If the public has learned anything about Mr. Zuckerberg’s trip to Washington, it’s about how brutally honest the committees have been in their critique of Facebook’s global mistake, costing 87 million users their privacy. While Facebook is definitely to blame when it comes to the poor handling of its users data, it became very clear throughout Tuesday and Wednesday’s hearings, that there is an aggressive collision between generations.
On one hand, you have many Senators who are on social media, but don’t understand the aspects of how Facebook actually works, ranging from privacy settings and messaging capabilities, to content sharing and applications integrated throughout the platform. Other Senators, however, have never engaged with social media and have a difficult time even conceptualizing the capabilities this platform has offered America and the rest of the world. Why? They didn’t grow up in this era. This is evident through many of the questions Mr. Zuckerberg attempted to answer, without cracking a smile.
At at the other end of the spectrum, you have Mark Zuckerberg and a plethora of millennials and younger folks who were born into this era of internet-connected devices and social media.
Connecting People Around The World’ Has Serious Privacy Risks
“I think that may be what this is all about…your right to privacy. The limits of your right to privacy. And how much you give away in modern America in the name of, quote, connecting people around the world.” –Senator Richard J. Durbin (D-Illinois)
Zeroing in on the issue at the heart of Facebook’s dilemma, Senator Richard Durbin (D-Illinois), asked Mr. Zuckerberg Tuesday, if he’d be comfortable sharing the name of the hotel he stayed at the night before, to which the CEO responded, “No. I would probably not choose to do that publicly here.”
That’s what this is all about. An individual’s right to privacy. Facebooks’ CEO told Congress that the platform would be investigating tens of thousands of apps, looking for suspicious activity, that would then require a full audit of understanding that data. This statement alone infers that Facebook is not aware of every app approved on its platform and how it affects users at the end of the day.
“If we find that [these apps] are doing anything improper, we’ll ban them on Facebook and will tell everyone affected,” said Zuckerberg.
Obligation In Disclosing Data Breaches
“With a platform like Facebook, Zuckerberg and his executive team, have the opportunity to set an example for corporate America, and really the world, when it comes to a data privacy standard”
–Robert Herjavec, Shark Tank Investor & CEO/Founder of Herjavec Group
Evaluating the steps Facebook took in terms of handling the data breach internally, versus the time it took for Facebook to disclose it to the general public, may present different arguments based on the industry. Yet, those in the cybersecurity fields and legal fields, believe there is a difference between a legal obligation and an ethical obligation, to disclose breaches to the public.
What Do Our Cyber-security Experts Have To Say?
According to cyber-security expert and CEO/Founder of The Herjavec Group, Robert Herjavec, a breach should be made public when there is a risk to people’s safety, whether from a personal or financial perspective. Under the European Union’s General Data Protection Regulation (“GDPR”), breach notification is required within 72 hours, when there is a risk to the rights and freedoms of EU natural persons. This was referenced throughout Zuckerberg’s questioning, in terms of whether Facebook could find a way to match up with the EU’s GDPR model.
Herjavec emphasized to me that far too often, we see companies try and brush data breaches under the rug. But, at the same time, we have seen companies take a proactive approach and communicate clearly, follow an incident response plan, and act transparently, coming out of a breach with their reputation and customer’s confidence intact.
“ In reality, there are two standards to evaluate a data breach and whether to provide notice—what you have to do under the law, and what you should do from an ethical and customer trust perspective ,” explained Scot Ganow, Co-Chair of the Privacy and Data Security practice at Taft Stettinius & Hollister, LLP, an Ohio-based law firm. Under the law, a “breach” is often a narrowly defined event, and a company first has to analyze the facts of any incident or unauthorized use or disclosure, and determine whether it truly is a ‘breach.’
Under the law, an individual or entity may not have to report an unauthorized disclosure or breach, as Facebook had chosen not to do here; however, it remains to be seen whether by disclosing it anyway, a company is choosing the right course of action in maintaining trust with customers. It’s a double-edged sword.
“It is a balancing test every time between what you have to do, and what you should do,” says Ganow. Facebook took the steps it believed were sufficient to resolve the incident, and had, according to them, assurances that the threat to the data was gone. Obviously that wasn’t the case.
Herjavec also agreed that Facebook didn’t take the right steps in its attempts of internal governance–they didn’t notify the Federal Trade Commission (“FTC”), or end-user consumers of the leak; it considered the case ‘closed,'” says Herjavec. With a platform like Facebook, Zuckerberg and his executive team have the opportunity to set an example for corporate America, and really the world, when it comes to a data privacy standard .
This isn’t the first time we’ve heard reference to the EU and their GDPR model. Most assuredly, what we do know, is that it works. Herjavec believes its critical that the U.S. adopt similar policies to the EU’s GDPR model, because “we have to.” He also told me that he envisions the U.S. adopting similar policies over the next two years.
In response to several Senator’s questions, Zuckerberg has affirmed that he would be willing to work with legislators and Senate committees on proposed regulations to make the internet safer for users.
The Mighty ‘Terms of Service’ And Ensuring Its Effectiveness
“ When it comes to enterprise security, the framework that is built to support a process, or attack, is critical ” –Robert Herjavec, on structuring Terms of Service
Everytime we download a new mobile application to our phone; or purchase a new piece of computer software, we spend little to no time scrolling through and reading what seems to be a never ending essay of guidelines surrounding what the application may do with our information. The problem, as Herjavec and Ganow have indicated, is that consumers want convenience and privacy in one basket. With convenience, comes the exploitation of our own privacy, in many respects. Convenience will always trump privacy. Unless and until tech companies like Facebook find a way to seamlessly integrate the two.
As we heard from Senator Lindsey Graham’s (R-South Carolina) rigorous questioning of the Facebook CEO, the average consumer doesn’t read the entire document.
Senator Lindsey Graham: When you look at Facebook’s Terms of Service (“TOS”), this is what you get. (holds up hundreds of pages, compiling the Terms of Service). Do you think the average consumer understands what they are signing up for?
Mark Zuckerberg: I don’t think the average person likely reads that whole document, but there are different ways in which we can communicate that better, and we are obligated to do so.
While acknowledging this, the next question turns to the point in which a companies TOS becomes ineffective and tedious. “Consumers want it both ways, and corporations take advantage of that,” says Herjavec. We don’t read the TOS–we scroll through, click accept, and download the now unauthorized app. But, we also want privacy and security. Without penalty to the organization reinforcing its policy, the TOS is already ineffective.
It’s almost as if these policies are crafted in such a way that is meant to drive consumers away from the superfluous wordings of how our data is to be used, and straight into hitting that download button on our mobile devices and computers. Admittedly enough, we have all done it.
“As an attorney, I completely see the value of having robust terms of service in place to manage the liability and compliance risks a client takes on in offering a good or service,” said Ganow. “That said, I also appreciate that there is a need to be transparent and provide your customers the ‘high points’ that they should easily understand. To that end, sometimes a company can provide both a long form and short form notice of terms and privacy practices . On the subject of brevity and transparency, I often have company leaders ask themselves, ‘what would you want to know if you were using this product?.'”
Like Ganow, Herjavec also believes there is a balance in terms of how a company can provide long and short form notices to consumers about their privacy online. He told me that privacy regulation has to start from the top down. “We need governance to balance the privacy and security mechanisms at a governmental level,” says Herjavec. Then, we need to give consumers the choice–they need to decide whether to opt in or not. The 87 million users who had their data harvested through Cambridge Analytica, did not all give Facebook their permission for their information to be utilized for those means. As consumers, we need choices. As a security professional, it always comes down to a balance of the people, process, and technology at play, which helps drive a situation.
Has Political Bias Infiltrated Facebook’s Mechanisms, Censoring User Content?
“Are you a First Amendment speaker, expressing your views, or are you a neutral public forum, allowing everyone to speak?” –Ted Cruz to Mark Zuckerberg
The twenty-first century has been a plateau, growing closer and closer to defining what our founding fathers were thinking when they drafted The First Amendment to the United States Constitution. The internet has grown from a mere communications platform, to a place where we conduct our everyday lives, demanding new considerations and arguments on free speech and how to privatize this space.
In response to Senator Cruz’s insistence that Facebook has become a politically biased platform, censoring content that doesn’t meet the views of the content teams, Zuckerberg admitted that Silicon Valley “is an extremely left-leaning place,” but ultimately denied Senator Cruz’s assertion that this left-winged bias has infiltrated the systems and beliefs of Facebook.
Facebook isn’t transparent when it bans accounts or kicks people off. They just do it. This is problematic in many instances, because it creates assumptions that the company is restricting user’s freedom of speech, which may associate with certain beliefs or even more extreme organizations. This takes root in the Russian-backed accounts during the 2016 U.S. Presidential Election.
“It’s clear now that we didn’t do enough to prevent these tools from being used for harm.”
–Zuckerberg identifies failure to address hate speech, fake news, and bots, to the Senate Judiciary and Commerce comittees
Hate speech is in the eye of the beholder, or so it may seem, to Zuckerberg. The Facebook CEO stated that he feels hate speech is one of the hardest types of speech to identify, due to its linguistic nuances. “You need to understand what a slur is, and whether something is hateful,” explained Zuckerberg.
Zuckerberg’s plan to address this centers around the deployment of AI, artificial intelligence, tools, which he claims 99% of ISIS and al-Qaeda content is removed from the platform before the public even sees it. The Harvard graduate believes that in a 5-10 year period, Facebook will have the AI tools in place to even address the linguistic nuances to be more accurate in flagging content.
“What turns my stomach, is the opportunity to prevent and plan,” said Herjavec. I see this in our space all the time –when there is a breach, people look around and go ‘how could this happen.’ But, that’s just it–you never think something of this magnitude will occur, until it actually does. And this time, it’s playing out on a global scale.
I asked Herjavec what questions should be asked in situations like this, before and after a breach occurs. He provided me with the following list:
- What would you do in a similar situation?
- What plan do you have for your critical data assets?
- Who has access to those assets?
- How would you communicate a breach or incident in your environment?
“If you’re reading these headlines and not considering at minimum, what your company’s incident response plan is, and ideally an overall evaluation of your privacy policies and data access controls, then shame on you,” emphasized Herjavec.
In Facebook We Trust?
It will be very difficult for Facebook to earn the trust back of legislators, but most importantly, its users. While some may pass this off as “no big deal,” the truth of the matter is that it is a big deal. A massive one.
Despite the global disappointment in the social media giant’s actions, experts like Herjavec, are confident that Facebook can earn back the trust of its users. “People aren’t deleting their accounts, which is good,” says Herjavec. Consumers generally don’t understand the risks here, but that understanding will mature in time. There was a survey done in Times Square, years ago, where people were offered a coupon for a hamburger in exchange for giving away their social security number. Guess what the results were? 50% agreed. We as consumers don’t understand the powers of our identities and data. As a security professional, it terrifies me. As a business professional, I do believe the company can improve, and help to establish a standard for other corporations when it comes to security and privacy.
If there was anything we took away from yesterday’s testimony, it’s that legislator’s are beginning to understand how powerful tech companies, like Facebook, truly are. These are benign forces for innovation, which requires legislation. In Senator Lindsey Graham’s attempts at having Mr. Zuckerberg admit that Facebook has become a monopoly on the industry, Mr. Zuckerberg, ultimately agreed to work with the Senate on proposed regulations to help ensure the safety and privacy of all its users. As Ganow and Herjavec have told me, security isn’t perfect, but these are the steps in thinking about how to move forward.
As Zuckerberg has indicated, he is ready to work with regulators in making Facebook a leading example of what online privacy can and should be. Facebook has already begun to roll out notices to users about watching out for applications that area asking for your information. Let’s hope there isn’t another apology coming anytime soon.
Originally posted on forbes.com