Facebook Apparently Doesn’t Know What It’s Doing With Your Personal Data

In a leaked memo, the social media giant appears less nefarious and more baffled with how to meet regulator demands (which is no excuse)

Facebook CEO Mark Zuckerberg listens during a joint hearing of the Senate Commerce, Science and Transportation Committee and Senate Judiciary Committee on Capitol Hill April 10, 2018
Facebook CEO Mark Zuckerberg at a 2018 Senate hearing

We’ve been tracking what Facebook has been doing with all the personal data it’s been harvesting for a few years now.

But instead of looking at the social media giant as something evil, perhaps we need to reassess: They aren’t even sure what they’re doing with all this information.

That’s the conclusion reached by Motherboard after it published a leaked internal memo written by Facebook privacy engineers. Titled “ABP Privacy Infra, Long Range Investments,” the document shares several concerns faced by the company, particularly after the EU and India enacted regulatory changes.

“Our past policy enforcement plans were already insufficient,” as the memo notes, which means even before governments got involved, Facebook had issues implementing any sort of workable plan for privacy. They add: “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation.”

Basically, Facebook built a system with open data systems. The privacy engineers use this analogy: “Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data…You pour that ink into a lake of water (our open data systems; our open culture)…and it flows…everywhere…How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

Given that this document was written by the team responsible for Facebook’s ads system — which is how they make money — this is a troubling admission. But it sounds like the company, which did issue a statement regarding the leaked document (“This document does not describe our extensive processes and controls to comply with privacy regulations, it’s simply inaccurate to conclude that it demonstrates non-compliance”), really has little control on the data it collects.

Which might ultimately be good for the company, though not its users. “It gives them the excuse for keeping that much private data simply because at their scale and with their business model and infrastructure design they can plausibly claim that they don’t know what they have,” as one former Facebook employee told Motherboard.

That said, Facebook’s lack of control is in direct conflict with the UK’s General Data Protection Regulation, which limits how collected data is used (and not re-used) on certain platforms; the social media company would, as experts told Motherboard, need to be able to tell users and regulators exactly what they’re doing with your data.

And they seemingly can’t. Whether that’s for insidious reasons or because they simply are unable to tame this monster they created, the end result is still a major concern for users and the protection of their personal info.

The InsideHook Newsletter.

News, advice and insights for the most interesting person in the room.