The rise of Facebook has not been without scandal. Heck, there's even a (pretty good) movie about its troubled beginnings. Founder Mark Zuckerberg has found himself in a tight spot numerous other times; it all came with the territory: becoming a public figure at a young age, becoming a billionaire, creating one of the world's most used websites which happens to be a social network that collects personal data (as surrendered by users themselves), becoming a tech leader and holding the power and influence that come with the title.
But this month's Cambridge Analytica situation is without doubt the biggest scandal the social juggernaut has faced in its 14-year history. Big companies, in and outside of tech, getting hacked and exposing customers' data is nothing new. Even when the exposure was the result of reckless, poor security practices, most companies have been able to survive it.
However, the Facebook situation has turned into a much bigger ticking bomb because the abuse of its network data, which did not originate from an unauthorized hack, has had ripple effects that reach deep into the world of politics, a heated presidential election, and a controversial and scrutinized figure in Donald Trump, now President of the United States.
Trump's political team at some point during the past election benefited from services offered by Cambridge Analytica. The company built psychological profiles of people using their Facebook data, which could then be used in personalized political messages aimed at potential voters. The raw user data was acquired using Facebook's own APIs, though abusing its terms of service, resulting in data harvesting from an estimated 50 million Facebook friends, who didn’t know about the app or give consent, yet still had their personal info sucked up.
To put that 50 million figure into perspective, by the end of 2017, Facebook had 2.2 billion monthly active users worldwide.
About the situation, Mark Zuckerberg took his time to "understand exactly what happened" and has now responded with an open letter. He's expected to do some interviews (see below) as well, and as media coverage and pressure intensify, he may have to answer calls to testify in front of Congress, the FTC, or the UK Parliament.
The letter opens by saying "We have a responsibility to protect your data, and if we can't then we don't deserve to serve you," and then goes on to explain what happened using a timeline of events. There is no apology, but there is a clear commitment to do better, a claim of responsibility by Zuckerberg himself, and the assurance that whatever loophole existed to harvest data, it has not been possible to do that for a long time.
Unfortunately, there is no explanation of when Facebook learned about the API misuse (reports say as early as 2015) and why the company didn't disclose or raise any public concern about this. It also misses the mark when it says they tightened security for third parties in 2014, given that the presidential election took place in late 2016.
This is likely just the beginning for Facebook and we'll watch the aftermath unfold in the coming days and weeks. Zuckerberg did outline planned future action in the form of three initiatives to secure user data: 1) they will conduct an audit of any app that had access to large quantities of information before they secured their API in 2014, making sure there is no suspicious activity; 2) they will restrict developers' data access further, asking them to sign a contract and adding an expiry date to third-party connections on apps you may no longer use; 3) they will launch a new tool next month (one already exists but is somewhat obscured within Facebook's security settings) that will help users better understand which apps have their data and give them easy access to revoke those permissions.
Do not forget, when you opt in to a service -- in this case Facebook, but it could be any service -- and you voluntarily concede a lot of your personal data, that data is at risk of being acquired by a third party sooner or later, unauthorized or not (no security is perfect). Facebook just happens to be the keeper and trove of all that data and it's up to you to decide if you trust them with it or not.
There are varied opinions on whether the Facebook CEO's response addresses enough. Some of the planned improvements may sound coherent, if not necessary, so why didn't they come sooner? Well, on the surface Facebook is a social network, but its core business depends on collecting users' data and providing access to those users. I'd call that a conflict of interest.