This commentary originally appeared in Chief Executive on April 10, 2018.
Facebook CEO Mark Zuckerberg appeared before Congress this week. He voiced profound apologies in his prepared testimony and yes, that got him through both days—far better than it should have. He substantively performed at a C grade level but will probably get a B+/A- market rating. This hearing is a rare joint meeting of the Senate Judiciary and Senate Commerce Committees—44 senators! There were too many legislators in each session who were too eager to sound off on the Congressional Record of privacy issues to meaningfully drill down. Plus, only a few of them have the technological insight for meaningful inquiry.
Was Zuckerberg truly contrite just because he apologized? No! He volunteered, in his prepared text, “We didn’t take a broad enough view of our responsibility, and that was a big mistake. It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.”
That is nice to say, but genuine contrition requires: 1) specific explanation of just what he did wrong; 2) the forgiveness of victims compensated for any damage; and 3) a genuine atonement to show this will not happen again.
He has yet to make good on the first requirement. Where is his explicit confession that he and Facebook were in violation of the 2011 Federal Trade Commission Consent Decree with Facebook? Marc Rotenberg and the Electronic Privacy Information Center forced Facebook to face up to serial misconduct in litigation brought to the FCC. In 2007 Facebook’s infamous Beacon program allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Their 2009 Terms of Service agreement had fine print which required all users to allow Facebook full use of all their private data: anything a user uploaded to the site for any purpose, at any time, even after the user discontinued their Facebook usage. You could not close out a Facebook account, merely deactivate it.
With these and other strategic abuses of trust, the FTC required a halt to such core Facebook practices and a duty to halt unauthorized third-party exploitation of users’ private data and to have an independent audit conducted to assure compliance if there is a breach of such trust. Zuckerberg and Sandberg did not compel such an audit of Cambridge Analytica and the unauthorized malevolent use of the private data of almost 90 million people. In fact, they hid from the public themselves for six days after the news media revealed this misconduct. There is no genuine contrition if the apologist does not even acknowledge what they did wrong.
With unknown personal identity theft issues and witting or unwitting co-conspiratorial undermining of free elections, it is hard to estimate the damages, but even Equifax was shamed into assuming responsibility for identifying victims free of charge.
As for the final requirement, Facebook is suggesting that they can offer protection of the vaults of private information and screen future covert state-sponsored advertisers. It may not matter how many controls you create. As Rakesh Loonkar of Transmit Security explained, “Once you expose personal data to an actor with bad intent, it’s gone. They have it. So while controls are important, most people will not use them and bad actors can still steal data. All of the suggestions potentially mitigate the extent of a breach like Cambridge Analytica but can’t prevent it.”
Facebook has not acknowledged what it cannot promise. They already bought the best player in identity verification, Confirm.io, but this system is only effective 50 to 70% of the time. There is not yet a good way to screen users that are “bots” or “mules”—American citizens hired by Russia, China, North Korea, Iran or other adversarial players.
Brenda Lee at 73 has sung her plaintive ballad “I’m Sorry” since she was 16 years old as part of her act. Zuckerberg has a similar act, but don’t confuse it with contrition.