What Facebook did was probably legal. But that’s the problem.


Yesterday I had a quick interview with BBC Newsnight about the recent Facebook and Cambridge Analytica debate. In one of my answers, I mentioned that I think what Facebook did was probably legal. The text in the tweet is missing the rest of my answer, but I regardless stand by what I said. As a disclaimer, I am not a lawyer.

First of all, consider the facts. Facebook opened up this Graph API V1 in 2010. Zuckerberg announced it on stage, to big fanfare. They actively promoted it and sought partnerships with other app developers, small and large. The documentation was there for everyone to see. It’s possible they gave birth to hundreds, if not thousands, of social media apps via the permissiveness of this single API.

Second, and slightly more uncomfortable point. Obama campaign also used this API. Their motives were more transparent, but their methods weren’t much different. They were sucking in so much data that Facebook’s systems (either for fraud prevention, or system health, or both) slowed them down. Just like Facebook helped Kogan, they also helped Obama campaign many years ago. Obama campaign even bragged about how they sucked in entire US population, breaking Facebook. (Pro-tip: Don’t ever brag on record)

What happened here is not some shady backdoor deal. Facebook and Kogan had a working relationship. And I am not the only one who thinks what Facebook did, in terms of sharing this data from original users who used Kogan’s app and the expanded set is legal.

Here is Daphne Keller from Stanford Law school.

And, like many FB apps, it collected far more information than would seem to be necessary for the app’s purpose or utility to the user. This included not only information about the user who installed it, but information about his or her FB friends (FB has since limited apps’ ability to collect that info). It was supposedly this info about friends that brought the number of affected people up to a reported 50 million.
All this info flowed to the app developers with FB’s permission, subject to the Terms of Service agreed to between the developer and FB.

And here’s also Andrew Keane Woods from Lawfrare blog arguing the same point:

Kogan’s access to the data (if not his later use) was known to Facebook and seemingly consistent with Facebook’s developer application programming interface (API) at the time. This is how Kogan was able to access 50 million user profiles through only a few hundred thousand quiz-takers. You take Kogan’s quiz, and a thousand of your closest friends are also scooped up.

Again, I am not a lawyer. But some lawyers agree.

This might sound like the same pedantry I and everyone criticized Facebook for about the breach discussion. I still think this is a breach of trust, and from an end user’s perspective, there’s not much difference. Your data is at someone’s hands that you didn’t agree with. Kogan, fine, Cambridge Analytica, no.

But there’s a charitable way to think it’s good that this wasn’t a breach. Facebook doesn’t sell user data. But I also don’t think this leak-cum-breach was Facebook’s business model “working as intended” unlike the popular snark. Facebook itself removed these APIs, either because they didn’t want others to have it or they realized it was aggravating and surprising users. This was more of one of Facebook’s business model’s unintended negative consequences that are pushed on users. Many academics, security professionals and technologists warned about this. I myself wrote this in 2013:

Are you going to now trust not only the judgement of the seedy app developers who’d do anything to get their user numbers app, as well as their technical competence in addition to everything else you already had to keep in mind?

The real important thing is, where do we go from here? For me, what Facebook did was acting haphazardly with millions of people’s data, way more than anyone should be OK with. And I think 50 million is a fraction of the real leak. Hundreds, if not thousands of apps sucked these graphs. Many of those companies, now dead, sold for scraps, with their data as one of the few salvageable assets.

Academics and ex-Facebook employees who worked on these tools think the real number is much bigger. Sandy Parakilas who used to work at Facebook investigating breaches pegs it much higher. (Disclaimer: Parakilas now works at Uber, where I used to work. I never met him.) We need to establish a baseline for meaningful discussion of what really happened. For this, Facebook needs to cooperate, or be forced to do so.

The point is, we need hard numbers to have a meaningful, rational discussions. Ideally, this number should be audited by third-parties. Only then we can understand the magnitude of the problem. But that’s not enough; we need to understand the people behind such decisions, and their principles, goals, perspectives.. Facebook management should be answering the questions from various US, EU, and UK bodies about what happened in public settings. They are no strangers to promoting their work in public, relishing in media attention. They are hugely influential, way more so than most politicians int he world. Now it’s their turn to answer questions in public, not just release carefully prepared statements.

And then, we need to ask ourselves, is this OK? Should we allow this to happen, ever again? And what should be the consequences of such negligence. Facebook doesn’t seem like a good custodian. Their judgement in building these APIs, being negligently permissive is one thing. But they also failed to notify users back in 2015 when they first uncovered what happened. They threatened to sue journalists for reporting the breach this time. And since the crisis happened, their executives are nowhere to be found. None of this inspires confidence or competence.

Establishing the legality of what happened is important. If we don’t, then we won’t have a good way to build actual, legal accountability. Facebook can fix all their problems but without actual penalties for mistakes, things will fall through the cracks again. Will all this compliance hurt margins? Yes. Will it hurt innovation? Possibly. But the current situation where user’s pay for the mistakes of other isn’t particularly a good place to be, unless you are Facebook.

And today, we are worried about Facebook and Cambridge Analytica but come tomorrow, it will be another company who build such a giant dataset. Then we won’t have Zuckerberg to blame, but ourselves.