Germany’s justice minister has written to Facebook calling for the platform to implement an
internal “control and sanction mechanism” to ensure third-party developers and
other external providers are not able to misuse Facebook data — calling for it
to both monitor third party compliance with its platform policies and apply
“harsh penalties” for any violations.
The letter, which has been published in full in local media,
follows the privacy storm that has engulfed the company since mid March when
fresh revelations were published by the Observer of London and the New York
Times — detailing how Cambridge Analytica had obtained and used personal
information on up to 87 million Facebook users for political ad targeting
purposes.
Writing to Facebook’s founder and CEO Mark Zuckerberg,
justice minister Katarina Barley welcomes some recent changes the company has
made around user privacy, describing its decision to limit collaboration with
“data dealers” as “a good start”, for example.
However she says the company needs to do more — setting out
a series of what she describes as “core requirements” in the area of data and
consumer protection (bulleted below).
She also writes that the Cambridge Analytica scandal confirms long-standing criticisms
against Facebook made by data and consumer advocates in Germany and Europe,
adding that it suggests various lawsuits filed against the company’s data
practices have “good cause”.
“Unfortunately, Facebook has not responded to this criticism
in all the years or only insufficiently,” she continues (translated via Google
Translate). “Facebook has rather expanded its data collection and use. This is
at the expense of the privacy and self-determination of its users and third
parties.”
“What is needed is that Facebook lives up to its corporate
responsibility and makes a serious change,” she says at the end of the letter.
“In interviews and advertisements, you have stated that the new EU data
protection regulations are the standard worldwide for the social network.
Whether Facebook consistently implements this view, unfortunately, seems
questionable,” she continues, critically flagging Facebook’s decision to switch
the data controller status of ~1.5BN international users this month so they
will no longer be under the jurisdiction of EU law, before adding: “I will
therefore keep a close eye on the further measures taken by Facebook.“
Since revelations about Cambridge Analytica’s use of
Facebook data snowballed into a global privacy
scandal for the company this spring, the company has revealed a series
of changes which it claims are intended to bolster data protection on its
platform.
Although, in truth, many of the tweaks Facebook has
announced were likely in train already — as it has been working for months (if
not years) on its response to the EU’s incoming GDPR framework, which will
apply from May 25.
Yet, even so, many of these measures have been roundly
criticized by privacy experts, who argue they do not go far enough to comply
with GDPR and will trigger legal challenges once the framework is being
applied.
For example, a new consent flow, announced by Facebook last
month, has been accused of being intentionally manipulative — and of going
against the spirit of the new rules, at very least.
Barley picks up on these criticisms in her letter — calling
specifically for Facebook to deliver:
More transparency for users
Real control of users’ data processing by Facebook
Strict compliance with privacy by default and consent in the
entire ecosystem of Facebook
Objective, neutral, non-discriminatory and manipulation-free
algorithms
More freedom of choice for users through various settings
and uses
On consent, she emphasizes that under GDPR the company will
need to obtain consent for each data use — and cannot bundle up uses to try to
obtain a ‘lump-sum’ consent, as she puts it.
Yet this is pretty clearly exactly what Facebook is doing
when it asks Europeans to opt into its face recognition technology, for
example, by suggesting this could help protect users against strangers using
their photos; and be an aid to visually impaired users on its platform; yet
there’s absolutely no specific examples in the consent flow of the commercial
uses to which Facebook will undoubtedly put the tech.
The minister also emphasizes that GDPR demands a
privacy-by-default approach, and requires data collection to be minimized —
saying Facebook will need to adapt all of its data processing operations in
order to comply.
Any data transfers from “friends” should also only take
place with explicit consent in individual cases, she continues (consent that
was of course entirely lacking in 2014 when Facebook APIs allowed a developer
on its platform to harvest data on up to 87 million users — and pass the information
to Cambridge Analytica).
Barley also warns explicitly that Facebook must not create
shadow profiles, an especially awkward legal issue for Facebook which US
lawmakers also questioned Zuckerberg closely about last month.
Facebook’s announcement this week, at its f8 conference, of
an incoming Clear History button — which will give users the ability to clear
past browsing data the company has gathered about them — merely underscores the
discrepancies here, with tracked Facebook non-users not even getting this
after-the-fact control, although tracked users also can’t ask Facebook never to
track them in the first place.
Nor is it clear what Facebook does with any derivatives it
gleans from this tracked personal data — i.e. whether those insights are also dissociated
from an individual’s account.
Sure, Facebook might delete a web log of the sites you
visited — like a gambling site or a health clinic — when you hit the button but
that does not mean it’s going to remove all the inferences it’s gleaned from that
data (and added to the unseen profile it holds of you and uses for ad targeting
purposes).
Safe to say, the value of the Clear History button looks
mostly as PR for Facebook — so the company can point to it and claim it’s
offering users another ‘control’ as a strategy to try to deflect lawmakers’
awkward questions (just such disingenuousness was on ample show in Congress
last month — and has also been publicly condemned by the UK parliament).
We asked Facebook our own series of questions about how Clear
History operates, and why — for example — it is not offering users the ability
to block tracking entirely. After multiple emails on this topic, over two days,
we’re still waiting for the company to answer anything we asked.
Facebook’s processing of non-users’ data, collected via
tracking pixels and social plugins across other popular web services, has
already got Facebook into hot water with some European regulators. Under GDPR
it will certainly face fresh challenges to any consent-less handling of people’s
data — unless it radically rethinks its approach, and does so in less than a
month.
In her letter, Barley also raises concerns around the misuse
of Facebook’s platform for political influence and opinion manipulation —
saying it must take “all necessary technical and organizational measures to
prevent abuse and manipulation possibilities (e.g. via fake accounts and social
bots)”, and ensure the algorithms it uses are “objective, neutral and
non-discriminatory”.
She says she also wants the company to disclose the actions
it takes on this front in order to enable “independent review”.
Facebook’s huge sprawl and size — with its business
consisting of multiple popular linked platforms (such as WhatsApp and Instagram), as well as the company
deploying its offsite tracking infrastructure across the Internet to massively
expand the reach of its ecosystem — “puts a special strain on the privacy and
self-determination of German and European users”, she adds.
At the time of writing Facebook had not responded to
multiple requests for comment about the letter.
No comments:
Post a Comment