© jbareham/facebook
Facebook is beginning to realize how little control it has over its ability to regulate data collection and ad operation.
A recently leaked
internal memo from
Facebook revealed that the company has no idea where its user data are going or what it is doing with them. This revelation could complicate the company's future as
a growing number of countries attempt to regulate and protect user privacy and digital ad sales.Facebook's privacy engineers, in a 2021 memo according to
Motherboard, wrote:
"We do not have an adequate level of control and explainability over how our systems use data, and thus we can't confidently make controlled policy changes or external commitments such as 'we will not use X data for Y purpose'. And yet, this is exactly what regulators expect us to do."
The memo addressed the growing pressure from the European Union and India over the company's use of private data in advertising and claims that past policy attempts were "insufficient."
The reason for problems is what the engineers call "data lineage." Regulators have attempted to control what data are gathered and how they are used. For example, the EU's
General Data Protection Regulation requires that
any collected personal data be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." This means that any data a company collects for a specific purpose, such as identity authentication,
must only be used for that purpose and not for anything else.
However, Facebook's privacy engineers claim that they do not have enough control to maintain those standards, which makes adherence to federal regulations increasingly tricky and
could expose the company to fines over its data control.A Meta spokesperson told Motherboard:
"Considering this document does not describe our extensive processes and controls to comply with privacy regulations, it's simply inaccurate to conclude that it demonstrates non-compliance. New privacy regulations across the globe introduce different requirements, and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations."
European regulators have begun taking additional steps to regulate Facebook and Twitter. The EU established the
final wording for the
Digital Markets Act, which would combat any potential concerns about antitrust that could arise amid the various social media companies.
There are also concerns regarding how Facebook's and Instagram's handling of data transfers could lead to the social media networks being shut down in Europe.
Comment: Do you know where your data is?
Neither does Facebook!
Facebook is facing what it describes internally as a "tsunami" of privacy regulations all over the world, which will force the company to dramatically change how it deals with users' personal data.
A document was written last year by Facebook privacy engineers on the Ad and Business Product team, whose mission is "to make meaningful connections between people and businesses," and which "sits at the center of our monetization strategy and is the engine that powers Facebook's growth.".
This is the team that is tasked with building and maintaining Facebook's sprawling ads system, the core of the company's business. And in this document, the team is both sounding an alarm, and making a call to change how Facebook deals with users' data to prevent the company from running into trouble with regulators in Europe, the US, India, and other countries that are pushing for more stringent privacy constraints on social media companies.
"Facebook has a general idea of how many bits of data are stored in its data centers.Where [the data] goes part is, broadly speaking, a complete shitshow. It is a damning admission, but also offers Facebook legal cover because of how much it would cost Facebook to fix this mess. It gives them the excuse for keeping that much private data simply because at their scale and with their business model and infrastructure design they can plausibly claim that they don't know what they have."
Johnny Ryan, a privacy activist and senior fellow at the Irish Council for Civil Liberties, told Motherboard in an online chat:
"This document admits what we long suspected: that there is a data free-for-all inside Facebook, and that the company has no control whatsoever over the data it holds. It is a black and white recognition of the absence of any data protection. Facebook details how it breaks each principle of data protection law. Everything it does to our data is illegal. You're not allowed to have an internal data free-for-all."
Jason Kint, CEO of Digital Content Next, a trade organization that represents journalism publishers and an outspoken critic of Facebook, said that
"consumers and regulators would and should be shocked at the magnitude and disorder of the data inside of Facebook's systems."
The leaked document also refers to a new, unreleased, product called "Basic Ads," which the document authors refer to as a "short term" response to requirements of regulations around the world.
Original Document (PDF)
Comment: Do you know where your data is? Neither does Facebook! Original Document (PDF)