Most Facebook users’ public profile data has likely been scraped by “malicious actors” and millions more may have been scooped up by a controversial data company than previously reported, the social media platform revealed Wednesday, raising new questions for founder Mark Zuckerberg to answer when he testifies before House and Senate committees next week.
Weeks after it was first reported that data firm Cambridge Analytica obtained information on tens of millions of Facebook users without their knowledge, Zuckerberg has recently amped up his defensive PR campaign, taking questions from the press on a 45-minute conference call Wednesday following in-depth interviews with CNN and Vox.
“I wish that I could snap my fingers and in three or six months have solved all of these issues,” he told reporters Wednesday. “But I just think the reality is, given how complex Facebook is and how many systems there [are], we need to rethink our relationship with people and our responsibility there across every single part of what we do.”
Facebook announced in a blog post that Cambridge may have obtained information on as many as 87 million users, far more than the 50 million media outlets had reported and nearly three times the amount the data firm claimed it had received. In addition, Facebook said most of its 2 billion users can assume basic information from their public profile has been harvested by third parties.
Cambridge’s actions were first reported weeks ago, sparking soul-searching in some quarters about how much information is being shared on social media, but Zuckerberg said the full extent of these intrusions only became clear in the last few days during an audit of the whole system.
“In all honesty, I think Facebook did not calm consumers’ fears fast enough because, in part, it was dealing with its own shock to its company’s core,” said David Muir, an assistant professor of marketing at the University of Delaware. “It has had to come to terms with the reality of being a social media company in the digital age.”
Speaking to reporters Wednesday, Zuckerberg acknowledged that Facebook long underestimated its responsibility for protecting information and preventing the spread of misinformation.
“It’s clear now that we didn’t do enough,” he said. “We didn’t focus enough on preventing abuse and thinking through how people could use these tools to do harm as well. That goes for fake news, foreign interference in elections, hate speech, in addition to developers and data privacy.”
Last month, Facebook suspended Cambridge Analytica’s access to the platform. The firm, which worked closely with President Donald Trump’s campaign in 2016, obtained data on millions of users from researcher Aleksandr Kogan in 2014. Kogan had developed a personality quiz app that collected users’ demographic information and some of their Facebook friends’ data when they used it.
Though only 270,000 users took the quiz, Facebook now estimates that, based on the maximum number of friends its users had at the time, information on more than 86 million people could have been obtained.
Cambridge Analytica has maintained that it only received data on 30 million users from Kogan, that it deleted the data when it became clear Facebook’s policies had been violated, and that it never used any of the information in its work for the Trump campaign.
A separate issue may have made the public profile data of most Facebook users vulnerable to malevolent forces. The site’s account recovery tools and search functions inadvertently allowed people to use a phone number or email address to collect a user’s demographic information and public photos.
“I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way,” Zuckerberg said.
Facebook announced several policy changes Wednesday aimed at alleviating the concerns raised by these scandals, including significant restrictions on access to profile information by third-party apps. The site is also proposing updates to its terms of service and data policies to spell out more clearly what data it collects and how it uses it.
Even after instituting these measures, Zuckerberg said it will never be possible to prevent every attempt to exploit the system.
“This is going to be a never-ending battle,” he said. “You never fully solve security — it’s an arms race. In retrospect we were behind, and we didn’t invest enough in it up front.”
Ray Klump, a software engineer and director of the Master of Information Security program at Lewis University, observed that privacy settings were already available and it was not hard for users to see how their public profile looked. Facebook could have made it easier, but there is an element of personal responsibility for users who chose not to make information private.
“I don’t see this as a problem that Facebook caused or that Facebook can necessarily control,” he said. “When we use Facebook, we know it’s a mechanism for sharing, and we’re sharing all this data willingly, and we’re believing what we see in our news feed willingly.”
Despite the avalanche of bad press the company has been buried under in recent weeks, Zuckerberg insisted there has been no “meaningful” change in user behavior. However, he stressed that does not absolve the company of responsibility to protect personal data.
“Even if we can’t really measure a change and the usage of a product, or the business or anything like that, it still speaks to people feeling like this is a massive breach of trust and that we have a lot of work to do to repair that,” he said.
Experts are unsurprised that the harvesting of users’ public data has not inspired a mass exodus from the platform.
“I think the Facebook brand is remarkably resistant for a number of reasons,” Klump said. “First, people like the brand…. It’s become part of their lives.”
If this was an illegal data breach to steal identities, private details, or financial information, the reaction might be different, but he suggested many feel they have nothing to hide in their public profiles.
“There are subsets of Facebook users who constantly teeter on the line of ‘should I?/shouldn’t I?’ when it comes to deactivating their accounts,” Muir said. “I think these individuals may have been pushed over the edge and likely account for a sizable share of those who have left Facebook since news of the scandal broke.”
Facebook is deeply entrenched in many people’s lives and, to an extent, they are captive to it.
“To switch to another social media platform is very costly in terms of time and energy, especially the more input one has spent in creating a social media landscape, all which creates high switching costs and user ‘lock-in,’ whereby the user sees no alternative but to continue to use the platform,” Muir said.
Even if users are disturbed by the latest revelations, they will weigh the risks to their privacy against the benefits they get from their social media activities.
“I think we sometimes underestimate how important tech companies like Facebook are to our daily lives…. Quitting is easier said than done,” said Elizabeth Cohen, an assistant professor of communication studies at West Virginia University.
While Zuckerberg admitted a number of mistakes, he was unapologetic about Facebook collecting data on users’ behavior and interests in order to maximize effective advertising.
“People tell us that if they’re going to see ads, they want the ads to be good,” he said Wednesday. “And the way to make the ads good, is by making it so that when someone tells us they have an interest, they like technology or they like skiing or whatever it is they like, that the ads are actually tailored to what they care about.”
Damage to the brand so far may not be severe, but challenges for Zuckerberg and Facebook still await.
The House Energy and Commerce Committee confirmed Wednesday that Zuckerberg will testify at a hearing on transparency and use of consumer data by Facebook next Wednesday. The Senate Judiciary Committee and Commerce, Science, and Transportation Committee also announced that Zuckerberg will appear at a joint hearing Tuesday titled “Facebook, Social Media Privacy, and the Use and Abuse of Data.”
“Facebook now plays a critical role in many social relationships, informing Americans about current events, and pitching everything from products to political candidates,” Senate Commerce Committee Chairman John Thune, R-S.D., said in a statement. “Our joint hearing will be a public conversation with the CEO of this powerful and influential company about his vision for addressing problems that have generated significant concern about Facebook’s role in our democracy, bad actors using the platform, and user privacy.”
Some lawmakers are already signaling a harsh interrogation for Zuckerberg.
Next week’s Commerce/Judiciary joint hearing is a good first step toward instituting some vitally necessary rules of the road for Big Tech - something that can and ought to be a bipartisan priority. — Richard Blumenthal (@SenBlumenthal) April 5, 2018
“I’m glad Mr. Zuckerberg has agreed to face the music. His company has shamelessly shredded the privacy rights of its users,” said Sen. Richard Blumenthal, D-Conn., a member of the Senate Judiciary Committee. “Just today, Facebook admitted that the personal data of most of its 2 billion users had been compromised by ‘malicious actors’ over the last several years. This hearing is a good first step towards instituting some vitally necessary rules of the road for Big Tech.”
Experts are hoping the hearings provide a clearer picture of exactly what has gone wrong and how Facebook’s business practices can be improved.
“I think we need to know more about the timeline of what Facebook knew, when it knew…how much things like [what happened with] Cambridge Analytica happened with other apps,” Cohen said.
There are several questions Muir would like to see Zuckerberg answer. Among them: “You previously have stated you would not mind seeing Facebook regulated. What would those regulations look like to you? What information should be protected?”
Facebook is under similar pressure from foreign governments to institute privacy protections and behave more responsibly. Officials in Germany have threatened to launch an investigation of the company, and an Australian government watchdog agency is already investigating whether its privacy laws have been violated.
Zuckerberg confirmed Wednesday that changes being made to comply with the European Union’s General Data Protection Regulation will be made available to users everywhere in some form.
As more information drips out about how Facebook handled—or mishandled—user data, the changes announced so far may not be enough to satisfy Congress or the American people.
“The hearings will hopefully make the practices that Facebook has more transparent,” Cohen said. “Then the public and the legislature can decide what needs to be done about it.”