Facebook Wants You to Have Privacy, Just Not From Facebook

The company’s knowledge goes far beyond status updates. It tracks people across the internet on other companies’ websites and apps. It uses IP addresses to target ads to people who turned off location-based tracking on their phones. It’s been caught collecting call and text histories from users’ Android devices. It’s stored facial data from people who never agreed to biometric scans. It was just caught monitoring the phone activity of some kids as young as 13. On Feb. 7, Germany’s antitrust regulator was expected to announce the results of a three-year investigation into whether the company has illegally used its market power to coerce data sharing consent.

No wonder Facebook wants to have a different discussion about privacy. From his Senate testimony last year to a Wall Street Journal op-ed last month, Chief Executive Officer Mark Zuckerberg has stressed that Facebook isn’t selling user data. (In response to a request for comment for this story, Facebook referred questions about its business model to the op-ed.) In privacy terms, this is a largely semantic distinction. Facebook does sell clients your attention, tailoring ads to what your online behavior suggests you might like. The less data the company shares—due to privacy concerns or anything else—the more it can charge for exclusive access to its 2.7 billion global users.

A current plan involves merging the background messaging functions of the other apps it owns (Instagram, WhatsApp, and Facebook Messenger) so people can send chats among services. Facebook says it will encrypt the messages so that only senders and receivers can see them. What it doesn’t say is that making messaging possible across all the different accounts would make it easier for it to know who’s who—that a certain WhatsApp number and anonymous Instagram profile correspond to a real identity on Facebook. Confirming users’ identities across apps would strengthen Facebook’s ad business, especially by helping it target people who are starting to use Facebook less and Instagram more. This has the potential to yield perverse outcomes: Users will still see separately branded apps, but Facebook might start to recommend, for example, that parents follow their closeted teens’ secret anonymous Instagram accounts.

On a Jan. 30 earnings call with investors, Zuckerberg didn’t deny a commercial benefit to merging the apps’ back-end processes. He just said, “that isn’t a big focus here.”

Facebook regularly uses privacy and security as justifications for changes that benefit the company in other ways. Last year, Zuckerberg told Congress his team had to track nonusers around the internet for ambiguous security purposes and only later admitted that it also used that data to target those people with ads pitching Facebook. The company recently got rid of tools that allowed outside developers to automatically collect public information from its user base. That may stop bad actors, but it also stops researchers and journalists from studying the influence of propaganda across its network. In January, Facebook’s changes rendered inoperable a database of its political ads produced by investigative journalists at ProPublica. Now the only source of the information is Facebook’s own archive.

As the company updates and polices its own privacy rules, it runs afoul of others’. On Jan. 29, Facebook admitted to paying teens to monitor their phone activity. Parental consent amounted to a box checked on an online form. Through the teens’ phones, Facebook was able to see what all their friends said to them, without the other parties’ knowledge. Apple Inc. blocked that research app because it violated the phone maker’s policies. Facebook acknowledged that it ran afoul of Apple’s rules, but not that the app was doing anything sneaky. The company got consent from everyone, Chief Operating Officer Sheryl Sandberg said on Bloomberg Television, and “what matters is that people know how their information is being used.”

Except they can’t know. Facebook gave its research app participants instructions for how to give the company “root access” to their phones. What that means, and what wasn’t spelled out specifically in the instructions, is that Facebook could see all the data sent to and from the phones over Wi-Fi or cellular networks, says Will Strafach, CEO of Guardian Mobile Firewall, who reviewed the technical aspects of Facebook’s operation. The research app operated basically like an on switch for full surveillance processed through Facebook’s servers, according to Strafach. “If I wasn’t angry about it, I would respect how well they deployed this,” he says. “Nobody can say for sure what they’ve collected.”

The incident ignited a new line of questioning from U.S. lawmakers, who are starting to recognize that privacy-related scrutiny should extend to Facebook’s data collection, too. “Wiretapping teens is not research, and it should never be permissible,” says Connecticut Senator Richard Blumenthal, the highest-ranking Democrat on the chamber’s consumer protection subcommittee. Still, the creepy behavior didn’t clearly break any laws. Europe is a step ahead: Under the General Data Protection Regulation enacted last year, Facebook has to more clearly disclose what data it’s gathering and why when requesting that users click OK. Irish authorities already have seven investigations open on Facebook’s tactics. If the company is in violation, it could be fined a maximum of 4 percent of its global revenue.

Of course, it’s difficult to imagine any regulator conjuring a fine big enough to upend the data-hungry business model of a company that made $21.7 billion in profit last year. And as long as Facebook is unwilling to limit its collection practices, we’ll all have little choice in what we share.

©2019 Bloomberg L.P.