All posts in “Mark Zuckerberg”

EU parliament pushes for Zuckerberg hearing to be live-streamed

There’s confusion about whether a meeting between Facebook founder Mark Zuckerberg and the European Union’s parliament — which is due to take place next Tuesday — will go ahead as planned or not.

The meeting was confirmed by the EU parliament’s president this week, and is the latest stop on Zuckerberg’s contrition tour, following the Cambridge Analytics data misuse story that blew up into a major public scandal in mid March. 

However, the discussion with MEPs that Facebook agreed to was due to take place behind closed doors. A private format that’s not only ripe with irony but was also unpalatable to a large number of MEPs. It even drew criticism from some in the EU’s unelected executive body, the European Commission, which further angered parliamentarians.

Now, as the FT reports, MEPs appear to have forced the parliament’s president, Antonio Tajani, to agree to live-streaming the event.

Guy Verhofstadt — the leader of the Alliance of Liberals and Democrats group of MEPs, who had said he would boycott the meeting if it took place in private — has also tweeted that a majority of the parliament’s groups have pushed for the event to be streamed online.

And a Green Group MEP, Sven Giegold, who posted an online petition calling for the meeting not to be held in secret — has also tweeted that there is now a majority among the groups wanting to change the format. At the time of writing, Giegold’s petition has garnered more than 25,000 signatures.

MEP Claude Moraes, chair of the EU parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee — and one of the handful of parliamentarians set to question Zuckerberg (assuming the meeting goes ahead as planned) — told TechCrunch this morning that there were efforts afoot among political group leaders to try to open up the format. Though any changes would clearly depend on Facebook agreeing to them.

After speaking to Moraes, we asked Facebook to confirm whether it’s open to Zuckerberg’s meeting being streamed online — say, via a Facebook Live. Seven hours later we’re still waiting for a response, including to a follow up email asking if it will accept the majority decision among MEPs for the hearing to be live-streamed.

The LIBE committee had been pushing for a fully open hearing with the Facebook founder — a format which would also have meant it being open to members of the public. But that was before a small majority of the parliament’s political groups accepted the council of presidents’ (COP) decision on a closed meeting.

Although now that decision looks to have been rowed back, with a majority of the groups pushing the president to agree to the event being streamed — putting the ball back in Facebook’s court to accept the new format.

Of course democracy can be a messy process at times, something Zuckerberg surely has a pretty sharp appreciation of these days. And if the Facebook founder pulls out of meeting simply because a majority of MEPs have voted to do the equivalent of “Facebook Live” the hearing, well, it’s hard to see a way for the company to salvage any face at all.

Zuckerberg has agreed to be interviewed onstage at the VivaTech conference in Paris next Thursday, and is scheduled to have lunch with French president Emmanuel Macron the same week. So pivoting to a last minute snub of the EU parliament would be a pretty high stakes game for the company to play. (Though it’s continued to deny a U.K. parliamentary committee any face time with Zuckerberg for months now.)

The EU Facebook agenda

The substance of the meeting between Zuckerberg and the EU parliament — should it go ahead — will include discussion about Facebook’s impact on election processes. That was the only substance detail flagged by Tajani in the statement on Wednesday when he confirmed Zuckerberg had accepted the invitation to talk to representatives of the EU’s 500 million citizens.

Moraes says he also intends to ask Zuckerberg wider questions — relating to how its business model impacts people’s privacy. And his hope is this discussion could help unblock negotiations around an update to the EU’s rules around online tracking technologies and the privacy of digital communications.

“One of the key things is that [Zuckerberg] gets a particular flavor of the genuine concern — not just about what Facebook is doing, but potentially other tech companies — on the interference in elections. Because I think that is a genuine, big, sort of tech versus real life and politics concern,” he says, discussing the questions he wants to ask.

“And the fact is he’s not going to go before the House of Commons. He’s not going to go before the Bundestag. And he needs to answer this question about Cambridge Analytica — in a little bit more depth, if possible, than we even saw in Congress. Because he needs to get straight from us the deepest concerns about that.

“And also this issue of processing for algorithmic targeting, and for political manipulation — some in depth questions on this.

“And we need to go more in depth and more carefully about what safeguards there are — and what he’s prepared to do beyond those safeguards.

“We’re aware of how poor US data protection law is. We know that GDPR is coming in but it doesn’t impact on the Facebook business model that much. It does a little bit but not sufficiently — I mean ePrivacy probably far more — so we need to get to a point where we understand what Facebook is willing to change about the way it’s been behaving up til now.

“And we have a real locus there — which is we have more Facebook users, and we have the clout as well because we have potential legislation, and we have regulation beyond that too. So I think for those reasons he needs to answer.”

“The other things that go beyond the obvious Cambridge Analytica questions and the impact on elections, are the consequences of the business model, data-driven advertising, and how that’s going to work, and there we need to go much more in depth,” he continues.

“Facebook on the one hand, it’s complying with GDPR [the EU’s incoming General Data Protection Regulation] which is fine — but we need to think about what the further protections are. So for example, how justified we are with the ePrivacy Regulation, for example, and its elements, and I think that’s quite important.

“I think he needs to talk to us about that. Because that legislation at the moment it’s seen as controversial, it’s blocked at the moment, but clearly would have more relevance to the problems that are currently being created.”

Negotiations between the EU parliament and the European Council to update the ePrivacy Directive — which governs the use of personal telecoms data and also regulates tracking cookies — and replace it with a regulation that harmonizes the rules with the incoming GDPR and expands the remit to include internet companies and cover both content and metadata of digital comms are effectively stalled for now, as EU Member States are still trying to reach agreement. The directive was last updated in 2009.

“When the Cambridge Analytica case happened, I was slightly concerned about people thinking GDPR is the panacea to this — it’s not,” argues Moraes. “It only affects Facebook’s business model a little bit. ePrivacy goes far more in depth — into data-driven advertising, personal comms and privacy.

“That tool was there because people were aware that this kind of thing can happen. But because of that the Privacy directive will be seen as controversial but I think people now need to look at it carefully and say look at the problems created in the Facebook situation — and not just Facebook — and then analyze whether ePrivacy has got merits. I think that’s quite an important discussion to happen.”

While Moraes believes Facebook-Cambridge Analytica could help unblock the log jam around ePrivacy, as the scandal makes some of the risks clear and underlines what’s at stake for politicians and democracies, he concedes there are still challenging barriers to getting the right legislation in place — given the fine-grained layers of complexity involved with imposing checks and balances on what are also poorly understood technologies outside their specific industry niches.

“This Facebook situation has happened when ePrivacy is more or less blocked because its proportionality is an issue. But the essence of it — which is all the problems that happened with the Facebook case, the Cambridge Analytica case, and data-driven advertising business model — that needs checks and balances… So we need to now just review the ePrivacy situation and I think it’s better that everyone opens this discussion up a bit.

“ePrivacy, future legislation on artificial intelligence, all of which is in our committee, it will challenge people because sometimes they just won’t want to look at it. And it speaks to parliamentarians without technical knowledge which is another issue in Western countries… But these are all wider issues about the understanding of these files which are going to come up.  

“This is the discussion we need to have now. We need to get that discussion right. And I think Facebook and other big companies are aware that we are legislating in these areas — and we’re legislating for more than one countries and we have the economies of scale — we have the user base, which is bigger than the US… and we have the innovation base, and I think those companies are aware of that.”

Moraes also points out that U.S. lawmakers raised the difference between the EU and U.S. data protection regimes with Zuckerberg last month — arguing there’s a growing awareness that U.S. law in this area “desperately needs to be modernized.”

So he sees an opportunity for EU regulators to press on their counterparts over the pond.

“We have international agreements that just aren’t going to work in the future and they’re the basis of a lot of economic activity, so it is becoming critical… So the Facebook debate should, if it’s pushed in the correct direction, give us a better handle on ePrivacy, on modernizing data protection standards in the US in particular. And modernizing safeguards for consumers,” he argues.

“Our parliaments across Europe are still filled with people who don’t have tech backgrounds and knowledge but we need to ensure that we get out of this mindset and start understanding exactly what the implications here are of these cases and what the opportunities are.”

In the short term, discussions are also continuing for a full meeting between the LIBE committee and Facebook.

Though that’s unlikely to be Zuckerberg himself. Moraes says the committee is “aiming for Sheryl Sandberg,” though he says other names have been suggested. No firm date has been conformed yet either — he’ll only say he “hopes it will take place as soon as possible.”

Threats are not on the agenda though. Moraes is unimpressed with the strategy the DCMS committee has pursued in trying (and so far failing) to get Zuckerberg to testify in front of the U.K. parliament, arguing threats of a summons were counterproductive. LIBE is clearly playing a longer game.

“Threatening him with a summons in UK law really was not the best approach. Because it would have been extremely important to have him in London. But I just don’t see why he would do that. And I’m sure there’s an element of him understanding that the European Union and parliament in particular is a better forum,” he suggests.

“We have more Facebook users than the US, we have the regulatory framework that is significant to Facebook — the UK is simply implementing GDPR and following Brexit it will have an adequacy agreement with the EU so I think there’s an understanding in Facebook where the regulation, the legislation and the audience is.”

“I think the quaint ways of the British House of Commons need to be thought through,” he adds. “Because I really don’t think that would have engendered much enthusiasm in [Zuckerberg] to come and really interact with the House of Commons which would have been a very positive thing. Particularly on the specifics of Cambridge Analytics, given that that company is in the UK. So that locus was quite important, but the approach… was not positive at all.”

Zuckerberg will meet with European parliament in private next week

Who says privacy is dead? Facebook’s founder Mark Zuckerberg has agreed to take European parliamentarians’ questions about how his platform impacts the privacy of hundreds of millions of European citizens — but only behind closed doors. Where no one except a handful of carefully chosen MEPs will bear witness to what’s said.

The private meeting will take place on May 22 at 17.45CET in Brussels. After which the president of the European Parliament, Antonio Tajani, will hold a press conference to furnish the media with his version of events.

It’s just a shame that journalists are being blocked from being able to report on what actually goes on in the room.

And that members of the public won’t be able to form their own opinions about how Facebook’s founder responds to pressing questions about what Zuckerberg’s platform is doing to their privacy and their fundamental rights.

Because the doors are being closed to journalists and citizens.

Even the intended contents of the meeting is been glossed over in public — with the purpose of the chat being vaguely couched as “to clarify issues related to the use of personal data” in a statement by Tajani (below).

The impact of Facebook’s platform on “electoral processes in Europe” is the only discussion point that’s specifically flagged.

Given Zuckerberg has thrice denied requests from UK lawmakers to take questions about his platform in a public hearing we can only assume the company made the CEO’s appearance in front of EU parliamentarians conditional on the meeting being closed.

Zuckerberg did agree to public sessions with US lawmakers last month, following a major global privacy scandal related to user data and political ad targeting.

But evidently the company’s sense of accountability doesn’t travel very far. (Despite a set of ‘privacy principles’ that Facebook published with great fanfare at the start of the year — one of which reads: ‘We are accountable’. Albeit Facebook didn’t specify to who or what exactly Facebook feels accountable.)

We’ve reached out to Facebook to ask why Zuckerberg will not take European parliamentarians questions in a public hearing. And indeed whether Mark can find the time to hop on a train to London afterwards to testify before the DCMS committee’s enquiry into online disinformation — and will update this story with any response.

As Vera Jourova, the European commissioner for justice and consumers, put it in a tweet, it’s a pity the Facebook founder does not believe all Europeans deserve to know how their data is handled by his company. Just a select few, holding positions of elected office.

A pity or, well, a shame.

Safe to say, not all MEPs are happy with the arrangement…

And according to an EU parliament source, around half the groups wanted an open hearing with the Committee on Civil Liberties, Justice and Home Affairs — with only a small majority of the Conference of Presidents agreeing to a closed meeting.

But let’s at least be thankful that Zuckerberg has shown us, once again, how very much privacy matters — to him personally

Facebook faces fresh criticism over ad targeting of sensitive interests

Is Facebook trampling over laws that regulate the processing of sensitive categories of personal data by failing to ask people for their explicit consent before it makes sensitive inferences about their sex life, religion or political beliefs? Or is the company merely treading uncomfortably and unethically close to the line of the law?

An investigation by the Guardian and the Danish Broadcasting Corporation has found that Facebook’s platform allows advertisers to target users based on interests related to political beliefs, sexuality and religion — all categories that are marked out as sensitive information under current European data protection law.

And indeed under the incoming GDPR, which will apply across the bloc from May 25.

The joint investigation found Facebook’s platform had made sensitive inferences about users — allowing advertisers to target people based on inferred interests including communism, social democrats, Hinduism and Christianity. All of which would be classed as sensitive personal data under EU rules.

And while the platform offers some constraints on how advertisers can target people against sensitive interests — not allowing advertisers to exclude users based on a specific sensitive interest, for example (Facebook having previously run into trouble in the US for enabling discrimination via ethnic affinity-based targeting) — such controls are beside the point if you take the view that Facebook is legally required to ask for a user’s explicit consent to processing this kind of sensitive data up front, before making any inferences about a person.

Indeed, it’s very unlikely that any ad platform can put people into buckets with sensitive labels like ‘interested in social democrat issues’ or ‘likes communist pages’ or ‘attends gay events’ without asking them to let it do so first.

And Facebook is not asking first.

Facebook argues otherwise, of course — claiming that the information it gathers about people’s affinities/interests, even when they entail sensitive categories of information such as sexuality and religion, is not personal data.

In a response statement to the media investigation, a Facebook spokesperson told us:

Like other Internet companies, Facebook shows ads based on topics we think people might be interested in, but without using sensitive personal data. This means that someone could have an ad interest listed as ‘Gay Pride’ because they have liked a Pride associated Page or clicked a Pride ad, but it does not reflect any personal characteristics such as gender or sexuality. People are able to manage their Ad Preferences tool, which clearly explains how advertising works on Facebook and provides a way to tell us if you want to see ads based on specific interests or not. When interests are removed, we show people the list of removed interests so that they have a record they can access, but these interests are no longer used for ads. Our advertising complies with relevant EU law and, like other companies, we are preparing for the GDPR to ensure we are compliant when it comes into force.

Expect Facebook’s argument to be tested in the courts — likely in the very near future.

As we’ve said before, the GDPR lawsuits are coming for the company, thanks to beefed up enforcement of EU privacy rules, with the regulation providing for fines as large as 4% of a company’s global turnover.

Facebook is not the only online people profiler, of course, but it’s a prime target for strategic litigation both because of its massive size and reach (and the resulting power over web users flowing from a dominant position in an attention-dominating category), but also on account of its nose-thumbing attitude to compliance with EU regulations thus far.

The company has faced a number of challenges and sanctions under existing EU privacy law — though for its operations outside the US it typically refuses to recognize any legal jurisdiction except corporate-friendly Ireland, where its international HQ is based.

And, from what we’ve seen so far, Facebook’s response to GDPR ‘compliance’ is no new leaf. Rather it looks like privacy-hostile business as usual; a continued attempt to leverage its size and power to force a self-serving interpretation of the law — bending rules to fit its existing business processes, rather than reconfiguring those processes to comply with the law.

The GDPR is one of the reasons why Facebook’s ad microtargeting empire is facing greater scrutiny now, with just weeks to go before civil society organizations are able to take advantage of fresh opportunities for strategic litigation allowed by the regulation.

“I’m a big fan of the GDPR. I really believe that it gives us — as the court in Strasbourg would say — effective and practical remedies,” law professor Mireille Hildebrandt tells us. “If we go and do it, of course. So we need a lot of public litigation, a lot of court cases to make the GDPR work but… I think there are more people moving into this.

“The GDPR created a market for these sort of law firms — and I think that’s excellent.”

But it’s not the only reason. Another reason why Facebook’s handling of personal data is attracting attention is the result of tenacious press investigations into how one controversial political consultancy, Cambridge Analytica, was able to gain such freewheeling access to Facebook users’ data — as a result of Facebook’s lax platform policies around data access — for, in that instance, political ad targeting purposes.

All of which eventually blew up into a major global privacy storm, this March, though criticism of Facebook’s privacy-hostile platform policies dates back more than a decade at this stage.

The Cambridge Analytica scandal at least brought Facebook CEO and founder Mark Zuckerberg in front of US lawmakers, facing questions about the extent of the personal information it gathers; what controls it offers users over their data; and how he thinks Internet companies should be regulated, to name a few. (Pro tip for politicians: You don’t need to ask companies how they’d like to be regulated.)

The Facebook founder has also finally agreed to meet EU lawmakers — though UK lawmakers’ calls have been ignored.

Zuckerberg should expect to be questioned very closely in Brussels about how his platform is impacting European’s fundamental rights.

Sensitive personal data needs explicit consent

Facebook infers affinities linked to individual users by collecting and processing interest signals their web activity generates, such as likes on Facebook Pages or what people look at when they’re browsing outside Facebook — off-site intel it gathers via an extensive network of social plug-ins and tracking pixels embedded on third party websites. (According to information released by Facebook to the UK parliament this week, during just one week of April this year its Like button appeared on 8.4M websites; the Share button appeared on 931,000 websites; and its tracking Pixels were running on 2.2M websites.)

But here’s the thing: Both the current and the incoming EU legal framework for data protection sets the bar for consent to processing so-called special category data equally high — at “explicit” consent.

What that means in practice is Facebook needs to seek and secure separate consents from users (such as via a dedicated pop-up) for collecting and processing this type of sensitive data.

The alternative is for it to rely on another special condition for processing this type of sensitive data. However the other conditions are pretty tightly drawn — relating to things like the public interest; or the vital interests of a data subject; or for purposes of “preventive or occupational medicine”.

None of which would appear to apply if, as Facebook is, you’re processing people’s sensitive personal information just to target them with ads.

Ahead of GDPR, Facebook has started asking users who have chosen to display political opinions and/or sexuality information on their profiles to explicitly consent to that data being public.

Though even there its actions are problematic, as it offers users a take it or leave it style ‘choice’ — saying they either remove the info entirely or leave it and therefore agree that Facebook can use it to target them with ads.

Yet EU law also requires that consent be freely given. It cannot be conditional on the provision of a service.

So Facebook’s bundling of service provisions and consent will also likely face legal challenges, as we’ve written before.

“They’ve tangled the use of their network for socialising with the profiling of users for advertising. Those are separate purposes. You can’t tangle them like they are doing in the GDPR,” says Michael Veale, a technology policy researcher at University College London, emphasizing that GDPR allows for a third option that Facebook isn’t offering users: Allowing them to keep sensitive data on their profile but that data not be used for targeted advertising.

“Facebook, I believe, is quite afraid of this third option,” he continues. “It goes back to the Congressional hearing: Zuckerberg said a lot that you can choose which of your friends every post can be shared with, through a little in-line button. But there’s no option there that says ‘do not share this with Facebook for the purposes of analysis’.”

Returning to how the company synthesizes sensitive personal affinities from Facebook users’ Likes and wider web browsing activity, Veale argues that EU law also does not recognize the kind of distinction Facebook is seeking to draw — i.e. between inferred affinities and personal data — and thus to try to redraw the law in its favor.

“Facebook say that the data is not correct, or self-declared, and therefore these provisions do not apply. Data does not have to be correct or accurate to be personal data under European law, and trigger the protections. Indeed, that’s why there is a ‘right to rectification’ — because incorrect data is not the exception but the norm,” he tells us.

“At the crux of Facebook’s challenge is that they are inferring what is arguably “special category” data (Article 9, GDPR) from non-special category data. In European law, this data includes race, sexuality, data about health, biometric data for the purposes of identification, and political opinions. One of the first things to note is that European law does not govern collection and use as distinct activities: Both are considered processing.

“The pan-European group of data protection regulators have recently confirmed in guidance that when you infer special category data, it is as if you collected it. For this to be lawful, you need a special reason, which for most companies is restricted to separate, explicit consent. This will be often different than the lawful basis for processing the personal data you used for inference, which might well be ‘legitimate interests’, which didn’t require consent. That’s ruled out if you’re processing one of these special categories.”

“The regulators even specifically give Facebook like inference as an example of inferring special category data, so there is little wiggle room here,” he adds, pointing to an example used by regulators of a study that combined Facebook Like data with “limited survey information” — and from which it was found that researchers could accurately predict a male user’s sexual orientation 88% of the time; a user’s ethnic origin 95% of the time; and whether a user was Christian or Muslim 82% of the time.

Which underlines why these rules exist — given the clear risk of breaches to human rights if big data platforms can just suck up sensitive personal data automatically, as a background process.

The overarching aim of GDPR is to give consumers greater control over their personal data not just to help people defend their rights but to foster greater trust in online services — and for that trust to be a mechanism for greasing the wheels of digital business. Which is pretty much the opposite approach to sucking up everything in the background and hoping your users don’t realize what you’re doing.

Veale also points out that under current EU law even an opinion on someone is their personal data… (per this Article 29 Working Party guidance, emphasis ours):

From the point of view of the nature of the information, the concept of personal data includes any sort of statements about a person. It covers “objective” information, such as the presence of a certain substance in one’s blood. It also includes “subjective” information, opinions or assessments. This latter sort of statements make up a considerable share of personal data processing in sectors such as banking, for the assessment of the reliability of borrowers (“Titius is a reliable borrower”), in insurance (“Titius is not expected to die soon”) or in employment (“Titius is a good worker and merits promotion”).

We put that specific point to Facebook — but at the time of writing we’re still waiting for a response. (Nor would Facebook provide a public response to several other questions we asked around what it’s doing here, preferring to limit its comment to the statement at the top of this post.)

Veale adds that the WP29 guidance has been upheld in recent CJEU cases such as Nowak — which he says emphasized that, for example, annotations on the side of an exam script are personal data.

He’s clear about what Facebook should be doing to comply with the law: “They should be asking for individuals’ explicit, separate consent for them to infer data including race, sexuality, health or political opinions. If people say no, they should be able to continue using Facebook as normal without these inferences being made on the back-end.”

“They need to tell individuals about what they are doing clearly and in plain language,” he adds. “Political opinions are just as protected here, and this is perhaps more interesting than race or sexuality.”

“They certainly should face legal challenges under the GDPR,” agrees Paul Bernal, senior lecturer in law at the University of East Anglia, who is also critical of how Facebook is processing sensitive personal information. “The affinity concept seems to be a pretty transparent attempt to avoid legal challenges, and one that ought to fail. The question is whether the regulators have the guts to make the point: It undermines a quite significant part of Facebook’s approach.”

“I think the reason they’re pushing this is that they think they’ll get away with it, partly because they think they’ve persuaded people that the problem is Cambridge Analytica, as rogues, rather than Facebook, as enablers and supporters. We need to be very clear about this: Cambridge Analytica are the symptom, Facebook is the disease,” he adds.

“I should also say, I think the distinction between ‘targeting’ being OK and ‘excluding’ not being OK is also mostly Facebook playing games, and trying to have their cake and eat it. It just invites gaming of the systems really.”

Facebook claims its core product is social media, rather than data-mining people to run a highly lucrative microtargeted advertising platform.

But if that’s true why then is it tangling its core social functions with its ad-targeting apparatus — and telling people they can’t have a social service unless they agree to interest-based advertising?

It could support a service with other types of advertising, which don’t depend on background surveillance that erodes users’ fundamental rights.  But it’s choosing not to offer that. All you can ‘choose’ is all or nothing. Not much of a choice.

Facebook telling people that if they want to opt out of its ad targeting they must delete their account is neither a route to obtain meaningful (and therefore lawful) consent — nor a very compelling approach to counter criticism that its real business is farming people.

The issues at stake here for Facebook, and for the shadowy background data-mining and brokering of the online ad targeting industry as a whole, are clearly far greater than any one data misuse scandal or any one category of sensitive data. But Facebook’s decision to retain people’s sensitive personal data for ad targeting without asking for consent up-front is a telling sign of something gone very wrong indeed.

If Facebook doesn’t feel confident asking its users whether what it’s doing with their personal data is okay or not, maybe it shouldn’t be doing it in the first place.

At very least it’s a failure of ethics. Even if the final judgement on Facebook’s self-serving interpretation of EU privacy rules will have to wait for the courts to decide.

Zuckerberg again snubs UK parliament over call to testify

Facebook has once again eschewed a direct request from the UK parliament for its CEO, Mark Zuckerberg, to testify to a committee investigating online disinformation — without rustling up so much as a fig-leaf-sized excuse to explain why the founder of one of the world’s most used technology platforms can’t squeeze a video call into his busy schedule and spare UK politicians’ blushes.

Which tells you pretty much all you need to know about where the balance of power lies in the global game of (essentially unregulated) U.S. tech platforms giants vs (essentially powerless) foreign political jurisdictions.

At the end of an 18-page letter sent to the DCMS committee yesterday — in which Facebook’s UK head of public policy, Rebecca Stimson, provides a point-by-point response to the almost 40 questions the committee said had not been adequately addressed by CTO Mike Schroepfer in a prior hearing last month — Facebook professes itself disappointed that the CTO’s grilling was not deemed sufficient by the committee.

“While Mark Zuckerberg has no plans to meet with the Committee or travel to the UK at the present time, we fully recognize the seriousness of these issues and remain committed to providing any additional information required for their enquiry into fake news,” she adds.

So, in other words, Facebook has served up another big fat ‘no’ to the renewed request for Zuckerberg to testify — after also denying a request for him to appear before it in March, when it instead sent Schroepfer to claim to be unable to answer MPs’ questions.

At the start of this month committee chair Damian Collins wrote to Facebook saying he hoped Zuckerberg would voluntarily agree to answer questions. But the MP also took the unprecedented step of warning that if the Facebook founder did not do so the committee would issue a formal summons for him to appear the next time Zuckerberg steps foot in the UK.

Hence, presumably, that addendum line in Stimson’s letter — saying the Facebook CEO has no plans to travel to the UK “at the present time”.

The committee of course has zero powers to comply testimony from a non-UK national who is resident outside the UK — even though the platform he controls does plenty of business within the UK.

Last month Schroepfer faced five hours of close and at times angry questions from the committee, with members accusing his employer of lacking integrity and displaying a pattern of intentionally deceptive behavior.

The committee has been specifically asking Facebook to provide it with information related to the UK’s 2016 EU referendum for months — and complaining the company has narrowly interpreted its requests to sidestep a thorough investigation.

More recently research carried out by the Tow Center unearthed Russian-bought UK targeted immigration ads relevant to the Brexit referendum among a cache Facebook had provided to Congress — which the company had not disclosed to the UK committee.

At the end of the CTO’s evidence session last month the committee expressed immediate dissatisfaction — claiming there were almost 40 outstanding questions the CTO had failed to answer, and calling again for Zuckerberg to testify.

It possibly overplayed its hand slightly, though, giving Facebook the chance to serve up a detailed (if not entirely comprehensive) point-by-point reply now — and use that to sidestep the latest request for its CEO to testify.

Still, Collins expressed fresh dissatisfaction today, saying Facebook’s answers “do not fully answer each point with sufficient detail or data evidence”, and adding the committee would be writing to the company in the coming days to ask it to address “significant gaps” in its answers. So this game of political question and self-serving answer is set to continue.

In a statement, Collins also criticized Facebook’s response at length, writing:

It is disappointing that a company with the resources of Facebook chooses not to provide a sufficient level of detail and transparency on various points including on Cambridge Analytica, dark ads, Facebook Connect, the amount spent by Russia on UK ads on the platform, data collection across the web, budgets for investigations, and that shows general discrepancies between Schroepfer and Zuckerberg’s respective testimonies. Given that these were follow up questions to questions Mr Schroepfer previously failed to answer, we expected both detail and data, and in a number of cases got excuses.

If Mark Zuckerberg truly recognises the ‘seriousness’ of these issues as they say they do, we would expect that he would want to appear in front of the Committee and answer questions that are of concern not only to Parliament, but Facebook’s tens of millions of users in this country. Although Facebook says Mr Zuckerberg has no plans to travel to the UK, we would also be open to taking his evidence by video link, if that would be the only way to do this during the period of our inquiry.

For too long these companies have gone unchallenged in their business practices, and only under public pressure from this Committee and others have they begun to fully cooperate with our requests. We plan to write to Facebook in the coming days with further follow up questions.

In terms of the answers Facebook provides to the committee in its letter (plus some supporting documents related to the Cambridge Analytica data misuse scandal) there’s certainly plenty of padding on show. And deploying self-serving PR to fuzz the signal is a strategy Facebook has mastered in recent more challenging political times (just look at its ‘Hard Questions’ series to see this tactic at work).

At times Facebook’s response to political attacks certainly looks like an attempt to drown out critical points by deploying self-serving but selective data points — so, for instance, it talks at length in the letter about the work it’s doing in Myanmar, where its platform has been accused by the UN of accelerating ethnic violence as a result of systematic content moderation failures, but declines to state how many fake accounts it’s identified and removed in the market; nor will it disclose how much revenue it generates from the market.

Asked by the committee what the average time to respond to content flagged for review in the region, Facebook also responds in the letter with the vaguest of generalized global data points — saying: “The vast majority of the content reported to us is reviewed within 24 hours.” Nor does it specify if that global average refers to human review — or just an AI parsing the content.

Another of the committee’s questions is: ‘Who was the person at Facebook responsible for the decision not to tell users affected in 2015 by the Cambridge Analytica data misuse scandal?’ On this Facebook provides three full paragraphs of response but does not provide a direct answer specifying who decided not to tell users at that point — so either the company is concealing the identity of the person responsible or there simply was no one in charge of that kind of consideration at that time because user privacy was so low a priority for the company that it had no responsibility structures in place to enforce it.

Another question — ‘who at Facebook heads up the investigation into Cambridge Analytica?’ — does get a straight and short response, with Facebook saying its legal team, led by general counsel Colin Stretch, is the lead there.

It also claims that Zuckerberg himself only become aware of the allegations that Cambridge Analytica may not have deleted Facebook user data in March 2018 following press reports.

Asked what data it holds on dark ads, Facebook provides some information but it’s also being a bit vague here too — saying: “In general, Facebook maintains for paid advertisers data such as name, address and banking details”, and: “We also maintain information about advertiser’s accounts on the Facebook platform and information about their ad campaigns (most advertising content, run dates, spend, etc).”

It does also confirms it can retain the aforementioned data even if a page has been deleted — responding to another of the committee’s questions about how the company would be able to audit advertisers who set up to target political ads during a campaign and immediately deleted their presence once the election was over.

Though, given it’s said it only generally retains data, we must assume there are instances where it might not retain data and the purveyors of dark ads are essentially untraceable via its platform — unless it puts in place a more robust and comprehensive advertiser audit framework.

The committee also asked Facebook’s CTO whether it retains money from fraudulent ads running on its platform, such as the ads at the center of a defamation lawsuit by consumer finance personality Martin Lewis. On this Facebook says it does not “generally” return money to an advertiser when it discovers a policy violation — claiming this “would seem perverse” given the attempt to deceive users. Instead it says it makes “investments in areas to improve security on Facebook and beyond”.

Asked by the committee for copies of the Brexit ads that a Cambridge Analytica linked data company, AIQ, ran on its platform, Facebook says it’s in the process of compiling the content and notifying the advertisers that the committee wants to see the content.

Though it does break out AIQ ad spending related to different vote leave campaigns, and says the individual campaigns would have had to grant the Canadian company admin access to their pages in order for AIQ to run ads on their behalf.

The full letter containing all Facebook’s responses can be read here.

Facebook suspends ~200 suspicious apps out of “thousands” reviewed so far

Did you just notice a Facebook app has gone AWOL? After reviewing “thousands” of apps on its platform following a major data misuse scandal that blew up in March, Facebook has announced it’s suspended around 200 apps — pending what it describes as a “thorough investigation” into whether or not their developers misused Facebook user data.

The action is part of a still ongoing audit of third party applications running on the platform announced by Facebook in the wake of the Cambridge Analytica data misuse scandal where a third party developer used quiz apps to extract and pass Facebook user data to the consultancy for political ad targeting purposes.

CEO Mark Zuckerberg announced the app audit on March 21, writing that the company would “investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity”.

Apps that would not agree to a “thorough audit” would also be banned, he said then.

Just under two months on and the tally is ~200 ‘suspicious’ app suspensions, though the review process is ongoing — and Facebook is not being more specific about the total number of apps it’s looked at so far (beyond saying “thousands”) — so expect that figure to rise.

In the Cambridge Analytica instance, Facebook admitted that personal information on as many as 87 million users may have been passed to the political consultancy — without most people’s knowledge or consent.

Giving an update on the app audit process in a blog post, Ime ArchibongFacebook’s VP of product partnerships, writes that the investigation is “in full swing”.

“We have large teams of internal and external experts working hard to investigate these apps as quickly as possible,” he says. “To date thousands of apps have been investigated and around 200 have been suspended — pending a thorough investigation into whether they did in fact misuse any data. Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before 2015 — just as we did for Cambridge Analytica.”

Archibong does not confirm how much longer the audit will take — but does admit there’s a long way to go, writing that: “There is a lot more work to be done to find all the apps that may have misused people’s Facebook data – and it will take time.”

“We are investing heavily to make sure this investigation is as thorough and timely as possible,” he adds.

Where Facebook does have concerns about an app — such as the ~200 apps it has suspended pending a fuller probe — Archibong says it will conduct interviews; make requests for information (“which ask a series of detailed questions about the app and the data it has access to”); and perform audits “that may include on-site inspections”.

So Facebook will not be doing on site inspections in every suspicious app instance.

We’ve asked Facebook a series of follow up questions about the ~200 suspicious apps it’s identified, and more broadly about the ongoing audit process and will update this post with any response.

For instance it’s not clear whether the company will publish a public list of every app that it suspends or deems to have misused user data — or whether it will just notify affected individuals.

Given the likely scale of data misuse by developers on its platform there is an argument for Facebook to publish a public list of suspensions.