Buried under the avalanche of coverage of its massive security breach, Facebook quietly acknowledged a second major data leak this week, this time admitting that a Russian company that counts the Russian government among its customers had bulk downloaded so much data from the platform that its marketing materials claimed it essentially had a mirror of the Russian portion of Facebook. Most disturbingly, Facebook believes that unlike previous leaks and breaches that focused on demographic information, this leak was driven in part by the company’s need to mass harvest imagery from Facebook to build facial recognition models that could be used by the Russian government for surveillance purposes. As Facebook has increasingly become an unwitting ally in governmental surveillance and repression throughout the world, providing it the enabling datasets for everything from identifying dissidents to tracking critics to targeting misinformation campaigns to building facial recognition systems, the question we must increasingly ask is if it is time to finally force Facebook to take privacy and security seriously, perhaps by shutting down or dramatically curtailing key elements of its business or alternatively whether the company should simply pivot and become a Twitter-like public publishing platform in which everything is considered world readable?
Facebook is an anomaly among its Silicon Valley peers in that its business involves both convincing customers to entrust it with their most sensitive and private information and simultaneously making that private and sensitive information as accessible as possible to advertisers and developers worldwide to exploit for commercial purposes. In contrast, LinkedIn has presented itself as an interactive resume hub, providing the tools for businesses and individuals to advertise their work experience and skills in an environment that is by its nature conducted in public and in which the more visibility a resume or job offer receives the better. Similarly, Twitter’s entire business model is as a megaphone to the world with an interface and mindset that everything is public and in which maximal publicity and virality is the goal. Thus, the fact that Twitter makes money boxing up all of those tweets and selling them to companies all over the world is far less privacy intruding, since users are aware from the start that they are stepping up onto a stage to give a speech to the world. In the same vein, most of the other web giants that have immense data about us guard that data as the lifeblood of their enterprises. Amazon, for example, may collect considerable information about its customers’ purchasing habits, but it guards that information with every bit of its security infrastructure, rather than opening it up with a garden of APIs and openly tout it as the ultimate consumer research platform. To Amazon the data it holds about its customers is its major competitive advantage to be secured at all costs. In contrast, opening itself up as both private platform and public data broker is essentially what Facebook has done for many years: convince people to hand it their data, while strategically and knowingly building an entire infrastructure of tools and processes to absolutely maximize the ability of developers to access all of that data.
In short, the large Silicon Valley companies either promise privacy and fiercely guard their customer data with every bit of their might, wielding it internally as a competitive advantage or they make their business as a publisher, helping their users get their thoughts and ideas out to the public under a privacy model in which everything is public and privacy is not the point. In this regard Facebook stands alone among its peers in that it both promised its users privacy and made a business of maximizing access to their data.
This is one of the reasons that Facebook has become one of the most important surveillance tools of governments worldwide.
Twitter may be useful to collecting population-scale aggregate trends and observing the public posturing of how individuals portray themselves in filtered fashion to the world, but Facebook is where we are really ourselves. Much as West World’s theme park offered a freeing world in which its guests could momentarily shake off the shackles of modern life and enjoy what they wrongfully thought was freedom from observation, judgement and consequence, so too has Facebook become what a quarter of the earth’s population turns to in order to communicate and express themselves in what they believed was a secure and private space.
Other web companies may know us better, but only Facebook makes its observations available to the world.
In its latest data leak, Facebook acknowledged this week that two Russian companies had mass harvested user profiles and images from its platform. Unlike Cambridge Analytica’s alleged work that was focused on domestic political campaigning, the latest case involved companies allegedly providing their services to the Russian government. Most disturbingly of all, however, is that unlike the textual and demographic focus of previous breaches and leaks, this one involved an explicit focus on mass harvesting photographs to build facial recognition models. Specifically, Facebook alleged that it “has reason to believe your work for the government has included matching photos from individuals’ personal social media accounts in order to identify them.”
Yet, as the company pointed out, at least some of its data came from using web crawlers to scrape publicly accessible information available through web searches of Facebook’s site and that under Russian law its practices were entirely legal. The ability of the companies to externally harvest data without actually logging into Facebook points to one of the challenges of Facebook’s privacy model: it portrays itself as a private walled garden in which privacy is paramount yet encourages users to adopt privacy settings that can make their content visible even off Facebook to outsiders beyond its walls.
Facebook’s global nature also poses unique privacy challenges. As an international company doing business in so many countries, it is exposed to each of their distinct legal systems, some of which may be profoundly different from the freedoms and protections familiar to those in the US. The company has no choice but to comply with these demands or concede to such activities which are entirely legal and lawful in those countries.
Therein lies one of the great existential challenges of the increasingly centralized web: as a small set of companies define their respective corners of the “web” for the entire planet, they expose all their users to the laws and norms of every country. In the decentralized web as it was envisioned, a Chinese social media platform based in China and targeting Chinese citizens can censor all mention of Tiananmen Square, but such restrictions have no impact on an American social platform targeting Americans. As the underlying content infrastructure of the web has shrunk to a handful of companies, we are now at a crossroads in which that American social media platform must now accommodate those Chinese censorship demands, potentially extending elements of them globally as it attempts to devise a single set of moderation rules applied to all countries and cultures.
Such international companies have no loyalty but to their bottom line. They have no financial or other incentive in combatting terrorism or halting hate speech, no interest in preventing governments from silencing critics or conducting mass surveillance, no reason to increase privacy or invest in security. Their only risk is the possibility of government intervention, while the economic rewards of permitting each of these activities is substantial. After all, while it officially forbids terroristic speech, at the end of the day Facebook makes money from the ads people see when consuming or responding to that content and the more content there is on its platform the more eyeballs and activity it is able to sell to advertisers.
When it comes to facial recognition, the specter of mass image harvesting from social networks is nothing new in Russia, where FindFace made headlines in 2016 by mass harvesting photographs from Russian social network Vkontakte and enabling realtime facial recognition with 70% accuracy, touting applications like using one’s smartphone to identify a woman walking down the street and send her a dating message or mass identifying everyone walking out of a subway station.
Of course, Facebook itself has made an art of mass facial recognition and even applied for patents covering the notion of commercializing their facial data and algorithms to offer mass facial recognition for businesses and eventual potentially law enforcement (though the company emphasized it had no immediate plans to do so).
One might reasonably ask that if Facebook has at least considered the idea of opening up its facial recognition platform for outside use, why would it object to other companies doing the same? If Facebook sees it acceptable to file a patent application describing the use of its vast image database to allow companies to perform facial recognition and refuses to rule out allowing governments to leverage the same technology, why should it be allowed to stop third party companies from competing with it? Indeed, such arguments go right to the heart of the question of whether Facebook is a monopoly, when it uses its power to stop companies from offering precisely the same services it has contemplated seriously enough to file a patent on.
The company did not respond to a request for comment.
In the end, perhaps the greatest story here is that once again Facebook either failed to notice or simply ignored yet another company mass harvesting data from the sanctity of its walled garden. In its rush to become the central plumbing of the modern social web, Facebook focused all of its resources on making it as easy as possible for others to access the data its users had entrusted to it, without ever considering whether that was a good idea and the privacy implications it would create. The company’s continued reluctance to comment on these issues and the fact that nothing seems to have changed, with yet another breach happening just last month, suggests the only hope we have for privacy online is either for governments to finally intervene and force Facebook to take real steps towards securing its users’ data that go far beyond its current efforts or else finally acknowledge that it cannot keep its users’ information private and pivot to the public model of its peers in which it advertises itself as a platform for public rather than private communication. Given that privacy is effectively dead in today’s digital world, perhaps the best option of all is for Facebook to embrace that its once tranquil walled garden has become an Orwellian surveillance state and teach its two billion users to treat everything they do as public. After all, if we acted every moment as if the cameras were watching, the next data breach would merely be a retweet getting us more publicity.