Fawning headlines about Facebook’s 10th birthday in 2014 are unlikely to be repeated as Mark Zuckerberg’s company turns 15. Back then, Facebook was winning the PR war with many of its fundamental privacy flaws failing to undergo sustained and forensic coverage on a global stage, even as its userbase ballooned beyond 1 billion. But the mood music has changed.

Facebook is now under so much fire that the company’s executives are publicly complaining about a consistently hostile reception from the press. But much of that is merely a corrective after years in which the world’s largest social network – which has reported a record $6.9 billion profit for the final three months of 2018 – was given an easy ride as it floated its benign conceit that it is only a “platform” upon which life happens.

Taking responsibility for content at last

You may agree with Zuckerberg, who in mid-2017 said Facebook’s mission was to “give people the power to build community and bring the world closer together”. Or you may simply think that Facebook exists in order to make huge amounts of money by serving its ultimate users: advertisers. But in fact both of these things are true and they coexist uneasily.

Social media is a useful place for people to build powerful communities, but during a time when political divisions around the world have been sharpened online by behavior-predicting algorithms, another thing is clear from Zuckerberg’s mission statement: Facebook is telling its users it does not and will not interfere with how those communities are built – even when its own algorithms are instrumental in forging these communities.

Yet this business strategy is underpinned by the law. In the European Union, Facebook uses Article 15 of the Electronic Commerce Directive to state that it will not intervene in the content posted on its site. The directive says that providers, such as Facebook and Google, that act as a “mere conduit”, “caching”, or “hosting” service are not obliged “to monitor the information they transmit or store.” The directive adds there is no “general obligation actively to seek facts or circumstances indicating illegal activity.”

It has taken a major scandal – linked to alleged political interference featuring personalities who would, had they been written in a spy novel, be considered too on-the-nose – for the data shared on Facebook, and what happens to it, to finally come under proper scrutiny. And questions about Facebook’s responsibility to its users have swiftly followed.

When the Cambridge Analytica data scandal rocked the company in April 2018, Zuckerberg admitted: “We didn’t take a broad enough view of what our responsibility is. It was a huge mistake. It was my mistake. […] It’s not enough to have rules that they protect information – we have to ensure that everyone in our ecosystem protects people’s information. We’re broadening our view of our responsibility.”

Our analysis of Google web search behavior in the aftermath of the scandal showed huge spikes in users looking to delete Facebook in the social network’s biggest markets.

Mark Zuckerberg at Facebook’s developer conference in 2018

Has GDPR changed Facebook? (No.)

Stronger data protection rules, known as GDPR (General Data Protection Regulation), came into force in Europe just weeks after the Cambridge Analytica story broke. GDPR was described by the UK’s Information Commissioner, Elizabeth Denham, as “an evolution not a revolution” and should bolster the data rights of the individual. Some may consider the timing to be perfect: here is Facebook messing up on privacy, and along come burly data rules that will make Zuckerberg’s company fall into line. But Facebook’s GDPR response has been easy to unpick, according to Eerke Boiten, a cybersecurity professor at De Montfort University.

“I don’t think Facebook has upped its game seriously with the advent of GDPR. It has shoehorned business-as-usual into a GDPR context with only minor tweaks,” he tells Top10VPN.com.

He says Facebook has increased the amount of information it is willing to provide when asked by users for the data it holds on them, but adds “it is still far from complete”. It excludes Facebook browsing and searching history, he says, as well as other factors used to determine friend suggestions and ad-targeting.

“There is no info on which ‘lookalike audiences’ you fit in; the template used to generate the suggestion that you are in someone’s picture is also missing. Nothing at all for the information generated outside the apps [Facebook, Messenger, WhatsApp and Instagram] including for those people who don’t have a Facebook account but are still being tracked through the web and via Facebook users’ phone contacts,” Boiten says.

Not so transparent: Facebook doesn’t let users know all the factors used to determine ad targeting.

He adds: “It still cannot justify its advertising infrastructure: bundled-in ‘consent’ with terms and conditions does not count if it is not essential to the users’ view of the service, and offloading the consent obligation to its advertising partners doesn’t work either.

“The return of automated tag suggestions in pictures also implies the processing of biometric data for identification purposes, including of anyone who has opted out of having such suggestions delivered to them and anyone who does not have a Facebook account. Biometric data as ‘special category data’ has more stringent consent requirements which are clearly not satisfied.”

Facebook-land: Larger than ever

But if GDPR is not forcing Facebook to up its game on privacy, then what is? Since Zuckerberg’s latest apology tour (he has a long history of saying sorry), some reported changes may suggest it is attempting to take responsibility for its mistakes. Another view of this would be that Facebook is working hard to avoid regulation or – more radically – to prevent its business from being broken up by competition watchdogs.

With Instagram and WhatsApp under its domain, the Facebook mothership is big enough to draw regulatory attention

It was recently revealed that Facebook was planning to integrate its messaging services, having previously promised to keep its WhatsApp, Instagram and Messenger apps separate from the mothership. Zuckerberg has also reportedly ordered engineers working on Instagram and Messenger apps to incorporate end-to-end encryption (E2EE). A former top Facebook engineer has said that such a move could be a very good thing for privacy if all the apps are upgraded to WhatsApp-level E2EE.

“Facebook Messenger and IG going E2E encrypted would pass up ‘WhatsApp encryption day’ as the most impactful uplift of communications privacy in human history,” tweeted Facebook’s former chief security officer Alex Stamos in response to the news. “We should support the idea and demand transparency in the safety-privacy-UX balancing decisions and technical details.”

On the flip side, Facebook’s seemingly privacy-friendly business move for what it now only describes as its “family of services” will rankle with at least some of its 2.7 billion user base who would perhaps prefer to try to keep those apps separate. After all, if Facebook does knit its apps together, it will have “a much more complete and integrated view” of users’ metadata, says Boiten, which it could use “for all sorts of profiling based purposes.”

Is Facebook really learning the true meaning of the word sorry – and showing it by finally securing two of the most popular apps on the planet – or is it simply saving face before its next big privacy scandal erupts? If Facebook’s most recent data-harvesting hiccup is anything to go by, all is not yet well at 1 Hacker Way.