Facebook is still falling short on privacy, says German minister

Germany’s justice minister has written to Facebook calling for the platform to implement an internal “control and sanction mechanism” to ensure third-party developers and other external providers are not able to misuse Facebook data — calling for it to both monitor third party compliance with its platform policies and apply “harsh penalties” for any violations.

The letter, which has been published in full in local mediafollows the privacy storm that has engulfed the company since mid March when fresh revelations were published by the Observer of London and the New York Times — detailing how Cambridge Analytica had obtained and used personal information on up to 87 million Facebook users for political ad targeting purposes.

Writing to Facebook’s founder and CEO Mark Zuckerberg, justice minister Katarina Barley welcomes some recent changes the company has made around user privacy, describing its decision to limit collaboration with “data dealers” as “a good start”, for example.

However she says the company needs to do more — setting out a series of what she describes as “core requirements” in the area of data and consumer protection (bulleted below). 

She also writes that the Cambridge Analytica scandal confirms long-standing criticisms against Facebook made by data and consumer advocates in Germany and Europe, adding that it suggests various lawsuits filed against the company’s data practices have “good cause”.

Unfortunately, Facebook has not responded to this criticism in all the years or only insufficiently,” she continues (translated via Google Translate). “Facebook has rather expanded its data collection and use. This is at the expense of the privacy and self-determination of its users and third parties.”

“What is needed is that Facebook lives up to its corporate responsibility and makes a serious change,” she says at the end of the letter. “In interviews and advertisements, you have stated that the new EU data protection regulations are the standard worldwide for the social network. Whether Facebook consistently implements this view, unfortunately, seems questionable,” she continues, critically flagging Facebook’s decision to switch the data controller status of ~1.5BN international users this month so they will no longer be under the jurisdiction of EU law, before adding: “I will therefore keep a close eye on the further measures taken by Facebook.

Since revelations about Cambridge Analytica’s use of Facebook data snowballed into a global privacy scandal for the company this spring, the company has revealed a series of changes which it claims are intended to bolster data protection on its platform.

Although, in truth, many of the tweaks Facebook has announced were likely in train already — as it has been working for months (if not years) on its response to the EU’s incoming GDPR framework, which will apply from May 25.

Yet, even so, many of these measures have been roundly criticized by privacy experts, who argue they do not go far enough to comply with GDPR and will trigger legal challenges once the framework is being applied.

For example, a new consent flow, announced by Facebook last month, has been accused of being intentionally manipulative — and of going against the spirit of the new rules, at very least.

Barley picks up on these criticisms in her letter — calling specifically for Facebook to deliver:

  • More transparency for users
  • Real control of users’ data processing by Facebook
  • Strict compliance with privacy by default and consent in the entire ecosystem of Facebook
  • Objective, neutral, non-discriminatory and manipulation-free algorithms
  • More freedom of choice for users through various settings and uses

On consent, she emphasizes that under GDPR the company will need to obtain consent for each data use — and cannot bundle up uses to try to obtain a ‘lump-sum’ consent, as she puts it.

Yet this is pretty clearly exactly what Facebook is doing when it asks Europeans to opt into its face recognition technology, for example, by suggesting this could help protect users against strangers using their photos; and be an aid to visually impaired users on its platform; yet there’s absolutely no specific examples in the consent flow of the commercial uses to which Facebook will undoubtedly put the tech.

The minister also emphasizes that GDPR demands a privacy-by-default approach, and requires data collection to be minimized — saying Facebook will need to adapt all of its data processing operations in order to comply. 

Any data transfers from “friends” should also only take place with explicit consent in individual cases, she continues (consent that was of course entirely lacking in 2014 when Facebook APIs allowed a developer on its platform to harvest data on up to 87 million users — and pass the information to Cambridge Analytica).

Barley also warns explicitly that Facebook must not create shadow profiles, an especially awkward legal issue for Facebook which US lawmakers also questioned Zuckerberg closely about last month.

Facebook’s announcement this week, at its f8 conference, of an incoming Clear History button — which will give users the ability to clear past browsing data the company has gathered about them — merely underscores the discrepancies here, with tracked Facebook non-users not even getting this after-the-fact control, although tracked users also can’t ask Facebook never to track them in the first place.

Nor is it clear what Facebook does with any derivatives it gleans from this tracked personal data — i.e. whether those insights are also dissociated from an individual’s account.

Sure, Facebook might delete a web log of the sites you visited — like a gambling site or a health clinic — when you hit the button but that does not mean it’s going to remove all the inferences it’s gleaned from that data (and added to the unseen profile it holds of you and uses for ad targeting purposes).

Safe to say, the value of the Clear History button looks mostly as PR for Facebook — so the company can point to it and claim it’s offering users another ‘control’ as a strategy to try to deflect lawmakers’ awkward questions (just such disingenuousness was on ample show in Congress last month — and has also been publicly condemned by the UK parliament).

We asked Facebook our own series of questions about how Clear History operates, and why — for example — it is not offering users the ability to block tracking entirely. After multiple emails on this topic, over two days, we’re still waiting for the company to answer anything we asked.

Facebook’s processing of non-users’ data, collected via tracking pixels and social plugins across other popular web services, has already got Facebook into hot water with some European regulators. Under GDPR it will certainly face fresh challenges to any consent-less handling of people’s data — unless it radically rethinks its approach, and does so in less than a month. 

In her letter, Barley also raises concerns around the misuse of Facebook’s platform for political influence and opinion manipulation — saying it must take “all necessary technical and organizational measures to prevent abuse and manipulation possibilities (e.g. via fake accounts and social bots)”, and ensure the algorithms it uses are “objective, neutral and non-discriminatory”.

She says she also wants the company to disclose the actions it takes on this front in order to enable “independent review”.

Facebook’s huge sprawl and size — with its business consisting of multiple popular linked platforms (such as WhatsApp and Instagram), as well as the company deploying its offsite tracking infrastructure across the Internet to massively expand the reach of its ecosystem — “puts a special strain on the privacy and self-determination of German and European users”, she adds.

At the time of writing Facebook had not responded to multiple requests for comment about the letter.