Nothing Up My FB Sleeve

Two weeks ago,  Mark Zuckerberg penned an essay detailing Facebook’s shift towards a more privacy-focused platform. “As I think about the future of the internet,” he writes, “I believe a privacy-focused communications platform will become even more important than today’s open platforms.” For Zuckerberg, this predominantly means focusing efforts more on his private messaging services (Facebook Messenger, Instagram Direct, and Whatsapp) by including end-to-end encryption across all platforms.

 

But given mirad privacy scandals plaguing Facebook over the past few years, it is important to look critically at what Zuckerberg is outlining. Many of the critiques of Zuckerberg that have been written focus primarily on the monopolistic power-grab that he introduces under the term “interoperability.” For Zuckerberg, this means integrating private communications across all of Facebook’s messaging platforms. From a security perspective, the idea is to be able to standardize end-to-end encryption across a diversity of messaging platforms (including SMS), but, as the MIT Technology Review points out, this amounts to little more than a heavy-handed centralization of power: “If his plan succeeds, it would mean that private communication between two individuals will be possible when Mark Zuckerberg decides that it ought to be, and impossible when he decides it ought not to be.”

 

However, without downplaying this critique, what seems just as if not more concerning is concept of privacy that Zuckerberg is advocating for. In the essay, he speaks about his turn towards messaging platforms as a shift from the town square to the “digital equivalent of a living room,” in which our interactions are more personal and intimate. Coupled with end-to-end encryption, the idea is that Facebook will create a space in which our communications are kept private.

 

But they won’t, because Zuckerberg fundamentally misrepresents how privacy works. Today, the content of what you say is perhaps the least important aspect of your digital identity. Instead, it is all about the metadata. In terms of communication, the who, the when, and the where can tell someone more about you then simply the what. Digital identities are constructed less by what we think and say about ourselves, and far more through a complex network of information that moves and interacts with other elements within that network. Zuckerberg says that “one great property of messaging services is that even as your contacts list grows, your individual threads and groups remain private,” but who, for example, has access to our contact lists? These are the type of questions that Zuckerberg sidesteps in his essay, but are the ones that show how privacy actually functions today.

 

Like a living room, we can concede that end-to-end encryption will give users more confidence that their messages will only be seen by the person or people within that space. But digital privacy does not function on a “public vs. private sphere” model. If it is a living room, it has the equivalent of a surveillance team stationed outside, recording who enters, how long they stay there for, how that room is accessed, etc. For all his failings, we would be wrong to assume that Zuckerberg is ignorant of the importance of metadata. In large part he has built is fortune on it. What we see in his essay, then, is little more than a not-so-subtle misdirect.

Privacy is coming out of the shadows. Should businesses be scared?

Just a few months after Facebook’s highly-publicized data breach California passed the strongest regulations on the collection and sale of personal information that the U.S. has ever seen. Around the same time, the EU passed the General Data Protection Regulation (GDPR) that even surpass the new regulations in California. Then, late last month, Google admitted to a breach of information on their Google+ platform that potentially affected over 500,000 users.

What businesses now need to realize is that such high-profile scandals will likely have direct impacts not simply in Silicon Valley, but on a national and even global scale.

In fact, on October 22, Google, Facebook, Apple and Microsoft are endorsing a federal privacy law based upon a framework developed by the Information Technology Industry Council.

To help businesses better understand the impact privacy regulation may have for them, we have put together the top three implications these new regulations could have on businesses in the coming months.

Consumers will play an active role in how companies collect and use personal information

Perhaps the strictest aspect of California’s new regulations is the central role consumers will now play in deciding how (or if at all) their information is used. Consumers now have the right to request from companies not only what information is being collected (even allowing the consumer to request an accessible copy of that data), but also for what purpose. Moreover the law allows consumers to request that companies deleted their personal information and can even opt-out of the sale of such information.

A broader definition of protected private data.

The California Privacy Act substantially broadens what is considered ‘personal information’ and therefore increases the scope of regulations beyond what we generally consider tech companies. Under the new regulations, ‘personal information’ now includes the consumers’ internet activity, biometric data, education and employment information, as well as information on the consumer’s purchases and personal property. Broadening the definition of personal information therefore implicates far more businesses than the likes of Facebook and Google. Now, any company that collects or uses such consumer data will be subject to regulation.

Targeted advertising will become less effective

 The effectiveness of targeted online advertising campaigns relies on the extreme specificity enabled by access to consumer data. As Dipayan Ghosh of the Harvard Business Review points out, these regulations will have any impact on any business that makes use of online advertising. Targeted campaigns will become less precise and may therefore “significantly cut into the profits [ ] firms currently enjoy, or force adjustments to [ ] revenue-growth strategies.”

 Any business that has customers in California need to be seriously considering how they will now comply will these new regulations. What’s more, discussions of putting in place federal regulations are well underway and it is possible that California’s new private information laws could form the basis of such regulations. It is therefore in the best interest of any business that makes use of consumer data to seriously consider what impact such regulations could have in the coming months and years.

 What should businesses be doing now, even if they don’t fall into under California or GDPR privacy regulations?

  1. Know what data you are capturing and where it is stored.  Review your data flows in your customer, accounting, employee and other databases so you know what you are capturing, the reason you are capturing it and where you are storing it.  Keeping an accurate data inventory is critical. And, it makes good sense.
  2. Be Transparent to your users with what you are doing with their data.  Review your privacy policies.  Make sure they are free of legalese and clearly explains what you will doing with the data, who (if any) will you share the data with and what rights the user has if they want to have the data changed or removed.  Try not to think of this as a compliance exercise. Think of it as customer engagement. By doing so, you can create a better relationship with your customers because you show that you respect them and their information.
  3. Ask before you Capture — Where possible, get the user’s consent prior to capturing the data.  You will have better customers if they opt in to the relationship rather than finding themselves in one.

Privacy does not have to be viewed as compliance or even a restriction on doing business.  In fact, successful businesses going forward will use privacy as a tool for increased customer engagement.