Facebook - The Social Network and Privacy


by Stefan Friedli
on April 12, 2018
time to read: 6 minutes

Keypoints

  • In his appearance before Congress, Facebook founder and CEO Mark Zuckerberg failed to bring clarity
  • Social networks cannot delegate responsibility for their use and abuse to their users
  • If social networks are considered infrastructure and media channels, regulation and oversight by legislators is required

Last Tuesday, on the 10th of April 2018 shortly after 2:30pm, it happened: Facebook’s founder and CEO, Mark Zuckerberg, appeared before Congress to respond to questions regarding the latest controversy surrounding the potential abuse of data belonging to millions of users. The appearance attracted worldwide media attention, was widely anticipated, and illustrated once more that data, as a commodity, is now more important and more valuable than ever before.

Privacy is a human right. How much a person reveals about himself should be a decision left to the individual. The right to privacy is an essential requirement for a free, democratic society. Having a right does not necessarily mean exercising it consistently, though. At least in part, everyone decides individually what to present to the public or to an authority, and what not. Social networks like Facebook intensify the need for this personal triage by encouraging users to actively participate and share content with their contacts within the platform.

Facebook’s business model is based on analysing the data users put on the network, curating it and generating value from it. Zuckerberg’s recent statement that no data is sold directly may be correct, but it is a half-truth at best: even if the raw data is not for sale, its interpretation is certainly the basis for Facebook’s popular and prosperous advertising business. In a certain way, this derived information may be even more critical, since actively shared information is mixed and correlated with hypothetical data, automated observations sourced from web tracking, and information inferred from so-called “similar users” who share some interests.

It is not rare for clever statements like “If you’re not paying for it, you’re the product!” to be quoted in current discussions of the topic, especially in the comment sections of various tabloids these days. The premise: it was to be fully expected that Facebook collects data in order to curate and ultimately abuse it, and nobody is forced to hand over their data. Hence the user is actually to blame if abuse does happen. By this particular brand of reasoning, a guest would be responsible for catching food poisoning at a restaurant with bad hygiene, not the proprietor who acts negligently.

Facebook needs to take responsibility. Not just in its handling of data in general, but also in terms of who can use the platform to influence its users, and to what degree. The scandal revolving around the abuse by Cambridge Analytica is rooted not primarily in the siphoning of personal data, but rather in its use to strongly influence a democratic process, the presidential election of 2016, by third parties that are most likely to be found outside of the United States. Zuckerberg recently said the following:

My goal here is to create a governance structure around the content and the community that reflects more what people in the community want than what short-term-oriented shareholders might want.

A community-centered account sounds democratic, but ignores the fact that Facebook, as the provider and active designer of the platform, offers an infrastructure and needs to take responsibility for the rules that apply there. In this statement, that responsibility is delegated to the users. And this does not work: a profit-oriented corporation needs to have a clear, accountable position. Is Facebook an internationally neutral platform, or does it yield to the laws of various governments, even where these are not congruent with Western, or more likely American, counterparts? This question remains unanswered after the hearing, even though some questions clearly targeted this topic and were mostly dodged by Zuckerberg.

But what does this mean for the individual user? The #DeleteFacebook movement, a kind of knee-jerk reaction to the revelation of the extent of the Cambridge Analytica abuse, is losing traction but is still present. What seems clear is that open APIs will gradually disappear over the next few weeks and months, and more and more rate limits will be imposed on third-party applications to restrict their ability to collect larger volumes of data.

Further, Facebook is trying to cozy up to its users by adjusting its algorithms to prioritise messages from friends and family and to lower the priority of more general content such as news posts or other articles. This change may have a subjectively positive effect for end users, but it leaves a lot of open questions regarding the future direction of content curation on Facebook’s timelines.

Should individuals keep using Facebook, or is #DeleteFacebook the way to go? As usual, there is no single answer. Instead, individual risks, personal values and preferences should be weighed, all while increasing pressure on legislators to establish clear boundaries and rules for the handling of our data, as is currently in progress with the GDPR and the overhaul of the Swiss Data Protection Act.

By the way: if you would like to know whether you were affected by the Cambridge Analytica data leak, Facebook provides a support page that will show you.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face in the infosec community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) and a board member of the Swiss DEFCON Groups chapters, he continues to push the community and the industry forward.

Links

General Data Protection Regulation GDPR is a Challenge?
