Facebook investors, alarmed by the social giant’s latest privacy problems, pushed the stock down more than 7% on Dec. 19 — wiping out around $30 billion in market value. The stock was essentially flat on Thursday as the market assessed the fallout.
At the start of the year, CEO Mark Zuckerberg wrote in a Jan. 4 post that his “personal challenge for 2018 is to focus on fixing” issues Facebook was wrestling with, including “defending against interference by nation states.” Instead, 2018 has delivered a steady drumbeat of public failings for Facebook, with Zuckerberg and his company under more scrutiny than ever.
Here’s a summary of the scope of the problems Facebook is dealing with and what’s likely to happen.
What happened this week?
Washington, D.C.’s attorney general sued Facebook on Wednesday, alleging the company failed to protect the private data of millions of users that wound up in the hands of Cambridge Analytica, a political consulting firm that used the information to target voters during the 2016 presidential election. That came less than a day after a damaging report by the New York Times, which alleged Facebook has given large tech partners, including Microsoft and Amazon, data on hundreds of millions of users each month, including email addresses and phone numbers — which those partners were able to access without users’ knowledge or consent, according to the Times.
How big a deal are the revelations that Facebook gave big partners extensive access to user data, including the ability for some to write and delete private messages?
Facebook is downplaying them, but the new information has renewed calls for more comprehensive U.S. privacy legislation and could fuel the Federal Trade Commission’s probe into whether the company violated its consumer-privacy deal with the agency. Facebook says many of the data deals documented in most recent Times report have expired, while it is pledging to review “all our APIs and the partners who can access them,” Konstantinos Papamiltiadis, director of developer platforms and programs, wrote in a blog post. The company also claims that it never granted access to user data without the permission of its users.
On the issue of letting partners like Netflix and Spotify access Facebook users’ messages, Facebook essentially says that this has been overblown. By necessity, Facebook had to enable read/write/delete access for those partners to Messenger accounts of users who had opted-in to the features in order to make those integrations possible. “These experiences are common in our industry — think of being able to have Alexa read your email aloud or to read your email on Apple’s Mail app,” VP of product partnerships Ime Archibong wrote in a blog post response Wednesday. At the same time, Facebook noted, those messaging features have been discontinued.
How do the latest issues compound what came to light about Facebook earlier in 2018?
For context: Other internet players including YouTube and Twitter have been targets of controversy, including for failing to curb hate speech, misinformation and abuse, while Google’s CEO was called in front of Congress earlier this month to address topics including its data-collection practices, anticompetitive actions and alleged political bias. And data-privacy problems aren’t unique to Facebook (see: Marriott’s disclosure of a hack compromising info on 500 million Starwood guests).
But Facebook has spent more than its share of the time in the spotlight. A string of negative headlines and disclosures about the company’s business practices and security breaches have rattled Facebook. Those include:
- The Cambridge Analytica scandal: After news reports in March that Facebook user data was improperly obtained by the U.K.-based political consulting firm, Facebook disclosed that info on up to 87 million users was actually in the possession of Cambridge Analytica, which subsequently shut down.
- In May, Facebook suspended 200 apps that had access to large amounts of user data prior to 2014, as part of its efforts to clean up the mess from the Cambridge Analytica situation.
- In June, Facebook confirmed it had data-sharing agreements with Chinese manufacturers including Huawei Technologies and Lenovo, which granted the device makers special access to user data. In response, Facebook noted that it was already winding down access to such partners. It also said the program was launched a decade ago when app developers (including Twitter and YouTube) “had to work directly with operating system and device manufacturers to get their products into people’s hands,” according to Facebook’s Archibong.
- In August, Facebook said it identified and removed several hundred pages and accounts associated with Iranian state media. The company said it also removed content associated with Russian intelligence services and a group of accounts associated with Middle East media organizations that acted in concert while pretending to represent independent entities.
- In September, Facebook announced the biggest hack in its history after it discovered a security hole had compromised up to 50 million user accounts. The company later said hackers had successfully accessed data from 29 million Facebook members.
- In November, a New York Times investigative report detailed Facebook’s response to scandals over misuse of its platform and data-privacy gaffes, including that it withheld knowledge of Russia’s weaponizing the platform to spread propaganda. It also revealed that Facebook hired a D.C.-area political consulting firm to push negative coverage of competitors and critics — including urging journalists to investigate ties between billionaire financier George Soros and anti-Facebook groups.
- In early December, a U.K. parliamentary committee released a 250-page report, which included numerous internal company emails, detailing how Facebook granted favored partners including Netflix “whitelist” access to user info while it blocked rivals from accessing its data. (Facebook said the documents, obtained through an app developer’s 2015 lawsuit against the company, were “cherry-picked” and lacked context.)
- Facebook last week (Dec. 14) disclosed that it had discovered a bug in photo-sharing system that may have exposed the private photos of as many as 6.8 million users. (It said it fixed the bug and was notifying affected users.)
Is Facebook going to face other regulatory or legal repercussions?
Besides the D.C. attorney general’s lawsuit, other government actions are growing more probable with every new revelation. The year of “bad publicity and significant issues” for Facebook makes it “more likely that the U.S. government will take action to penalize and/or regulate FB,” CFRA Research’s Scott Kessler wrote in a Dec. 19 research note. At the same time, the analyst reiterated a “buy” rating on the company because “we still see its fundamentals as healthy and valuation as attractive.”
On Capitol Hill, both Democrat and Republican lawmakers this week criticized Facebook, with some questioning whether Zuckerberg lied in his testimony during congressional hearings when he said Facebook users have “complete control” over their own data. Sen. Brian Schatz (D-Hawaii), who serves on U.S. Senate committees including Commerce, Science and Transportation, tweeted Tuesday, “It has never been more clear. We need a federal privacy law. [Facebook is] never going to volunteer to do the right thing. The FTC needs to be empowered to oversee big tech.” Analysts expect the U.S. to adopt legislation similar to Europe’s General Data Protection Regulation; Zuckerberg has said Facebook will apply GDPR-compliant controls worldwide.
Meanwhile, the FTC initiated its investigation into Facebook’s privacy practices this spring, which remains ongoing. The agency is expected to specifically examine whether Facebook violated the terms of its agreement with the FTC, approved in 2012, under which Facebook is required to give consumers “clear and prominent notice” and must obtain “their express consent before sharing their information beyond their privacy settings.” (Facebook insists that none of its data-sharing partnerships violated the FTC agreement.) The FTC has the authority to impose fines on Facebook, which Facebook would have the right to appeal. The agency also may seek additional restrictions on the company’s data-handling practices.
Are heads going to roll at Facebook because of these scandals?
It doesn’t seem like anything will change on the senior-management front right now. Despite calls from some investors for Zuckerberg to step aside, when asked in a CNN interview last month if he was going to resign as chairman, he said “That’s not the plan.” (Because he controls 60% of the voting shares in Facebook, only Zuckerberg can decide to exit.) COO Sheryl Sandberg — who acknowledged that she directed Facebook’s communications staff to look into Soros’ financial interests after Soros called internet companies like Facebook “a menace to society” — has the support of the board (which includes, of course, Zuckerberg as well as Sandberg).
Meanwhile, Elliot Schrage, Facebook’s longtime VP of communications and public policy who was already set to leave the company, in a memo just before Thanksgiving took the blame for hiring Definers, the political consulting firm that tried to push journalists to look into Soros’ backing of Facebook critics.
Is Facebook going to see a drop in users?
It’s unclear how big an impact the ongoing privacy problems are having on Facebook’s user growth. Immediately after the Cambridge Analytica erupted in public, Facebook actually boosted its daily active users in the U.S. and Canada. But in Q2 and Q3, daily active users have effectively been flat in the U.S. — and have dropped in Europe. Partly, the leveling-off of growth is because Facebook is already so massive it doesn’t have more runway to add more users. But privacy concerns clearly don’t help.
Is the privacy of Facebook users at risk?
Facebook says it’s doing everything it can to safeguard user data and remediate holes in its systems — but given its privacy track record, an increasing number of users are likely to either cancel their accounts, reduce their usage, or more tightly restrict their privacy settings. Facebook introduced new privacy tools this year, designed to consolidate controls that were previously in separate places. More information is on Facebook’s website at this link. The company also offers instructions on how to deactivate or permanently delete Facebook accounts at this link.