“Mr. Zuckerberg, would you be comfortable sharing with us the name of the hotel you stayed in last night?” That was Senator Dick Durbin’s first question for Facebook CEO Mark Zuckerberg, who spent a marathon afternoon on Capitol Hill testifying in front of a row of senators. Zuckerberg — propped up on a cushion on his chair — grinned, let out a breathy laugh, froze for a couple seconds, and then finally answered: “Uuuh, no!”
Durbin followed up by asking Zuckerberg if he would share the names of people he’s sent messages to recently. Zuckerberg again declined. Durbin’s stunt was an obvious trick. But it was a potent one. Amid the more complicated (or, at least, complicated-sounding) processes of data-harvesting and ad-targeting, the core question at the heart of Facebook’s most recent woes is this: How comfortable do you feel with other people knowing where you’ve been and who you’re talking to? Zuckerberg famously, and somewhat ironically, is very guarded about his private life. And yet, as the senators grappled with this afternoon, Facebook’s entire business model requires it to sink its fangs into users and extract data from them through a number of methods.
And how do you defend that? You explain that users signed up for Facebook’s vampire kiss, and that in fact they’re completely in control of the flow rates of their data and exact location of the puncture wounds. “User control” was what Zuckerberg clung to all day. “You sign up for Facebook, you get the ability to share the information that you want with people,” he explained. “That’s what the service is: you can connect to the people that you want and share what matters to you. That’s photos or links or posts. And you get control over who you share it with, and you can take it down if you want, and you don’t need to put anything up in the first place if you don’t want.”
That sounds benign, doesn’t it? The problem is that setting aside Facebook’s tangled privacy controls, one of the core issues with Facebook is that they collect reams of data that users don’t explicitly provide, and are often totally unaware of having given up. As Hawaii senator Brian Schatz put it, “Everybody kind of understands that when you click like on something, or if you say you like a certain movie or have a particular political proclivity, I think that’s fair game. Everybody understands that. But what we don’t understand as a matter practice and as a matter of not being able to decipher the terms of service and the privacy policy, is what exactly are you doing with the data collected in the process of using the platform.”
In addition to understanding what you share on Facebook, Zuckerberg’s site can also track you across the web, because most websites contain embedded Facebook code. Facebook also owns a VPN called Onavo — that it encourages users to install and which millions have — which monitors its users’ internet traffic. “In general, Facebook is not collecting data from other apps that you use,” Zuckerberg said, despite the fact that it very much does. Facebook has many methods of collecting activity on what you do on Facebook aside from actively sharing on the platform.
So let’s return to Senator Durbin’s hypothetical. Would Zuckerberg feel comfortable sharing the hotel he’s staying at? According to Facebook’s practices, the question is beside the point. Using geolocation or an IP address, all you’d need to do is open Facebook’s mobile app on your phone. Facebook’s technology doesn’t need Zuck to post “I’m in Washington D.C.” to know that he’s in Washington, D.C. Similarly, Facebook doesn’t need you to say “I’ve got a crush on so-and-so.” All it needs is for you to visit so-and-so’s profile a dozen times a day. It’s this type of indirectly shared behavioral data that users do not understand in the same way that they understand something like a status update.
And users aren’t the only ones confused about what data they share and who they share it with. As Senator Richard Blumenthal pointed out to Zuckerberg, the app that Aleksandr Kogan used to harvest Facebook user data and then sell it to Cambridge Analytica had a privacy policy that enabled users to authorize him to do exactly that, despite that fact that it violated Facebook’s own policy. That detail slipped by anyone reviewing Kogan’s app for compliance. In other words, Facebook didn’t read the terms of service. How can they expect users to be any better?