since 2011. The expansion prompted researchers to locate vulnerabilities on the social media platform, focussing more specifically on data and privacy-related issues.
In the same post, Archibong described other updates to Facebook’s platform, which aimed to “maintain the trust people place in Facebook when they share information”. These included an investigation and audit of all apps with access to Facebook information, a thorough search for suspicious activity and a reduction of data access. Facebook also promised to inform people if an app was banned for data misuse.
New Data Access Restrictions Introduced
As part of these changes, in early April Facebook revealed a number of new data access restrictions being implemented in order to prioritise privacy for end users. The new measures were detailed in a post by Mike Schroepfer, Facebook’s Chief Technology Officer.
The changes would essentially limit the personal data that apps could collect about Facebook’s users, including religion, relationship status, political views, education and work history, news reading, video and games activity and more. This was well received and many believed it marked a turning point for Facebook.
Data Scraping Scandal
It seemed as if Facebook was finally recovering from the incident when, on 6th April, Mark Zuckerberg stated that most of Facebook’s 2 billion users may have had their data scraped by malicious actors utilising a reverse search tool.
The feature being manipulated was designed to enable users to enter phone numbers or email addresses to find friends on Facebook. However, it was revealed that the opt-in feature was being misused by malicious actors to scrape the data of millions of users. Such information could then be used for targeted attacks by cybercriminals.
Zuckerberg explained that while the feature was disabled immediately, the company was aware of many malicious instances where the feature had been utilised. This incident left users and experts questioning whether Facebook could ever properly protect their information from third parties.
Facebook founder and CEO Mark Zuckerberg then appeared before Congress in a series of hearings in early April. The hearings gave Congress members and the public an opportunity to question Facebook about the various scandals that saw users’ private data handed over or exfiltrated from the social media site. Discussion also centred around Facebook’s privacy policies and the government’s role in working with and regulating massive social media platforms in terms of their data privacy.
Announcement of Data Clearing Capabilities
In an attempt to improve their data privacy, Facebook announced a new feature in early May allowing users to flush their history and cookies from their Facebook accounts. However, the post explaining the new feature also stated that it may take several months to build, and essentially warned users that it may impact their Facebook experience.
Privacy Glitch Setback
Unfortunately, another setback came for Facebook in early June when 14 million user posts were switched to ‘public’ for 10 days. The glitch meant that users who had set their content to private had inadvertently made their posts available to the public instead. Facebook’s Chief Privacy Officer, Erin Egan, stated they immediately fixed the issue once it was detected and had begun letting those affected know of the bug.
Norwegian Agency Makes Severe Allegations
Another blow came when the Norwegian Consumer Council released a report on 27th June, alleging that Facebook was doing anything it could to nudge users away from data privacy.
Despite the transparency enforced by the GDPR, the report stated Facebook was still employing various tactics to steer end users away from data privacy, leading them to expose their personal information. The report found that Facebook has utilised, and continues to utilise, psychological methods such as ‘dark patterns’, these being exploitative design choices used in its interfaces with the aim of prompting users to share as much data as possible. Users are directed towards subconscious actions that benefit Facebook and may not be in the user’s interests.
This explosive and in-depth report was not commented on by Facebook officials and stirred even more concern from the public.
In July, the Washington Post alleged that the FBI, the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) had joined the FTC in investigating the Cambridge Analytica scandal, questioning Facebook over their knowledge of the data breach since 2015.
However, whether this claim is true still remains unclear. Interestingly, a spokesperson for Facebook came forward claiming that the company and its executives had received questions from federal agencies and were cooperating with officials in the US, UK and beyond.
Crimson Hexagon Ban
In line with their promise to notify users of any bans, Facebook announced on 23rd July that analytics firm Crimson Hexagon was under investigation for potentially violating their data policies through collection of public user data.
Crimson Hexagon is a Boston-based company that collects public posts from various social media sites and uses analytics to measure public attitudes and patterns. The firm was immediately banned after they were found harvesting data from the site. However, Facebook later confirmed they were yet to find any evidence that Crimson Hexagon obtained and used any Facebook information inappropriately.
CISO Calls for Greater Security
A memo dating back to March this year was made public, written by Facebook’s former Chief Information Security Officer (CISO) Alex Stamos. The memo urged the company to rethink their approach to data privacy and political manipulation. Stamos pointed to issues such as “tens of thousands of small decisions [being] made over the last decade within an incentive structure that was not predicated on our 2018 threat profile”.
Indeed, Stamos has been in the headlines since March for allegedly butting heads with Facebook executives over how to properly handle the privacy, misinformation and propaganda concerns plaguing Facebook. Despite resignation rumours dating back to December last year, it was announced on 1st August that Stamos would be leaving the company later this month. His role as CISO will not be filled; instead, Facebook has chosen to dissolve the security team and embed security engineers within its other divisions.
Political Meddling and Tension Rising
The resignation of Stamos has come at a time of severe tension as the November midterm elections loom and Facebook ramps up its efforts to combat misinformation, propaganda and foreign interference.
As part of these efforts, Facebook stated in an official post that it had removed 32 pages which were found to be involved in “coordinated inauthentic behaviour”. This is important for the company at a time when all eyes are on Facebook, scrutinising how it protects its information against political campaigning and the spread of misinformation this time around.
Facebook recognised that it faces “determined, well-funded adversaries who will never give up and are constantly changing tactics”. To improve, Facebook claims to be investing in more people and better technology to combat the bad actors misusing the social media site. Its Community Standards Enforcement Report also showed Facebook had disabled 583 million fake accounts in the first quarter of this year alone.
While this escalation is promising, the reality remains that Facebook has a long way to go before it wins back the trust of its users, the media and politicians. The company must take responsibility for its data security and prove that it can effectively protect the information it holds on its 2 billion users. Whether this is truly possible for any social media site remains unclear, and unfortunately for users it may get worse before it gets better. In the meantime, users must be informed of and utilise the available privacy settings and ensure they use these sites with caution.