
Facebook’s Data-Oligarchy and Illusion of Control

Ravie Lakshmanan


At this point, nothing about Facebook’s vast data collection engine should surprise anyone. Yet for all the effort it expends defending its questionable data practices, the social network’s hunger for users’ personal information has led it to adopt any means necessary to harvest as much data as possible: acquiring any company that might remotely threaten its numero uno status, crushing its competition and expanding its reach on a colossal scale, with seemingly nothing to stop it in its tracks.

Until now. And 2018 might as well be Facebook’s year of reckoning, its annus horribilis.

The social network giant has been rocked by a series of privacy scandals, set off by disclosures earlier this March that a political consultancy firm, Cambridge Analytica, improperly accessed user data in an attempt to influence the 2016 U.S. elections. It has proved itself incapable of securing the personal information users entrusted to it, in addition to facing mounting criticism for its slow, reactive approach to handling propaganda and mis-(dis)information on the platform.

Now, in a new, fairly obvious but no less alarming revelation, Aleksandra Korolova, an assistant professor of Computer Science at the University of Southern California (USC), has found that Facebook not only tracks your location even after you explicitly turn the setting off (via IP address, Wi-Fi and Bluetooth data), but also uses this information for location-based ad targeting.

The New York Times, in a recent bombshell report, detailed how a variety of apps exploit intimate levels of location tracking with no consideration for explicit user consent, instead resorting to vague privacy policies to mention that location data, tracked for purposes such as showing weather alerts or recommending local sports teams, will in fact be shared with and sold to advertisers to make quick money.

“There is no way for people to opt out of using location for ads entirely,” said Facebook in an email response to Gizmodo. “We use city and zip level location which we collect from IP addresses and other information such as check-ins and current city from your profile to ensure we are providing people with a good service — from ensuring they see Facebook in the right language, to making sure that they are shown nearby events and ads for businesses that are local to them.”

But by tracking users’ location by default, giving them no option to opt out, and still misleading them about how they can control their advertising preferences, Facebook has time and again resorted to the deceptive practice of giving the impression that users are in control of their data, while actually providing none. It’s this illusion of control, this dark pattern, that lies at the heart of the privacy control paradox.

Google’s Ad personalisation setting

The least Facebook can do is to go the Google way and give its users an option to turn off location-based ads completely, but all indications are that it won’t.

That’s not all. A treasure trove of emails released by the U.K. Parliament in connection with an ongoing lawsuit filed by Six4Three has raised significant concerns about Facebook’s wide-ranging data collection practices, and the power it wields as a data-oligarchy to enter into whitelisting agreements with certain companies (like Netflix and Airbnb) in order to let them access friends’ data in exchange for sharing their information back to Facebook.

In an email dated November 19, 2012, CEO Mark Zuckerberg openly talked about third-party app access, throwing light on how tightly Facebook intended to control the social sharing experience, even if it’s to the detriment of its 2.27 billion monthly users:

“I think we should go with full reciprocity and access to app friends for no charge. Full reciprocity means that apps are required to give any user who connects to FB a prominent option to share all of their social content within that service back to Facebook.”

“We’re trying to enable people to share everything they want, and to do it on Facebook. Sometimes the best way to enable people to share something is to have a developer build a special purpose app or network for that type of content and to make that app social by having Facebook plug into it. However, that may be good for the world but it’s not good for us unless people also share back to Facebook and that content increases the value of our network. So ultimately, I think the purpose of platform — even the read side — is to increase sharing back into Facebook.”

What’s more, it targeted competitor apps like Vine by cutting off access to friends’ data on the same date it was launched, leading to its failure, and went to the extent of collecting Android smartphone users’ call and SMS history despite knowing it was sensitive (a claim it denied earlier this year), with the sole purpose of improving its People You May Know feature, and used a VPN app it acquired in 2013 (Onavo) to sneakily monitor users’ mobile app usage without their knowledge.

But it doesn’t stop there. In yet another explosive story published by The New York Times on Tuesday, it has also emerged that Facebook entered into extensive data sharing agreements with tech giants like Apple, Amazon, Microsoft, Netflix and Spotify (dating back to 2010) that allowed them to bypass usual privacy rules and obtain users’ names and contact information from their friends, and in some cases, even granted the ability to read, write and delete users’ private messages, all without explicit consent. (Note: This is only applicable if you have connected to these services using Facebook Login.)

In all, the deals described in the documents benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month, the records show. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect this year.

The data-sharing deals include:

  • Giving Apple access to users’ Facebook contacts and calendar entries, in addition to “empowering” the company to hide from Facebook users that their iPhones were requesting data from the social network. (Let’s not forget CEO Tim Cook’s strong words of criticism directed against Facebook for its privacy violations: “We’re not going to traffic in your personal life. Privacy to us is a human right. It’s a civil liberty.”)
  • Giving Amazon the names and contact information of users, in a partnership that is currently being wound down.
  • Giving Bing, Microsoft’s search engine, access to see names and other “public” profile information of a user’s friends. (Microsoft has said it has since then deleted the data.)
  • Giving Spotify, Netflix, and the Royal Bank of Canada the ability to read, write and delete users’ private Facebook messages.
  • Giving Yandex, Russia’s internet giant, access to Facebook’s unique user IDs even after the social network stopped sharing them with other applications, citing privacy risks.
  • Giving Yahoo! access to streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

Although Facebook maintains that “none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC,” the report by The Times paints a different side to the story:

According to Facebook, most of its data partnerships fall under an exemption to the F.T.C. agreement. The company argues that the partner companies are service providers — companies that use the data only “for and at the direction of” Facebook and function as an extension of the social network.

In other words, Facebook treated these strategic partners as an extension of itself, thus obviating the need for permission in the first place. (Most of these partners have so far sought to distance themselves from the controversy saying they never misused their access with malicious intent, but declined to discuss the data-sharing terms in detail.)

The development builds off similar reporting this year from The New York Times and The Wall Street Journal that went on to explain how Facebook potentially considered charging developers for access to user data, and inked deals with phone and other device makers, including Apple, Amazon, BlackBerry, Microsoft and Samsung, to expand its reach in return for access to vast amounts of its users’ personal information like relationship status, religion, political leaning and upcoming events, among others.

Personal information didn’t just flow out of Facebook. A separate story published by BuzzFeed on Wednesday, based on a report published by German mobile security initiative Mobilsicher, described how third-party apps and services like Tinder, Grindr and Pregnancy+, that rely on the company’s Software Development Kit (SDK), were “quietly transmitting sensitive user data to Facebook” through the SDK, including details like IP address of the device that used the app, the type of device, time of use, user-specific Advertising Identifier, religious affiliation, dating profiles, and healthcare data, all without the knowledge of the users.

Echoing the findings in a separate investigation, Privacy International all but established a pattern where “at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.” The apps, including really popular ones like Skyscanner, Kayak, Shazam (now owned by Apple), Yelp, Duolingo and TripAdvisor, were revealed to be “over-sharing” details like when they are opened and closed, and even about flight searches, travel dates, and whether the user had any children (in the case of Kayak).

Ultimately though, it’s not surprising that a tech octopus that runs primarily on ads would find innovative, ruthless ways to extend its tentacles and maximise profits. After all, the information users give up in hopes of staying in touch with family and friends is nothing but fodder to feed its data-hungry algorithms, thereby turning it into a lucrative monetisation platform.

Instead it’s the users wanting an online experience that’s transparent and trustworthy, and not a black box that decides what’s good for them, who end up getting a raw deal. It’s also a timely reminder that Facebook is a money-making juggernaut that will do whatever it takes to grow bigger, not a philanthropic endeavour driven by a lofty goal to make the world “more open and connected.”

On January 24, 2013, the day Facebook’s rival Twitter launched Vine, the company’s vice president of operations Justin Osofsky wrote: “Unless anyone raises objections, we will shut down their friends API access today.” Zuckerberg replied, “Yup, go for it.”

Written by Ravie Lakshmanan

Computational journalist and cybersecurity reporter
