Mark Zuckerberg's 3,000 word blog post about his plan to create a parallel set of Facebook services that contain long-overdue privacy protections has plenty to please both the regulators who are increasingly ready to fine the company billions and possibly even break it up, but also privacy advocates who will rightly cheer the announcement that the service will be increasing its end-to-end encryption offerings, only storing data in countries with good track records on human rights and the rule of law, and allowing users to mark some of their conversations as ephemeral, designed to be permanently deleted after a short while.
But Zuckerberg's promises contain one important omission, as Wired's Issie Lapowsky and Nicholas Thompson point out: Zuck does not mention his company's future plans for data sharing and ad-targeting, two of the company's most controversial and potentially compromising activities.
It's likely that Facebook plans to earn money from its end-to-end encrypted services by analyzing the metadata — who sends things to whom, where, and in what context — while ignoring the payloads of the messages, which it will no longer be able to access. This will severely limit the service's userfulness to law enforcement, spies, and other parties who might nonconsensually seek access to your conversations, but it still affords an enormous wealth of metadata that Facebook will likely mine to target ads to you.
After all, the NSA's primary bulk-data collection focuses on metadata, not "data" (though in truth there is no firm line delineating the two) — computers are really good at analyzing the kinds of metadata that other computers generate, after all, and struggle with the messy, unstructured data that messy, unstructured human beings generate.
A cynic might wonder whether Facebook's much-vaunted AI-based text analysis tools have born little fruit and so Facebook can safely jettison all the "sentiment analysis" and "natural language parsing" stuff that it sells to advertisers and focus on tried-and-tried inferences from metadata — scoring a huge PR win and gracefully exiting an expensive R&D boondoggle.
But that said, a Facebook of ephemeral conversations and encrypted payloads would be a massive game-changer in global privacy, affecting billions of people.
…If Facebook goes through with it. These are announcements of future plans, not product rollouts with firm dates, and there is plenty of wiggle room in Zuckerberg's "promises" — for example, will the metadata from ephemeral conversations be just as ephemeral, or will it stick around forever?
What's more, Zuckerberg and Facebook have a well-deserved reputation for reneging on their promises and lying about their privacy practices, and unless they institute independent, third-party audits and open their client sourcecode to public scrutiny, we'll have to take their word for it.
So we need to hold their feet to the fire. The company is battered and demoralized and frankly terrified of what regulators in California, the EU and elsewhere might do to them. These concessions are not enough, but they are a start.
Zuckerberg listed six privacy principles, but there was one glaring omission: He said nothing about how Facebook plans to approach data sharing and ad targeting in this privacy-focused future. The free flow of data between Facebook and third-party developers is, after all, the issue that caused the jaws of the national media to snap onto the company's leg. One year ago this month, news broke that a man named Aleksandr Kogan had misappropriated the data of tens of millions of users and sent it to a shady political consulting firm called Cambridge Analytica. It soon became clear that Cambridge Analytica was not alone and that Facebook had allowed thousands of developers to collect data for years.
The company's loose policies on data collection over the years are also what allowed it to build one of the most successful advertising businesses in history. All the data the company collects helps advertisers segment and target people. And it's the relentless pursuit of that data that has led to Facebook being accused of making inappropriate deals for data with device manufacturers and software partners. This is a history that Zuckerberg knows well, and one that he acknowledged in his post. "I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform—because frankly we don't currently have a strong reputation for building privacy protective services," he wrote.
Facebook's Pivot to Privacy Is Missing Something Crucial [Issie Lapowsky and Nicholas Thompson/Wired]