In our blog of March 21 st we did a general overview of some of the problems facing Facebook, most notably in the U.S, and involving various regulatory bodies. At that time we alluded to the fact of pending trouble this side of the pond. In the infamous and immortal words of the legendary American baseball player, Yogi Berra, it seems very much like, “it’s déjà vu all over again”. Reports from the office of the DPC concerning developments in its investigations would seem to bear this out.
In the same blog, and in reference to the first Annual DPC Report of the new DPC, we had pointed out the substantial number of data breaches reported by multinationals. Facebook was one of those multinationals and the Facebook Token breach became subject to a statutory inquiry in Sept. last year. Now a report confirms that Facebook, or one of its subsidiaries, has had 11 statutory inquiries by the office of the DPC initiated against it over varying periods. (See the full article by Adrian Weckler, Technology Editor, Irish Independent.) It is a confrontation that seems endless.
In the Left Corner, Weighing in at...
As part of an ongoing investigation by the Justice Department’s securities fraud unit, Facebook now expects to pay between $3bn and $5bn. Political consulting company Cambridge Analytica had improperly obtained the Facebook data of 87 million users and used the data to build tools that helped Trump’s campaign in 2016. (For more details, refer to our previous blog on the American investigations here). At the centre of the current probe is the admission by Facebook in its notification to the DPC, that millions of passwords were stored in totally unsecure ‘plain text format’. Facebook had discovered, “that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” said a statement from the Irish DPC.
Storage of passwords in this manner leaves them especially exposed to those with access to certain internal services. It is always recommended, and it is good practice, to store passwords in an encrypted format, thereby allowing websites to confirm what you are entering without actually reading it. What is normal practice is that a password is ‘hashed’ and ‘salted’ which includes using a function called “scrypt” as well as a cryptographic key.
In cryptography, a ‘salt’ is random data that is used as an additional input to a one- way function that ‘hashes’ data, a password or passphrase. This allows the data security team to irreversibly replace a user’s actual password with a random set of characters. With this procedure, a user logging in is validated as having the correct password, without any need to resort to storing the password in plain text. Hardly something to be considered ultra high tech or ‘rocket science’ for the average IT and Data Security team!
The Bell for the End of Round 11.
Somewhat surprisingly, Facebook’s ‘bottom line’ does not seem to be suffering as badly as analysts had been predicting. Sales were up 26% for the first quarter of 2019 to close to $16bn. User numbers also increased, but at a lower rate of just 8%. Market analysts also got Facebook share price expectations wrong. In the year to date, Facebook shares have risen 40%, outperforming much of the wider market. It still has 2.38 billion account holders. Ultimately, much could change when the results of all the investigations become public knowledge. What will the public’s perception of Facebook’s privacy and data protection policy be when all investigations conclude? Negative public sentiments have so far not affected Facebook’s bottom line. People are creatures of habit and change can sometimes be excessively challenging and inconvenient.
These investigations are warning signs for the company and investors alike. Maybe Rick Ackerman’s insight may be more prophetic than speculative. “Even the rabid weasels who drive the company’s shares wildly up and down for fun and profit must be sensing by now that Facebook is no longer cool (think AOL) and that the company has seriously depleted its store of goodwill”. (https://www.fxstreet.com/analysis/more-bad-news-cools-facebooks-rampage-201904032337) Strong words, but a UK government report found Facebook had behaved like ‘digital gangsters’. https://www.npr.org/2019/02/18/695729829/facebook-has-been-behaving-like-digital-gangsters-u-k-parliament-report-says?t=1556562850116
Winners and Losers?
In a post back in March, Mark Zuckerberg stated, “I believe the future of communication will increasingly shift to private, encrypted services, where people can be confident what they say to each other stays secure, and their messages and content won’t stick around forever. This is the future I hope we will help bring about.” Their business practices will have to go through at least an ethical overhaul. At present, they rely on a $55bn advertising revenue stream that comes from products and services that do not have end to end encryption. They are not private to any substantive and quantifiable measure. Yet if the business model is also under increased pressure from data protection and privacy regulators in different jurisdictions, then in theory at least, it must change sooner rather than later.
If this model is to be replaced, the question must be what type or form it will take? Most analysts suggest that Whatsapp and Messenger are the future because Facebook’s data show that is where people are increasingly spending their time. If people move to private messaging apps with high levels of encryption, as Zuckerberg stated is the future and their policy, Facebook will still need data to use to target people with ads. What will be the source of the data needed to target these people? More relevant is whether or not this will be done in accordance with GDPR and data protection legislation? Will their business model stay substantially the same, just being delivered by different vehicles? Will it be ‘free’? A subscription model is unlikely because how many people will actually pay for ‘likes’, and to interact with their ‘friends’? (No ads, but…)
It is conceivable that for many years to come, as one inquiry ends, another starts. Maybe it will be a case of, “the more things change, the more things stay the same”. Cost-benefit analyses done by Facebook may be adjusted once the fines begin to mount up. One certainty is that Facebook will not be allowed to disregard the GDPR and privacy legislation in numerous jurisdictions. Thankfully, for data protection and privacy advocates, the office of the DPC is committed to its mission. It is seriously ‘punching above its weight’. Facebook will find, like many before it, that its financial resources do not afford it special treatment, or confer special status in the eyes of the law.
P.S. For another angle on the subscription ideas see https://techcrunch.com/2018/02/17/facebook-subscription/?guccounter=1&guce_referrer_us=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_cs=Rhxc73OHhIIwVotsx2PW0w
Patrick Rowland, GDPRxpert.ie.
We are Data Protection consultants, based in Carlow/Kilkenny and Mayo, offering a nationwide service.
Visit www.gdprxpert.ie to learn more