featured

Can a leopard change its spots? Facebook privacy under scrutiny

Opinion | 12 March 2020

Kayleen Manwaring

Senior Lecturer

Facebook is being taken to court over privacy breaches, and this has implications for other companies focused on extracting personal information at the expense of privacy, according to UNSW Sydney's Katharine Kemp and Kayleen Manwaring

The Office of the Australian Information Commissioner (OAIC) recently brought proceedings against Facebook in the Federal Court, asking the court to impose financial penalties for serious interference with the privacy of more than 300,000 Australians.

To our knowledge, this is the first time the privacy regulator has sought civil penalty orders under the Privacy Act.

Facebook responded by saying it had made “major changes” to its platforms “in consultation with international regulators”.

This response is none too comforting, given Facebook’s current data practices (which include collecting data of consumers who have never used Facebook). The company also has a history of misrepresentations regarding data privacy.

What is Facebook being sued for?

In 2014, Facebook users were offered an app called “This is Your Digital Life”, which paid users to take a personality quiz. The app harvested the data not only of the person taking the quiz but also of their Facebook friends, who had no knowledge of the app or the data collection.

The app developer then sold that information to a political lobbying company, Cambridge Analytica, which used the personal data for political profiling. This profiling was apparently used to aid in the election of US President Donald Trump in 2016, among other things.

Worldwide, approximately 87 million Facebook users were affected. In Australia, only 53 users downloaded the app, but still, around 311,000 people were affected.

Cambridge Analytica-min.jpg — The UK privacy regulator fined Facebook GBP500,000 over the Cambridge Analytica breach. Image source: Shutterstock

The OAIC alleges that Facebook contravened the Privacy Act by allowing users’ personal data to be used for purposes that were not properly disclosed, and by failing to take proper steps to protect users’ personal data.

Facebook privacy: better late than never

The OAIC’s action follows similar action against Facebook by regulators around the world. In 2018, the UK privacy regulator fined Facebook the maximum GBP500,000 over the Cambridge Analytica breach. Last year, the US Federal Trade Commission (FTC) settled with Facebook on a record-breaking US$5 billion payment in respect of related conduct.

While the OAIC’s action should be encouraged, we should not overestimate the impact on Facebook.

If the Federal Court finds the alleged contraventions occurred, Facebook could face fines of up to A$1.7 million for each contravention. (There is likely to be debate over what constitutes a single contravention, and therefore how many contraventions there were.) That may sound hefty, but we should put it in context.

When the US$5 billion settlement with the FTC was announced last year, Facebook’s share price went up. The settlement represented only about 7 per cent of Facebook’s 2019 revenue of more than US$70 billion.

Facebook is still collecting data about non-Facebook users

Facebook responded to the announcement of the OAIC action by saying it has upgraded privacy protections: "We’ve made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data."

Mark Zuckerberg-min.jpg — Facebook's Mark Zuckerberg said the company has upgraded privacy protections for users. Image source: Shutterstock

But has the leopard changed its spots? While Facebook has made some adjustments to the settings available to Facebook users, it continues, for example, to track the activities of consumers on third-party websites, when a Facebook user is not logged in and even when the consumer has never been a Facebook user.

The social media giant says it collects information about anyone who visits a website or app that uses “Facebook Products”, which includes anywhere you see Facebook “Like” buttons or an option to “sign in with Facebook”.

You don’t need to click on the “Like” button or sign in with Facebook for this to happen. According to Facebook, it collects this information “without any further action from you”.

Facebook does this by placing a cookie on your computer or device when you visit the third-party website. It then collects data about what you do online, including your use of other websites and apps, and information about your device, which can be highly individual.

As the Australian Competition and Consumer Commission pointed out last year, it’s unlikely non-Facebook account users could even find out about this practice.

What could they do with our data?

According to its Cookie Policy, Facebook can broadly use this data to offer you products and to “understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in”.

Facebook was fined for making misleading representations when it acquired WhatsApp. Image source: Shutterstock

In 2018, Facebook told the US House of Representatives that it does “not use web browsing data to show ads to non-users or otherwise store profiles about non-users”. However, its Cookie Policy does not reflect these claims, and it has not said it will stop collecting this data.

More than that, Facebook has in the past claimed it will limit data use, before going back on it later. When Facebook acquired WhatsApp in 2014, it told regulators it would be unable to automatically match Facebook and WhatsApp user accounts after the merger. The European Commission has since fined Facebook for making incorrect or misleading representations in this respect.

Similarly, the action brought by the US FTC referred to repeated misrepresentations by Facebook about the extent to which users could control the Facebook privacy settings of their data.

Facebook may have made some changes, but it is still an advertising business with a history of privacy infringements that makes tens of billions of dollars each quarter from collecting and monetising oceans of personal data.

Other companies are similarly focused on extracting personal data at the expense of privacy. Consumers should hope this is only the first of many more actions by the privacy regulator.

Katharine Kemp is a Senior Lecturer, Faculty of Law, UNSW, and Academic Lead, UNSW Grand Challenge on Trust, UNSW. Kayleen Manwaring is a Senior Lecturer, School of Taxation ＆ Business Law, UNSW. A version of this post first appeared on The Conversation.

Privacy Regulation Social media Law

Republish this article

Republish

You are free to republish this article both online and in print. We ask that you follow some simple guidelines.

Please do not edit the piece, ensure that you attribute the author, their institute, and mention that the article was originally published on Business Think.

By copying the HTML below, you will be adhering to all our guidelines.

Press Ctrl-C to copy

<h1>Can a leopard change its spots? Facebook privacy under scrutiny</h1>

<figure><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/0dd854a8-0111-49dc-af31-f9f4507f5811/Facebook%20privacy%20hero-min.jpg?w=1320" alt="Facebook privacy under scrutiny" /><figcaption>Facebook privacy under scrutiny</figcaption></figure>
 The <a href="https://www.oaic.gov.au/about-us/">Office of the Australian Information Commissioner</a> (OAIC) recently <a href="https://www.oaic.gov.au/updates/news-and-media/commissioner-launches-federal-court-action-against-facebook">brought proceedings against Facebook</a> in the Federal Court, asking the court to impose financial penalties for serious interference with the privacy of more than 300,000 Australians.
To our knowledge, this is the first time the privacy regulator has sought civil penalty orders under <a href="http://classic.austlii.edu.au/cgi-bin/sinosrch.cgi/au?method=boolean&rank=on&query=cth%20consol_act%20pa1988108%20s13g">the Privacy Act</a>.
<a href="https://www.smh.com.au/politics/federal/information-commissioner-takes-action-against-facebook-over-cambridge-analytica-scandal-20200309-p548aw.html">Facebook responded</a> by saying it had made “major changes” to its platforms “in consultation with international regulators”.
This response is none too comforting, given Facebook’s current data practices (which include <a href="https://www.facebook.com/policies/cookies">collecting data of consumers who have never used Facebook</a>). The company also has a history of <a href="https://www.ftc.gov/news-events/blogs/business-blog/2019/07/ftcs-5-billion-facebook-settlement-record-breaking-history">misrepresentations</a> regarding data privacy. 
<h4>What is Facebook being sued for?</h4>
In 2014, Facebook users were offered an app called “<a href="https://pix11.com/2018/04/10/what-is-this-is-your-digital-life-the-facebook-app-you-may-be-alerted-about/">This is Your Digital Life</a>”, which paid users to take a personality quiz. The app harvested the data not only of the person taking the quiz but also of their Facebook friends, who had no knowledge of the app or the data collection.
The app developer then sold that information to a political lobbying company, Cambridge Analytica, which used the personal data for political profiling. This profiling was apparently used to aid in the election of US President Donald Trump in 2016, among other things.
Worldwide, approximately 87 million Facebook users were affected. In Australia, only 53 users downloaded the app, but still, around 311,000 people were affected.
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/d5458063-5589-4ef6-87e2-587f03ba9537/Cambridge%20Analytica-min.jpg" class="figure-img" alt="Cambridge Analytica-min.jpg"><figcaption class="figure-caption">The UK privacy regulator fined Facebook GBP500,000 over the Cambridge Analytica breach. Image source: Shutterstock</figcaption></figure>
The OAIC <a href="https://www.oaic.gov.au/updates/news-and-media/commissioner-launches-federal-court-action-against-facebook">alleges that Facebook contravened</a> the Privacy Act by allowing users’ personal data to be used for purposes that were not properly disclosed, and by failing to take proper steps to protect users’ personal data.
<h4>Facebook privacy: better late than never</h4>
The OAIC’s action follows similar action against Facebook by regulators around the world. In 2018, the UK privacy regulator <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/facebook-issued-with-maximum-500-000-fine/">fined Facebook the maximum GBP500,000</a> over the Cambridge Analytica breach. Last year, the <a href="https://www.ftc.gov/news-events/blogs/business-blog/2019/07/ftcs-5-billion-facebook-settlement-record-breaking-history">US Federal Trade Commission</a> (FTC) settled with Facebook on a record-breaking US$5 billion payment in respect of related conduct.
While the OAIC’s action should be encouraged, we should not overestimate the impact on Facebook.
If the Federal Court finds the alleged contraventions occurred, Facebook could face fines of up to A$1.7 million for each contravention. (There is likely to be debate over what constitutes a single contravention, and therefore how many contraventions there were.) That may sound hefty, but we should put it in context.
When the US$5 billion settlement with the FTC was announced last year, <a href="https://www.marketwatch.com/story/facebook-stock-hits-highest-price-in-nearly-a-year-after-reports-of-5-billion-ftc-fine-2019-07-12">Facebook’s share price went up</a>. The settlement represented only about 7 per cent of Facebook’s 2019 revenue of more than <a href="https://www.statista.com/statistics/268604/annual-revenue-of-facebook/">US$70 billion</a>.
<h4>Facebook is still collecting data about non-Facebook users</h4>
<a href="https://www.smh.com.au/politics/federal/information-commissioner-takes-action-against-facebook-over-cambridge-analytica-scandal-20200309-p548aw.html">Facebook responded</a> to the announcement of the OAIC action by saying it has upgraded privacy protections: "We’ve made major changes to our platforms, in consultation with international regulators, to restrict the information available to app developers, implement new governance protocols and build industry-leading controls to help people protect and manage their data."
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/4bd98f44-d82b-4a1e-9060-3bd287b13bff/Mark%20Zuckerberg-min.jpg" class="figure-img" alt="Mark Zuckerberg-min.jpg"><figcaption class="figure-caption">Facebook's Mark Zuckerberg said the company has upgraded privacy protections for users. Image source: Shutterstock</figcaption></figure>
But has the leopard changed its spots? While Facebook has made some adjustments to the settings available to Facebook users, it continues, for example, to track the activities of consumers on third-party websites, when a Facebook <a href="https://www.facebook.com/policies/cookies">user is not logged in and even when the consumer has never been a Facebook user</a>.
The social media giant says it <a href="https://www.facebook.com/policies/cookies">collects information</a> about anyone who visits a website or app that uses “Facebook Products”, which includes anywhere you see Facebook “Like” buttons or an option to “sign in with Facebook”.
You don’t need to click on the “Like” button or sign in with Facebook for this to happen. According to Facebook, it collects this information “<a href="https://www.facebook.com/policies/cookies">without any further action from you</a>”.
Facebook does this by placing a cookie on your computer or device when you visit the third-party website. It then collects data about what you do online, including your use of other websites and apps, and information about your device, which can be highly individual.
As the <a href="https://www.accc.gov.au/publications/digital-platforms-inquiry-final-report">Australian Competition and Consumer Commission</a> pointed out last year, it’s unlikely non-Facebook account users could even find out about this practice.
<h4>What could they do with our data?</h4>
According to its <a href="https://www.facebook.com/policies/cookies">Cookie Policy</a>, Facebook can broadly use this data to offer you products and to “understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in”.
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/d7237f14-3a96-464c-8c3e-7875bba2eedc/Whatsapp-min.jpg" class="figure-img" alt="Whatsapp-min.jpg"><figcaption class="figure-caption">Facebook was fined for making misleading representations when it acquired WhatsApp. Image source: Shutterstock</figcaption></figure>
In 2018, <a href="https://docs.house.gov/meetings/IF/IF00/20180411/108090/HHRG-115-IF00-Wstate-ZuckerbergM-20180411.pdf">Facebook told the US House of Representatives</a> that it does “not use web browsing data to show ads to non-users or otherwise store profiles about non-users”. However, its Cookie Policy does not reflect these claims, and it has not said it will stop collecting this data.
More than that, Facebook has in the past claimed it will limit data use, before going back on it later. When Facebook <a href="https://ec.europa.eu/commission/presscorner/detail/en/IP_17_1369">acquired WhatsApp in 2014</a>, it told regulators it would be unable to automatically match Facebook and WhatsApp user accounts after the merger. The European Commission has since fined Facebook for making <a href="https://ec.europa.eu/commission/presscorner/detail/en/IP_17_1369">incorrect or misleading representations</a> in this respect.
Similarly, the action brought by the US FTC referred to <a href="https://www.ftc.gov/news-events/blogs/business-blog/2019/07/ftcs-5-billion-facebook-settlement-record-breaking-history">repeated misrepresentations</a> by Facebook about the extent to which users could control the Facebook privacy settings of their data.
Facebook may have made some changes, but it is still an advertising business with a history of privacy infringements that makes tens of billions of dollars each quarter from collecting and monetising oceans of personal data.
Other companies are similarly focused on extracting personal data at the expense of privacy. Consumers should hope this is only the first of many more actions by the privacy regulator.
<a href="https://www.law.unsw.edu.au/staff/katharine-kemp" data-new-window="true" title="Katharine Kemp" target="_blank" rel="noopener noreferrer">Katharine Kemp</a> is a Senior Lecturer, Faculty of Law, UNSW, and Academic Lead, UNSW Grand Challenge on Trust, UNSW. <a href="https://www.business.unsw.edu.au/our-people/kayleenmanwaring" data-new-window="true" title="Kayleen Manwaring " target="_blank" rel="noopener noreferrer">Kayleen Manwaring</a> is a Senior Lecturer, School of Taxation ＆ Business Law, UNSW. A version of this post first appeared on The Conversation.

Comments

Opinion

featured

Can a leopard change its spots? Facebook privacy under scrutiny

What is Facebook being sued for?

Facebook privacy: better late than never

Facebook is still collecting data about non-Facebook users

What could they do with our data?

Republish

Related

When innovation reinforces gender and salary inequalities

How pay transparency laws have reduced salaries by 2 per cent

Six ways to avoid burnout in the end-of-year holiday rush

How authentic should a business leader really be?

Find an expert

Connect