Following the data privacy breaches resulting from the Cambridge Analytica incident, Mark Zuckerberg, founder and CEO of Facebook, was questioned by the elected officials of the Federal government. As Zuckerberg braved 10 hours of questioning over two days, a large number of things emerged.

How Facebook likely invades the privacy of its users – and non-users – was not the only thing that was exposed.

The April 10 and 11 hearings showed more than once how poor an understanding some Senators have of new-age businesses and technology platforms.

Wikipedia credits Thomas M Cooley for coining the earliest recorded definition of privacy (“the right to be left alone”) but the Facebook CEO’s hearings showed that modern technology forces lawmakers and businesses to go way beyond that. The way the Facebooks, Googles or Ubers track every single action raises too many questions to be answered in a couple of hearings.

Thankfully, the situation may not be as bad as kids spying on parents and teachers in Nicolae Ceausescu’s Romania, but the all-pervading tools appear eerie enough. Should someone decide to misuse the personal information that internet giants like Facebook are capable of harvesting and analyzing – assuming it has not already been done – the impact could range from sinister to cataclysmic.

This post explores the concept of data privacy, beginning with the 4th Amendment, and then examines and tries to make sense of the new Facebook privacy policy.

The GDPR of the EU

The General Data Protection Regulation (GDPR), adopted by the European Union (EU) in April 2016 and set to come into force on May 25, 2018, is a set of data privacy regulations that seeks to place control back in the hands of the people the data refers to. The GDPR also aims to make the various data protection policies and laws across the EU consistent.

The GDPR puts the onus of responsibility for data squarely on corporates. Because both its text and its penalty are strong – 10 million Euros or 2% of the violating company’s global turnover, whichever’s higher – the GDPR is considered both tough and well-timed.

The European Commission began its efforts to standardize data privacy laws in 1995, and these efforts were partially inspired by the 1980 recommendations of the Organization for Economic Cooperation and Development (OECD). In 2012, the EU read the writing on the wall – privacy was a bigger challenge in the digital world.

So it set out to substantially revise the then-prevalent rules. Finally, after the European Parliament garnered huge support in 2014, the EU officially adopted the GDPR in May 2016, with May 2018 being the target date of GDPR implementation.

We have done a detailed post on what GDPR is and how it impacts your business.

Meanwhile, Facebook is moving the data of its 1.5 billion+ non-EU citizens from Ireland, Europe to the USA. This is clearly to considerably reduce Facebook’s legal liabilities, since there’s no US law that comes even close to the GDPR.

US federal laws on data privacy

If you study the GDPR, US laws on data privacy pale in comparison.

Or, put more bluntly, there’s no single comprehensive law on data privacy.

If you guessed Facebook’s data collection policy thrives on this, you’d see more than one attorney agree with you.

The closest is The Privacy Act of 1974, but it stops short of covering modern-day requirements, because it primarily deals with federal agencies.

The legal system has a network of laws that sometimes overlap in some areas and leave other areas open to multiple interpretations. Best practices often prevail where there are gaps.

The following are some of the major federal acts that relate to data privacy:

  1. The Privacy Act of 1974. As the US DoJ website explains, this act “establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies” [italicization added]. Note the words federal agencies.
  2. The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act). This act deals with the collection, storage, usage and transfer of email addresses of individuals. It dictates email marketing within the US.
  3. The Judicial Redress Act 2016. This grants to foreign citizens the right to judicial redress. This does not apply to citizens of every nation in the world.
  4. The 4th Amendment. This amendment gives people a right against unreasonable searches and seizures of their houses, papers and so on.
  5. The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)), and The Health Insurance Portability and Accountability Act. These acts govern the collection, use and disclosure of financial information and medical information respectively.

As for state laws, not surprisingly, California (read Silicon Valley) leads the forming of state laws. In fact, it was a first of sorts because the California Civil Code 1798.82 clearly covers computerized data that includes personal data and unencrypted personal information.

Facebook’s new Privacy policy

Early in the 4,200-plus words of Facebook’s new Privacy Policy (that doesn’t include the cookie policy), one gets to know that the information “you provide [includes]…. the location of a photo or the date a file was created… can include what you see through features that we provide, such as our camera”.

In simpler words, if you’re using the Facebook camera, you are providing – rather than Facebook collecting – information on your whereabouts and the date and time you were there.

You may provide, voluntarily, your address book, call log and text message log. Not feeling particularly comfortable sharing your own contact details? No problem, Facebook will get them anyway when other people upload their own address books.

The other information collected includes (the standard phrase “includes but not limited to” is conspicuous by its absence):

  • Operating System
  • Hardware and software versions
  • Battery level
  • Signal strength
  • Available storage space (eh?)
  • Browser type
  • App and file names and types (ahem).
  • Whether a window is foregrounded or backgrounded, or mouse movements (seriously?)
  • Device IDs and other identifiers
  • Bluetooth signals (duh)
  • Information about nearby Wi-Fi access points, beacons and mobile phone masts (huh?)
  • Information that you allow us to receive through device settings that you turn on, such as access to your GPS location, camera or photos.
  • The name of your mobile operator or ISP
  • Language
  • Time zone
  • Mobile phone number
  • IP address
  • Connection speed and, in some cases, information about other devices that are nearby or on your network (huh? again)

Rest assured, this is by no means the only information collected.

What Facebook’s new Data Privacy Policy actually means

The Facebook Privacy Policy turns creepy if you revisit it from a technology point of view. Have a look at the following three facts.

  1. Logged out? No problem, Facebook traces you.

External website and app developers, sometimes unwittingly, share your activity data with Facebook if they are using Facebook Business tools or plugins. That means even if you’ve logged out of your Facebook account, you may still be well within Facebook’s radar.

  2. Deleted your Facebook account? You’re still traceable.

Senator John Cornyn pointedly asked, “If I choose to terminate my Facebook account, can I bar Facebook or any third parties from using the data that I had previously supplied for any purpose whatsoever?” Zuckerberg’s answer was non-committal, which might, just might, imply your data stays long after you deactivate your account.

  3. No Facebook account? No problem, Facebook can still trace you using third-party analytics.

The policy clearly says “Advertisers, app developers and publishers can send us [Facebook] information …about your activities off Facebook – including …websites you visit, purchases you make, the ads you ….whether or not you have a Facebook account or are logged in to Facebook.” You don’t need a lawyer to understand this, right?

For complete details, you might want to see this WSJ post where Katherine Bindley and Wilson Rothman clinically analyze the Facebook Data Privacy Policy.

Final words

While most of us may have read about or seen short video footage of the hearing, like this BBC video covering the key moments of Zuckerberg’s hearing, a relatively small number may have gone through everything. And fewer still might have tried to interpret everything that Zuckerberg said.

During the Joint Commerce and Judiciary Committee hearing, Mark Zuckerberg appeared to many part naïve, part secretive, part under-informed, part non-committal and part tentative, depending upon whether you’re a Facebook employee, a stock analyst or a data privacy activist.

This is the end of the first part of our 3-part series on the Zuckerberg hearings, Facebook’s Privacy Policy and the Cambridge Analytica incident.

The second part, which we hope to publish by Friday, will cover Zuckerberg’s hearing in detail and how the incident impacts Facebook in particular and the industry in general, including whether there’s going to be a paid version of Facebook anytime soon.

The third part will cover the Cambridge Analytica incident.