“We have a responsibility to protect your data, and, if we can’t, then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again,” Facebook CEO Mark Zuckerberg wrote in a post on Wednesday, five days after the company triggered a firestorm with news it was suspending Cambridge Analytica from its platform for misusing user data.
In “an update on the Cambridge Analytica situation,” Zuckerberg said the company had taken most of the actions to address the issue in 2014 and 2015, but also laid out some (basic) new steps the company will take.
Audits & user notifications
Facebook will look at all apps that had access to large amounts of data before the company made changes to the Facebook Platform in 2014. Those changes were meant to keep apps from obtaining data about a person’s friends unless their friends had also authorized the app, and they also required that developers get Facebook’s approval before requesting any sensitive data from users.
Zuckerberg says the company will audit any app with suspicious activity and ban any developer that does not comply with an audit.
Any developers found to misuse personally identifiable information will be banned, and Facebook will notify affected users. Zuckerberg adds, “That includes people whose data [University of Cambridge data scientist Aleksandr] Kogan misused here as well.”
New restrictions
More restrictions will be placed on developers’ access to user data when those users no longer engage with the apps.
- Developers will lose access to user data if the users haven’t used the app in three months.
- The data an app can get when a user signs in will be limited to only their name, profile photo and email address.
- Developers will have to get user approval and also sign a contract with Facebook in order to ask users for access to their posts or other private data.
Additional changes will be announced in the next few days, says Zuckerberg.
New visibility into apps
In the next month, Facebook will change the News Feed interface so that users see their installed apps — along with a feature that allows them to revoke permissions — at the top of their Feed. This information will also continue to reside in privacy settings.
Cooperating with regulators
Zuckerberg’s accounting of the timeline of events that led to this crisis aligns with what has been reported by news outlets and offers no new insights about why it was allowed to happen.
He added that “Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this.” And he verified that the company is working with regulators as they investigate what happened.
Of the changes, the company said in a blog post, “Some of these updates were already in the works, and some are related to new data protection laws coming into effect in the EU. This week’s events have accelerated our efforts, and these changes will be the first of many we plan to roll out to protect people’s information and make our platform safer.”
Regulators in the US and the EU are investigating, and Senators have called on Zuckerberg to testify on Capitol Hill.
It can easily be argued that these steps have been a long time coming, that Facebook shouldn’t have had to be told about misuse of data by reporters, and that it should have verified Cambridge Analytica had indeed purged user data years ago.
Zuckerberg’s polished response also doesn’t address the fact that Facebook’s entire business model, not just the third-party apps piece, is based on selling user data — and that this is hardly its first privacy scandal. Just its worst.