Social media giant Facebook has upheld one of its promises to its users––that it would never sell their personal data––but only because the company was giving it away for free instead. Even then, it considered selling it until deciding that the backlash would be a problem.
Instead, according to a report in The New York Times, the social network allowed other companies essentially unrestricted access to user data, including their private messages. The article goes on to say that despite the promise by Facebook executives that those practices had ended, and despite sworn testimony in hearings before Congress saying the same thing, the practices continued at least through late summer 2018.
This data sharing has gone on for years, and received notice earlier this year when a political research company, Cambridge Analytica, was revealed to have used vast amounts of Facebook user data without user permission. Worse, it now appears that Facebook ignored user privacy settings, and in some cases even prevented users from disabling sharing.
For its part, Facebook has said that companies using its users’ data were subject to rigorous controls, but there’s no evidence that Facebook ever audited those companies and their use of Facebook data.
Worked Around a 2011 Consent Decree
Back in 2011, Facebook entered into a consent decree with the Federal Trade Commission in which it agreed not to share any user data outside the company without the user’s express permission. According to communications examined by the Times in its report, Facebook got around this by deciding that those other companies were really extensions of itself, and therefore permission wasn’t required.
Former FTC officials who were involved in the Facebook case at the time have said that the company was wrong to make such an assumption. Meanwhile, some of the companies who had received access to private user data have said that they didn’t ask for such access, didn’t need it and hadn’t used it. Others said that they were careful not to use it inappropriately.
But Facebook opened up data sharing with so many companies that the executives in charge of that effort weren’t able to keep up with the demand and instead instituted automated sharing with few controls.
As you might expect, Facebook’s practice of playing fast and loose with user privacy is coming home to roost. On Dec. 19, the Attorney General of the District of Columbia announced that Washington, D.C., was suing Facebook for damages as a result of the Cambridge Analytica data sharing. Karl Racine, the D.C. AG, released a statement explaining the action. “Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” said Racine.
“Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”
More Litigation Expected from Other Jurisdictions
The action by the District of Columbia is likely to be followed by attorneys general in a number of states. Eventually, these lawsuits could yield some compensation for Facebook’s victims within that jurisdiction. Racine said that he estimates that half of all D.C. residents were affected by the Facebook action.
But legal action by D.C. and several states may be the least of Facebook’s worries. Members of Congress from both sides of the aisle are already discussing legislation that would protect against such sharing similar to the ways that Europe’s GDPR protects its citizens. But it’s unclear whether that’s enough, since the GDPR apparently has had little effect on Facebook since it was implemented last May 25.
But there are other troubles for Facebook. The feared A-word is now being bandied about in Washington. That word, antitrust, could be the government’s big gun against a company that appears to be out of control and that refuses to conduct itself properly. Antitrust actions by the Department of Justice could result in Facebook being broken up into smaller independent companies that are prevented from joining back together. Mark Zuckerberg could even find himself being removed as head of Facebook or any of the surviving companies and prevented from leading such a company again.
What Enterprises Need to Discuss Internally
But right now, you have to contend with a social media platform to which promises mean little. If you or your company is using Facebook, it’s up to you to protect yourself, and it’s up to your company's social media managers to protect against the worst instincts of Facebook managers. Here are some things to keep in mind:
- The concept of privacy does not (and has never) existed for Facebook, which means that you must assume that everything you post there will be public in some way.
- Facebook can and will share your photos and images with others, despite the privacy settings or whether you’ve deleted them. So don’t post photos you don’t want to be public.
- Just because you’ve deleted something doesn’t mean that Facebook can’t use it.
- Private messages between you and another user aren’t really private—Facebook can see those messages and it can share them with others.
- Your privacy settings are meaningless to Facebook and companies it decides to share with.
This does not mean that you can’t use Facebook as a means of customer outreach or for marketing. Just be careful that you don’t collect anything that might be considered private when you do. Facebook can be an excellent platform for customer communications as long as you and your customers understand its limitations.