It can be hard to remember from down here, beneath the avalanche of words and promises and apologies and blogposts and manifestos that Facebook has unleashed upon us over the course of the past year, but when the Cambridge Analytica story broke one year ago, Mark Zuckerberg’s initial response was a long and deafening silence.
It took five full days for the founder and CEO of Facebook – the man with total control over the world’s largest communications platform – to emerge from his Menlo Park cloisters and address the public. When he finally did, he did so with gusto, taking a new set of talking points (“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you”) on a seemingly unending roadshow, from his own Facebook page to the mainstream press to Congress and on to an oddly earnest discussion series he’s planning to subject us to at irregular intervals for the rest of 2019.
The culmination of all that verbosity came earlier this month, when Zuck unloaded a 3,000-word treatise on Facebook’s “privacy-focused” future (a phrase that somehow demands both regular quotation marks and ironic scare quotes), a missive that was perhaps best described by the Guardian’s Emily Bell as “the nightmarish college application essay of an accomplished sociopath”.
The so-called pivot to privacy is in many ways the logical conclusion to the earth-shaking (and market-moving) response to the Cambridge Analytica story, which plunged Facebook into the greatest crisis in its then 14-year history. After nearly a year of its critics demanding that it respect users’ privacy, here was Facebook saying: “Fine, privacy you shall have.” (More on whether what’s being offered is actually privacy later.)
But it’s worth thinking back to those five days of silence, when the contours of the scandal took shape and revealed themselves with an uncanny distinction: when it came to Facebook, the Cambridge Analytica story did not uncover anything new. The basic facts had already been reported, in the same publication, 16 months previously: Facebook had allowed someone to extract vast amounts of private information about vast numbers of people from its system, and that entity had passed the data along to someone else, who had used it for political ends.
What changed was how we saw those facts. It was as if we had all gone away on a long voyage, returned home to an uneasy sense that something was different, and were not immediately able to grasp that it was ourselves who had changed and not the rooms and furnishings that surrounded us.
Facebook’s PR machine spent much of the first 24 hours after the story broke engaged in a pedantic and self-defeating argument over whether or not what had occurred constituted a “data breach”. By information security standards, Facebook was correct that what occurred was not a “data breach” – as representatives wrote, “no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked”.
But a year later, and in the aftermath of an actual, vast data breach in October, it is apparent that a data breach would have been easier for Facebook’s reputation to weather. Almost every company has suffered a big data breach at this point; only Facebook has endured such an existential reckoning. That’s because what happened with Cambridge Analytica was not a matter of Facebook’s systems being infiltrated, but of Facebook’s systems working as designed: data was amassed, data was extracted, and data was exploited.
At the end of 2018, Zuck debuted a new talking point, asserting that in the aftermath of the 2016 presidential election and the Cambridge Analytica scandal, Facebook had “fundamentally altered [its] DNA”.
Whether Zuckerberg actually believes that is an open question, but it’s clear that few outside Facebook do. “While it appears that Facebook is suddenly ‘woke’ to privacy issues, it’s safe to assume it’s business as usual there,” said Ashkan Soltani, a former chief technologist for the Federal Trade Commission.
“They keep actually putting growth and profits above designing a platform that’s predicated on the needs of its users,” said Lindsey Barrett, a teaching fellow and staff attorney at Georgetown’s Communications and Technology Clinic. As a particularly blatant example of this mindset, Barrett cited Facebook’s insistence on using phone numbers that users provided for security reasons for non-security purposes.
Zuckerberg did make a number of specific promises after the Cambridge Analytica story broke. I asked the company for an update on a number of these, and can only offer the Harvard dropout an “incomplete”.
On 19 March 2018, Facebook said it was pursuing a forensic audit of Cambridge Analytica and other parties involved in the data misuse, but it stood down after the UK’s Information Commissioner’s Office (ICO) began its own investigation. A Facebook spokeswoman said on 13 March that the company was still waiting for approval from the ICO to perform any such audit.
On 21 March 2018, Zuckerberg promised that Facebook would investigate “all apps that had access to large amounts of information” through the platform before 2014, audit any app with suspicious activity and ban any developer who misused personally identifiable information. Facebook provided regular updates on this investigation until 22 August 2018, when the company revealed in a blogpost that it had investigated thousands of third-party apps and suspended “more than 400”. Seven months later, a spokeswoman said that the investigation was continuing, but provided the same numbers: thousands investigated, more than 400 banned.
On 1 May, Facebook made its most ambitious promise – the creation of a “clear history” tool that would allow users to force Facebook to delete all the information it gathers about users as they browse the web. At the time, Facebook said the tool would “take a few months to build”. As BuzzFeed News pointed out in February, it’s been more than a few months. A Facebook spokeswoman did not provide a timeline for when the tool might actually be available, saying that it was taking time to get the tool right.
The other major promise – the big one – is the pivot to “privacy” announced this month. The actual details of this plan are much more mundane, and involve much less actual privacy, than Zuckerberg’s manifesto would like us to believe. The CEO is planning to integrate all three of his company’s messaging platforms – WhatsApp, Instagram and Messenger – into one, which will have end-to-end encryption.
The overwhelming consensus from privacy experts is that this plan has little to do with protecting privacy and everything to do with protecting market share. “They are incredibly adept at strategically using privacy as a justification for an anticompetitive strategy – and the shift to encrypted-messaging or ‘delete history’ makes sense when you consider the impending regulatory pressures around interoperability and data-portability,” said Soltani.
The most obvious of those impending pressures is the increasingly popular idea of taking anti-trust action against Facebook, an idea that has gone from the fringes of the thinktank world to the center of a major 2020 Democratic presidential candidate’s agenda with dramatic speed.
“Once the integration of those three messaging platforms happens, it will be almost technically impossible to break Facebook up,” said Jonathan Albright, director of the Digital Forensics Initiative at the Tow Center for Digital Journalism. “It won’t happen. You can’t do it. And that’s exactly why they’re moving so quickly to do it.”
That “Break Up Big Tech” would be a 2020 campaign slogan was unimaginable just two years ago. Zuckerberg, lest we forget, spent much of 2017 cosplaying a politician on his very own whistlestop tour around the country.
And yet, here we are. The Cambridge Analytica revelations may not have changed Facebook, but they did change us. Our eyes are now open. The question is what we will do.