For the exclusive use of T. Choy, 2023. UV8106 Rev. Feb. 9, 2021 Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy We don’t exactly have the strongest reputation on privacy right now, to put it lightly. —Mark Zuckerberg, May 3, 20191 When it was widely reported that during the 2016 US presidential election, more Facebook users got their news from social media than anywhere else, alarms around unverified news and disinformation rang. Fake news became more widely read than real news items. The commotion got even louder as elected officials and regulators started to investigate the public’s growing apprehension around the internet. Accusations of Facebook spreading disinformation, allowing foreign influences in US elections, and even promoting genocide grew. Facebook’s contact-importing practices, called “friend permissions,” became a lightning rod for privacy advocates. Yet throughout the turmoil, advertisers continued to favor Facebook over other social media platforms. For Facebook’s founder, Marc Zuckerberg, there was a certain amount of incredulity around the sustained attacks and new restrictions regulators proposed for tech firms and privacy. The pivotal point seemed to arrive with a third-party data broker called Cambridge Analytica, which purchased data gleaned from Facebook users and used it to inform political operatives. How could something that had started as a survey end with Facebook under fire in such a public way? The company was at a time of reflection, Zuckerberg had said, midway through 10 hours of testimony on Capitol Hill. He noted that the first decade of company strategy had focused on creating tools that brought folks together and empowered them to do good things.2 By the spring of 2019, Zuckerberg had admitted to an urgency to launch a new business phase that would go beyond building tools and include examining the firm’s responsibility to “make sure that they’re used for good.”3 With the Federal Trade Commission (FTC) ruling that Zuckerberg must make quarterly reports to Facebook’s board (and its newly formed privacy committee) about actions his business took regarding privacy and personal data, did the tech giant have any choice? 1 Julia Carrie Wong, “Facebook’s Zuckerberg Announces Privacy Overhaul: ‘We Don’t Have the Strongest Reputation,’” Guardian, April 30, 2019, https://www.theguardian.com/technology/2019/apr/30/facebook-f8-conference-privacy-mark-zuckerberg (accessed Mar. 10, 2020). 2 “Transcript of Mark Zuckerberg’s Senate Hearing,” Washington Post, April 10, 2018, https://www.washingtonpost.com/news/theswitch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/ (accessed Sept. 15, 2019). 3 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/. This public-sourced case was prepared by Tami Kim, Assistant Professor of Business Administration; and Gerry Yemen, Senior Researcher. It was written as a basis for class discussion rather than to illustrate effective or ineffective handling of an administrative situation. Copyright 2020 by the University of Virginia Darden School Foundation, Charlottesville, VA. All rights reserved. To order copies, send an email to sales@dardenbusinesspublishing.com. No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the permission of the Darden School Foundation. Our goal is to publish materials of the highest quality, so please submit any errata to editorial@dardenbusinesspublishing.com. This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 2 UV8106 Data Collection: Risk and Opportunity As the world’s largest internet peer-to-peer platform with more than 2.4 billion users,4 Facebook was built upon a simple premise—people wanted to share things with their friends and family (see Exhibit 1). And share they did, in over 100 different languages worldwide. Through online profiles, users posted images and videos, shared information and news, played games with one another, and discovered new products and services. Part of the experience was facilitated by developers of third-party apps, which were allowed to integrate with Facebook. Through all these touch points, Facebook collected and stored 96 data categories, which generated 192 billion data points from users around the world.5 (See Exhibit 2 for the type of data collected and the usage thereof.) Data centers in the United States and Europe stored the data Facebook collected. The data Facebook shared with partners6 through its analytics services was quite extensive. Indeed, some referred to its practice as leasing: “[Facebook] is most certainly the largest data broker in the history of the data industry.”7 Zuckerberg was quick to point out that Facebook sold ads (thereby earning money that was almost entirely revenue for Facebook8), not data. When data was reported to advertisers, Facebook user statistics were commonly aggregated. Personal identifiers like name and address were shared only if Facebook users gave the company permission.9 Advertisers were provided information around which ads led the user to buy something or take an action (or not) around a product or service they had viewed.10 If a Facebook user logged off its site or app, the firm continued to track his or her internet activity. “We do that for a number of reasons,” Zuckerberg said, “including security, and including measuring ads to make sure that the ad experiences are the most effective.”11 Users could opt out of this feature. While Zuckerberg acknowledged that users were often uncomfortable with companies’ gathering information about them, they seemed willing to do it as long the ads were of interest. “What we found is that even though some people don’t like ads,” Zuckerberg said, “people really don’t like ads that aren’t relevant.”12 Facebook earned income based on the number of user clicks, likes, and shares of customer ads. In addition to gathering users’ data to target advertising, Facebook shared it with data brokers who collected and sold consumers’ personal information. Data brokers claimed that the purpose for wanting data included marketing, verifying identities, and revealing fraud—all seemingly appropriate. But there were benefits and risks to consumers from this practice. For example, the use of personal data collected prevented someone from getting a bank loan using someone else’s identity was a good thing. But someone being denied a bank loan because of a mistaken identity was a bad thing. Both situations could happen using data-brokered information. Concerns around personal privacy and data collection surfaced, and Facebook users started to pay more attention to what was happening. While Facebook had been considered a favored platform in the first decade of the 2000s, its favor seemed to be declining in the second decade of the 2000s. Indeed, in 2014, the FTC settled an investigation of Facebook over privacy violations, which forced the company to strengthen efforts to guard users’ information (five years later, the FTC fined Facebook $5 billion for privacy violations). Facebook was not alone. The same year, the Facebook annual report, 2019. https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/. 6 Partners included advertisers, aggregators, product/service sellers and vendors, researchers and academics, and law enforcement. 7 “Written Testimony of John Battell—Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks,” US Senate Committee on Commerce, Science, & Transportation, June 17, 2018, https://nsarchive.gwu.edu/news/cyber-vault/2019-02-06/congressional-hearing-documents (accessed Sept. 13, 2019). 8 Facebook annual report, 2019. 9 “Data Policy,” Facebook, https://www.facebook.com/about/privacy/update/printable (accessed Oct. 1, 2019). 10 https://www.facebook.com/about/privacy/update/printable. 11 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/. 12 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/. 4 5 This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 3 UV8106 Snapchat mobile messaging application settled an FTC privacy case for keeping photo and video messages that were posted through third-party applications—even though Snapchat promised users that their messages disappeared once opened. Likewise, Google had to pay a $22.5 million fine for privacy violations. Search engines Google, Chrome, and Mozilla Firefox, as well as tech behemoth Amazon, came under scrutiny because their browser extensions (called add-ons or plug-ins) were harvesting data around browser history and page views.13 For instance, a marketing-intelligence service called Nacho Analytics provided personal information such as “usernames, passwords, and GPS coordinates” along with “names of patients, doctors, and even medications to clients using data from plug-ins.”14 The third-party browser-extension companies running the apps defended the practice as their terms of services stated they may collect personal data. At least Amazon paid users $10 for using the extensions and allowing collection of user data. The tech industry was not the only sector under attack for its practices around consumers’ personal data. Target, the large retailer with an often-envied reputation of being a “cooler” company than other discount retailers, tarnished its standing among many consumers with privacy violations. It came to light that every Target customer was given a guest ID number linked to their credit card, name, and email address. Within that number was everything that person purchased as well as any demographic data that could be gleaned. As consumer profiles grew, shopping behaviors could be predicted. For example, the firm’s digital team ran test data searching for patterns and discovered a connection between its baby registry and the purchase of unscented baby lotion. They also noted that supplements were frequently purchased early on in pregnancy, and that large bags of cotton balls and scent-free soap were common during late stages of pregnancy. Target’s data team ran data around categories of shoppers and items that fit and came up with a “pregnancy prediction” score that was eerily accurate.15 With that knowledge, Target started to send baby-item coupons to customers as their due date approached. This practice earned screeching headlines when a father read a coupon mailer for baby items addressed to his high-school-aged daughter.16 Target’s reputation went from “cool” to “snoop” as its customers objected to the practice. Consumers organized on Facebook and Twitter calling for boycotts (using the hashtags #boycotttarget, #boycotttargetcouponing, and #pregnant). Although Target continued to use predictive data, it changed the coupon practice by creating a coupon booklet to make baby items appear arbitrary. Within a short period of time, consumers relaxed, used Target coupons, and decided they were not being spied on by the company.17 Savvier consumers understood how their personal data was used and shared, and some were okay with the lack of transparency in which it occurred. Other consumers had no knowledge that their personal information was being collected. Some wanted their personal data used only with their consent, and others wanted to be compensated. There were even calls for personal data to be protected as a human right.18 For those who were deeply concerned about privacy but still wanted a social media account, there was MeWe, which had its “privacy bill of rights” on its homepage and marketed itself as the social media firm that “doesn’t own your personal information and content.”19 In contrast to Facebook’s 4,000-plus words and 72 links on its data policy, MeWe’s privacy policy contained 1,000-plus words and a single link to archived policies on its homepage. 13 Geoffrey A. Fowler, “Your Data’s For Sale. I Found It.,” Washington Post, July 19, 2019, https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/?utm_term=.7ff63ac62014 (accessed Jul. 19, 2019). 14 https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/?utm_term=.7ff63ac62014. 15 Kashmir Hill, “How Target Figured out a Teen Girl Was Pregnant before Her Father Did,” Forbes, February 16, 2012, https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#5e5f64f76668 (accessed May 13, 2019). 16 See Gus Lubin, “The Incredible Story of How Target Exposed a Teen Girl’s Pregnancy,” Business Insider, February 16, 2012, https://www.businessinsider.com/the-incredible-story-of-how-target-exposed-a-teen-girls-pregnancy-2012-2 (accessed Oct. 1, 2019); or https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/ for more. 17 https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#5e5f64f76668. 18 “The World’s Most Valuable Resource Is No Longer Oil, but Data,” Economist, May 6, 2017. 19 MeWe, “MeWe’s Privacy Bill of Rights—Check It Out,” https://mewe.com/#bill (accessed Jul. 18, 2019). This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 4 UV8106 Overall, in a Pew Research Center survey, 88% of respondents believed they had little to no control over their purchase histories, 85% said they had little to no control over their internet history or social media activity.20 The majority felt they had little to no control over their location data (82%). And they certainly weren’t confident that companies would take responsibility when their data had been misused or compromised.21 Cambridge Analytica Although Facebook users often agreed to share their own data, many were caught off guard by learning that they had inadvertently shared their contact-list information with the company. This all came to head in 2015 in a privacy breach with a political consulting company called Cambridge Analytica. A social psychologist and researcher at Cambridge University, Aleksandr Kogan, designed a survey app called This Is Your Digital Life. The app involved personality questions and invited users to participate through Facebook. The survey app could be logged into using Facebook, which in turn authorized Kogan to access Facebook users’ data (“names, birthdays, gender, location, affinities, and page likes”22). In addition, Kogan was given permission from Facebook survey participants to use their friends’ data if they used “friend permissions” on their Facebook settings.23 The survey app’s terms of service stated that respondents’ data could be sold or transferred (this was not allowed by Facebook, but in this case, it wasn’t prevented). Kogan used participants’ responses to build personality profiles that could be used to predict behavior. Roughly 300,000 Facebook users downloaded the app and took the survey, but because of their privacy settings, “Kogan was able to access some information about tens of millions of their friends.”24 Kogan’s research moved away from academic research when, for $800,000, he sold the data—which essentially had been mined from 87 million of Facebook’s users without their knowledge—to Cambridge Analytica, a Facebook advertising client.25 The data enabled Cambridge Analytica to identify “undecided” voters, and it then sold this data to political operatives in the United States—to Ted Cruz’s presidential nomination campaign and to the Donald Trump campaign—as well as to pro-Brexit operatives in the United Kingdom to help hone political messaging.26 According to Facebook, the violation of the company’s Platform Policy occurred when Kogan sold the data.27 Once this information was made public in 2015 in the Guardian, Facebook contacted Kogan and Cambridge Analytica. Both verified that the report was accurate and were told to delete the data.28 Facebook also revoked Kogan’s Facebook account. Facebook did not contact users who had been impacted by the breach. Writing on January 18, 2016, Cambridge Analytica confirmed that it had deleted Kogan’s data and all backups thereof.29 20 Farhad Manjoo, “We Hate Data Collection. That Doesn’t Mean We Can Stop It,” New York Times, November 15, 2019, https://www.nytimes.com/2019/11/15/opinion/privacy-facebook-pew-survey.html (accessed Jun. 23, 2020). 21 https://www.nytimes.com/2019/11/15/opinion/privacy-facebook-pew-survey.html. 22 United States District Court Northern District of California, Security and Exchange Commission vs. Facebook, Inc., Case 3:19-cv-04241, July 27, 2019, https://www.sec.gov/litigation/complaints/2019/comp-pr2019-140.pdf (accessed Jun. 23, 2020). 23 Lesley Stahl, “Aleksandr Kogan: The Link between Cambridge Analytica and Facebook,” 60 Minutes, September 2, 2018, https://www.cbsnews.com/news/aleksandr-kogan-the-link-between-cambridge-analytica-and-facebook-60-minutes/ (accessed Jun. 23, 2020). 24 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/. 25 Hannah Kuchler, “How Facebook Grew Too Big to Handle,” Financial Times, March 28, 2019, https://www.ft.com/content/be723754-501c-11e99c76-bf4a0ce37d49 (accessed Jul. 18, 2019). 26 Carole Cadwalladr and Emma Graham-Harrison, “Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach,” Guardian, March 17, 2018, https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election (accessed Sept. 12, 2019). 27 https://www.sec.gov/litigation/complaints/2019/comp-pr2019-140.pdf. 28 https://www.sec.gov/litigation/complaints/2019/comp-pr2019-140.pdf. 29 “House Energy and Commerce Questions for the Record,” US House of Representatives Energy and Commerce Committee, June 29, 2019, https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411.pdf (accessed Mar. 30, 2020). This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 5 UV8106 On June 11, 2016, Kogan provided certified verification that he (and all other researchers and entities with whom he’d shared the data) had deleted the data and backups of it.30 At first, Facebook said little to nothing about anything that had happened around data and Cambridge Analytica. Facebook did, however, announce that it was removing Cambridge Analytica’s Facebook page on March 16, 2018—one day before the New York Times and the Guardian broke a more complete story from a former Cambridge Analytica employee. Just shy of a month later, Facebook posted a notice about the breach, as shown in Figure 1, notifying users directly for the first time. (See Exhibit 3 for changes Facebook made as a result). Facebook maintained that the data had been illegally taken. Kogan said: The idea that we stole the data, I think, is technically incorrect. I mean they created these great tools for developers to collect the data. And they made it very easy. I mean, this was not a hack. This was, “Here’s the door. It’s open. We’re giving away the groceries. Please collect them.”31 As Facebook replied in writing to the Energy and Commerce Committee of the US House of Representatives on June 29, 2018: Because all of these concerns relate to activity that took place off of Facebook and its systems, we have no way to confirm whether Cambridge Analytica may have Facebook data without conducting a forensic audit of its systems. Cambridge Analytica has agreed to submit to a forensic audit, but we have not commenced that yet due to a request from the UK Information Commissioner’s Office, which is simultaneously investigating Cambridge Analytica (which is based in the UK). And even with an audit, it may not be possible to determine conclusively what data was shared with Cambridge Analytica or whether it retained data after the date it certified that data had been deleted.32 Figure 1. Facebook users’ notification at the top of their news feed on April 10, 2018.33 “Protecting Your Information “We understand the importance of keeping your data safe. We have banned the app “This Is Your Digital Life,” which one of your friends used Facebook to log into. We did this because the app may have misused some of your Facebook information by sharing it with a company called Cambridge Analytica. In most cases, the information was limited to public profiles, Page likes, birthday, and current city. “You can learn more about what happened and how you can remove apps and websites anytime if you no longer want them to have access to your Facebook information. “There is more work to do, but we are committed to confronting abuse and to putting you in control of your privacy.” Data source: Olivia Harvey, “Did Facebook Warn You That a Friend Used the “This Is Your Digital Life” App? Here’s What That Means.” Hellogiggles, April 13, 2018, https://hellogiggles.com/news/facebook-this-is-your-digital-life-app/ (accessed July 2, 2020). Regardless of how the data breach occurred, the notion that Facebook had failed to keep user data secure grew to the extent that WhatsApp cofounder Brian Acton spearheaded a movement to delete Facebook accounts. What had been done with breached Facebook users’ data angered the users themselves, legislators, https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411.pdf. https://www.cbsnews.com/news/aleksandr-kogan-the-link-between-cambridge-analytica-and-facebook-60-minutes/. 32 https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411.pdf. 33 Olivia Harvey, “Did Facebook Warn You That a Friend Used the “This Is Your Digital Life” App? Here’s What That Means.” Hellogiggles, April 13, 2018, https://hellogiggles.com/news/facebook-this-is-your-digital-life-app/ (accessed July 2, 2020). 30 31 This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 6 UV8106 and the general public, so that mishandling of privacy and trust became a prime example of all that was wrong in the tech field. The judgment and anger may have been high among many, but there were some strong supporters of Zuckerberg and the company. The cofounder of PayPal, Peter Thiel, counseled Zuckerberg and opposed suggestions that Facebook conduct an outside investigation of the Cambridge Analytica breach.34 Legislators summoned Zuckerberg to Congress to testify before the House of Representatives’ Committee on Energy and Commerce on April 11, 2018, on the issue of transparency and use of consumer data—and the previous day, he had testified before the Senate Committee on the Judiciary and the Senate Committee on Commerce, Science, and Transportation (see Appendix 1 for excerpts from these hearings). Both public hearings included some Congressional members who supported Facebook. Indeed, after reporting on the scandal and hearings, one USA Today journalist asked, “Can we go back to loving Facebook again, now?”35 Consumer Data Rights and Privacy Concerns As Facebook, Google, and other tech giants made headlines due to privacy concerns, it was clear that consumer and regulator concerns about the use and protection of their data had been simmering for some time. Data breaches of sites such as Ashley Madison (an extramarital-affair platform) and Equifax (a credit-reporting agency) affected 32 million and 147 million consumers, respectively, and left tech firms with an urgent need to take huge measures to preempt other breaches and to devise contingency plans in case such breaches did occur. Some companies worried about consumer protection from certain types of exploitative advertisers (e.g., moneylenders that charged extremely high interest rates or that threatened violence against people who were late on payments targeting low-income consumers). Even when tech companies had strong privacy policies and enforced them, some argued that it wasn’t enough protection because those policies were often difficult to decipher and understand. Similarly, privacy-control settings were often elusive and far from user friendly, making it less likely that consumers would actually take appropriate steps to ensure their data was used in the ways they desired. Some leaders in business and government subscribed to the notion that consumers were naïve, and thus it was up to regulators and companies to take proactive actions to protect them. At the same time, industry experts raised the impracticality of too many protection measures—for instance, even if a company were to ask its consumers to give consent to every party it shared their personal data with, the complex ecosystem would make it impractical, not to mention costly. “It might surprise some to know that many major corporations also don’t actually sell their consumer data,” one marketing scholar said, “because it is valuable.”36 While consumers did already have the ability to opt out of sharing some of their data by purchasing apps that didn’t practice data collection, most didn’t buy said apps. “It’s really bizarre that we are unwilling to pay 50 cents for an app in the app store but we are totally okay with paying $5 or $6 for a cup of coffee,” another scholar noted. “Because of this psychology, it’s really hard to ask people to pay for electronic things they expect to be free.”37 34 Eric Lutz, “Guess Who’s Behind Facebook’s Political Ad Policy,” Vanity Fair, December 19, 2019, https://www.vanityfair.com/news/2019/12/peter-thiel-behind-facebooks-political-ad-policy (accessed Jun. 23, 2020). 35 Jefferson Graham, “Facebook’s Zuckerberg Got Grilled, but Nothing’s Really Changed,” USA Today, April 14, 2018, https://www.usatoday.com/story/tech/talkingtech/2018/04/14/facebooks-zuckerberg-got-grilled-but-nothings-really-changed/516312002/ (accessed Jun. 23, 2020). 36 “Your Data Is Shared and Sold…What’s Being Done about It?,” Knowledge@Wharton, October 28, 2019, https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/ (accessed Jun. 23, 2020). 37 https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/. This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 7 UV8106 Facebook: The Crackdown? Certainly, Facebook was under tremendous pressure from the general public and regulators. Consumer trust had been broken. As people became increasingly concerned about their own privacy, so too did regulators. The top regulator on privacy and data security in the United States was the FTC, which frequently launched investigations, issued reports, and recommended legislation around the internet and its lack of transparency with regards to personal data gathered. Although the FTC had the ability to fine businesses, payment was often made without admissions of wrongdoing (e.g., in the cases of Google and Equifax). Indeed, the regulator’s authority was limited to the laws around privacy protection, of which few existed when it came to the internet. Despite that, since 2018, Facebook had made progress on providing users more transparency around how the organization operated, how policies were enforced, and how shared data was collected. Yet challenges persisted over how to deal with misinformation on Facebook’s platform and what to do with efforts to regain public trust. Facebook needed access to user data in order to ensure its advertising revenue source remained profitable (see Exhibit 4) and to ensure its platform remained attractive for its more than 7 million advertisers.38 Zuckerberg had this to say: But it’s clear now that we didn’t do enough to prevent these [Facebook] tools from being used for harm as well. That goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy. We didn’t take a broad enough view of our responsibility, and that was a big mistake. It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.39 Facebook had an important existential decision to make. Had it crossed the line with users over data collection? Or would things smooth out, as it had for Target and its relationship with shoppers? And what exactly was part of Facebook’s responsibility and what wasn’t? 38 Kerry Flynn, “Cheatsheet: Facebook Now Has 7 Million Advertisers,” Digiday, January 30, 2019, https://digiday.com/marketing/facebookearnings-q4-2018/#:~:text=Facebook%20has%207%20million%20advertisers,operating%20officer%20Sheryl%20Sandberg%20revealed (accessed Jun. 18, 2020). 39 House of Representatives Committee on Energy and Commerce Hearing, April 11, 2018. This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 8 UV8106 Exhibit 1 Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy Snapchat Survey: Why People Use Each App, 2018 Application How People Use It Facebook Talk to friends and family Share pictures Conduct private conversations Learn about events Instagram Share pictures Talk to friends Follow influencers and celebrities Share my day Share videos Snapchat Talk to friends Share pictures Play with lenses and filters Share videos Share my day Twitter Keep up on current events and news Follow discussions, influencers, celebrities Learn about interests and topics of interest Share views on topics YouTube Learn about interests and topics of interest Learn about new products Share videos Follow pop culture news Find products to buy Data source: “[US] Apposphere: How the Apps You Use Impact Your Daily Life and Emotions,” Snapchat Business, January 8, 2019, https://forbusiness.snapchat.com/blog/apposphere-how-the-apps-you-use-impact-your-daily-life-and-emotions (accessed Oct. 1, 2019). This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 9 UV8106 Exhibit 2 Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy Data Facebook Collected From users and Facebook friends All content and communications posted on Facebook products Metadata (i.e., photo/file location, date taken or created) All Facebook camera material Networks and connections (contact information from synced devices) How Facebook products were used All content viewed on Facebook Transaction made using Facebook (credit/debit card numbers, billing, shipping, contact information) Information/content that other Facebook users provided about you From devices Information about all devices integrated with Facebook (attributes, operations, and behaviors such as mouse movement, identifiers, signals, settings, networks and connections, cookie data) From partners and Facebook business tools Activities used offline (i.e., when logged out of Facebook) including APIs and SDKs, websites visited, purchases, ads, games played, and store purchases API = application programming interface; SDK = software development kit. Data source: All policies in this part of the exhibit are taken directly from “Data Policy,” Facebook, https://www.facebook.com/policy.php (accessed Oct. 1, 2019). This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 10 UV8106 Exhibit 2 (continued) How Facebook Used Collected Data Improve products Make suggestions on content/features that may interest user Personalize products for user (i.e., location-related information) Learn how Facebook products were used Tailor Facebook products offered to user Autofill information from one product to another and one device to another Develop and test better products Face recognition1 Customize ads and sponsored content Research and innovate for social good Provide measurement analytics to Facebook partners Measure ad effectiveness and distribute partner ads Improve communication about products/services Understand how products were used and what type of people were using them Promote safety and security Investigate suspicious activity Prevent spam Maintain product integrity Data source: “Data Policy,” Facebook, https://www.facebook.com/policy.php (accessed Oct. 1, 2019). 1 If turned on. This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 11 UV8106 Exhibit 2 (continued) How Facebook Used Collected Data Your activity with other businesses When you share information like your phone number or email address with a business, they might add it to a customer list that can be matched to your Facebook profile. We can then try to match the ad to the most relevant audience. You may have shared your information with these businesses by: “Signing up for an email newsletter “Making purchases at retail stores “Signing up for a coupon or discount” Your activity across Facebook companies and products Ads are shown to you based on your activity across Facebook companies and products—such as: Pages you and your friends like Information from your Facebook and Instagram profile Places you check in using Facebook Your activity on other Websites you visit or apps you use can send Facebook websites and apps data directly by using our business tools (such as a pixel) to help us show you ads based on products or services you've looked at, such as a shirt on a clothing retailer's website. Examples of this include: Viewing one of their web pages Downloading their mobile app Adding a product to a shopping cart or making a purchase This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 12 UV8106 Exhibit 2 (continued) How Facebook Used Collected Data Your location We use location data to show you ads from advertisers trying to reach people in or near a specific place. We get this information from sources such as: Where you connect to the internet Where you use your phone Your location from your Facebook and Instagram profile Data source: All policies in this part of the exhibit are taken directly from “Understand What Data Is Used to Show You Ads,” Facebook, https://www.facebook.com/ads/about/?entry_product=ad_preferences (accessed Jul. 7, 2020). This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 13 UV8106 Exhibit 2 (continued) Personal Data Facebook Collected Age Age of car Email service used Field of study Generation Industry Interests Language Office type Property size School Square footage of home Year home was built Ethnic affinity Income and net worth Year car was bought Education level Employer Gender Home ownership and type Home value Household composition Internet browser Job title Location Operating system Parents Relationship status Style and brand of car a user drives Expectant parents Conservatives and liberals Expats (divided by country of origin) Mothers, divided by type (e.g., soccer, trendy) How many employees a user’s company has Where user is likely to buy their next car How much money user is likely to spend on their next car Number of credit lines a user has open Kinds of stores user shops at Types of restaurants user eats at Types of vacations user tends to go on Length of time user has lived in their house Early/late adopters of technology Users in new relationships Users who have new jobs Users who are newly engaged Users who are newly married Users who have recently moved Users who have birthdays soon Users likely to engage in politics Users who are likely to move soon Users who are away from family or their hometown Users who have an anniversary within 30 days Users who have donated to charity (divided by type) Users who play canvas games Users who own a gaming console Users who plan to buy a car, including kind/brand and how soon Users who bought auto parts or accessories recently Users who are likely to need auto parts or services Users who work in management or are executives Users who have used Facebook Payments Users who own motorcycles Users who own small businesses Users who spend money on household products Users whose household makes more purchases than the average Users who tend to shop online or offline Users in long-distance relationships Users who travel frequently, for work or pleasure Users who recently used a travel app Users who have created a Facebook event Users who administer a Facebook page Users who have spent more than average via Facebook Payments Users who have recently uploaded photos to Facebook Users who belong to a credit union, national bank, or regional bank Users who are interested in the Olympics, American football, cricket, or Ramadan Users who recently returned from a trip Users who participate in a timeshare Users who invest (divided by investment type) Users who commute to work Users receptive to online auto insurance, higher education, mortgages, prepaid debit cards, or satellite TV Users who buy allergy meds, cough/cold meds, pain-relief products, over-the-counter meds Users who are friends with someone who has an anniversary, is newly married/engaged, who recently moved, or who has an upcoming birthday Users who spend money on products for kids or pets, and what kinds of pets they have Source: Caitlin Dewey, “98 Personal Data Points That Facebook Uses to Target Ads to You,” Washington Post, August 19, 2016, https://www.washingtonpost.com/news/the-intersect/wp/2016/08/19/98personal-data-points-that-facebook-uses-to-target-ads-to-you/ (accessed Jun. 23, 2020). This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 14 UV8106 Exhibit 3 Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy Facebook Policy Changes after Cambridge Analytica Apps Limit information apps could access from Facebook Must have approval from Facebook for access to anything from users beyond their public profile, email address, and friends list Make it easier for users to understand what data they allow apps access to Make it easier to remove permissions from any apps users had previously given access to their data Platform Removed developers’ access to users who hadn’t used the app in three months User approval for apps is limited to name, profile photo, email address Apps must sign a contract with Facebook to ask users for access to data beyond name, profile photo, email address Restrict APIs like groups and events from users sharing other people’s information Shut down Facebook feature that allowed users to look up phone numbers and email addresses Investigating Investigate all apps that had access to vast amounts of data Conduct forensic audit of apps suspected of misusing data Data source: “Transcript of Mark Zuckerberg’s Senate Hearing,” Washington Post, April 10, 2018, https://www.washingtonpost.com/news/theswitch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/ (accessed Sept. 15, 2019). This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 15 UV8106 Exhibit 4 Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy Net Digital Ad Revenue February, 20191 40% 35% 30% 25% 20% 15% 10% 5% 0% Amazon Facebook Google Microsoft Verizon Data source: James Grimaldi and Brent Kendall, “The Government v. The Tech Giants,” Wall Street Journal, September 10, 2019. Facebook Stock Price $250 $200 $150 $100 $50 $‐ Data source: “Facebook, Inc. (FB), Time Period: May 18, 2012–Sept. 15, 2019,” Yahoo! Finance, https://finance.yahoo.com/quote/FB/history?period1=1337313600&period2=1568520000&interval=1m o&filter=history&frequency=1mo (accessed Oct. 1, 2019). 1 Google data included YouTube, and Facebook data included Instagram. This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023. For the exclusive use of T. Choy, 2023. Page 16 UV8106 Appendix 1 Facebook, Cambridge Analytica, and the (Uncertain) Future of Online Privacy Zuckerberg Testimony at the Senate Committee on the Judiciary and the Senate Committee on Commerce, Science, and Transportation Honorable Greg Walden (chair): The incident involving Cambridge Analytica and the compromised personal information of approximately 87 million American users—or mostly American users—is deeply disturbing to this committee. The American people are concerned about how Facebook protects and profits from its users’ data. In short, does Facebook keep its end of the agreement with its users? How should we as policymakers evaluate and respond to these events? Does Congress need to clarify whether or not consumers own or have any real power over their online data? Have edge providers grown to the point that they need federal supervision?1 Mark Zuckerberg: My top priority has always been our social mission of connecting people, building community, and bringing the world closer together. Advertisers and developers will never take priority over that, as long as I am running Facebook.2 Zuckerberg: When we learned in 2015 that Cambridge Analytica had bought data from an app developer on Facebook that people had shared it with, we did take action. We took down the app, and we demanded that both the app developer and Cambridge Analytica delete and stop using any data that they had. They told us that they did this. In retrospect, it was clearly a mistake to believe them... Senator Bill Nelson: Yes. Zuckerberg: …and we should have followed up and done a full audit then. And that is not a mistake that we will make. Nelson: Yes, you did that, and you apologized for it. But you didn’t notify them. And do you think that you have an ethical obligation to notify 87 million Facebook users? Zuckerberg: Senator, when we heard back from Cambridge Analytica that they had told us that they weren’t using the data and had deleted it, we considered it a closed case. In retrospect, that was clearly a mistake. We shouldn’t have taken their word for it, and we’ve updated our policies and how we’re going to operate the company to make sure that we don’t make that mistake again. Nelson: Did anybody notify the FTC? Zuckerberg: No, senator, for the same reason—that we’d considered it a closed—a closed case.3 House of Representatives Committee on Energy and Commerce Hearing, April 11, 2018. “Transcript of Mark Zuckerberg’s Senate Hearing, Washington Post, April 10, 2018, https://www.washingtonpost.com/news/theswitch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/ (accessed Sept. 15, 2019). 3 https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/. 1 2 This document is authorized for use only by Tsz Kin Choy in CB 3043 taught by Lei Su, City University of Hong Kong from Jan 2023 to Jun 2023.