Naked Security

Congress grills Zuckerberg, day one: How does this online stuff work?

On Tuesday, senators began their questioning of the virgin-to-Congressional-grilling, Mark Zuckerberg.

Yikes, Facebook CEO Mark Zuckerberg said in prepared remarks for a rare joint hearing of the Senate Judiciary and Commerce Committees on Tuesday and Wednesday: malefactors have used reverse-lookup “to link people’s public Facebook information to a phone number”!
Quelle surprise, according to Zuckerberg’s prepared remarks: Facebook only discovered the incidents a few weeks ago, they claim, and immediately shut down the phone number/email lookup feature that let it happen.
Zuckerberg’s remarks:

When we found out about the abuse, we shut this feature down.

And thus, to borrow the Daily Beast’s phrasing, Zuckerberg gaslighted Congress before the hearings even started.
On Tuesday, senators were ready, though, to grill the virgin-to-Congressional-grilling about that “Well, shucks, we just found out” bit. Sen. Dianne Feinstein was the first to jump in with the fact that Facebook learned about Cambridge Analytica’s (CA’s) misuse of data in 2015 but didn’t take significant steps to address it until the past few weeks.
Zuckerberg’s response, reiterated many times during five hours of testimony: We goofed. CA told us it deleted the data. We believed them. We shouldn’t have. It won’t happen again.
Sen. Chuck Grassley asked the CEO if Facebook has ever conducted audits to ensure deletion of inappropriately transferred data (it seemed to have an audit allergy, at least during whistleblower Sandy Parakilas’s tenure), and if so, how many times?
My people will get back to you on that, Zuckerberg said… Many times, to many questions.

But with regard to app developers’ handling of user data, Facebook will do better, he promised: It will take a more proactive approach to vetting how app developers handle user data, will do spot checks, and will boost the number of audits.
It was the email/phone lookup feature that data-analytics firm CA – one of the multiple rocket thrusters that pushed Zuckerberg into getting this call from Congress – used to scrape users’ public profile information. In CA’s case, we’re talking about profile information of 87 million users – that would be “most people on Facebook”, according to Facebook – who were subjected to data harvesting without their permission.
In response to CA (and Russia, and bot, and fake news) outrage, Tuesday’s testimony was the same litany of apologies and pledges to do better that Facebook’s been singing since its founding, 14 years ago. That’s 14 years of moving fast and breaking things, including any notion that it might choose to protect users from its customers. Wired has called it the “14-year apology tour.”
The more things change, the more things stay the same. Wired:

In 2003, one year before Facebook was founded, a website called Facemash began nonconsensually scraping pictures of students at Harvard from the school’s intranet and asking users to rate their hotness. Obviously, it caused an outcry. The website’s developer quickly proffered an apology. ‘I hope you understand, this is not how I meant for things to go, and I apologize for any harm done as a result of my neglect to consider how quickly the site would spread and its consequences thereafter,’ wrote a young Mark Zuckerberg. ‘I definitely see how my intentions could be seen in the wrong light.’

Tuesday’s testimony was more of the same, on the topics of CA and other Facebook app developers’ use and abuse of Facebook users’ data, on the topic of how Facebook could possibly have been unaware of what Russian actors were up to when using the platform to tinker with the 2016 US presidential election, on Russian bots spreading discord and fake news.
It wasn’t so much a grilling. It was more of a golden toasting. Much of this had to do with the fact that some senators proved themselves to be fairly clueless about the intricacies of technology and online business models.
An example: Sen. Bill Nelson rambled on for a bit about posting about dark chocolate and suddenly having ads for dark chocolate pop up on Facebook. Could it be that Facebook might, as COO Sheryl Sandberg suggested on the Today show, charge people to not see ads about dark chocolate?!
The idea of being charged for Facebook’s “free” services really must have resonated. An exchange between Sen. Orrin Hatch and Zuckerberg:

Hatch: ‘How do you sustain a business model in which users don’t pay for your service?’
Zuckerberg: ‘Senator, we run ads.’

Not all senators proved out of their depth. As CNN notes, Sen. Lindsey Graham was “smart and informed.” The same goes for Sen. Brian Schatz, who nailed Zuckerberg down on what it means when Facebook claims that every user “owns” his or her own information. Sen. Chris Coons highlighted the problems inherent in Facebook’s ad targeting: What if a diet pill manufacturer was able to target teenagers struggling with bulimia or anorexia?
But Zuckerberg stuck to a strict script. He likely made his coaches proud. He had, in fact, been coached like a politician getting ready for a televised debate.
According to the New York Times, Zuck’s been undergoing “a crash course in humility and charm,” including mock interrogations from his staff and outside consultants.
More takeaways from Tuesday’s testimony:

Facebook is open to the “right” regulation.

Sen. Maggie Hassan: Will you commit to working with Congress to develop ways of protecting constituents, even if it means laws that adjust your business model?
Zuck: Yes. Our position is not that regulation is wrong. [Facebook just wants to make sure it’s the “right” regulation.]

Cambridge University professor Aleksandr Kogan shared user data with other firms besides CA.

Sen. Tammy Baldwin asks whether Kogan sold the data to anyone besides Cambridge Analytica.
Zuck: Yes, he did.
He mentioned Eunoia as one of the companies but said there may be others.

Not banning CA in 2015 was “a mistake.”

Zuck corrected an earlier statement: CA was, actually, an advertiser in 2015, so Facebook could have banned the firm when it first learned of its data scraping. Zuck says not doing so was a “mistake”.
Where does Facebook go from here? As New Yorker writer Anna Wiener noted in a roundtable discussion, it’s in a bind:

To ‘fix’ Facebook would require a decision on Facebook’s part about whom the company serves. It’s now in the unenviable (if totally self-inflicted) position of protecting its users from its customers.

Well, we may not know how Facebook is going to figure that one out, but we know where it’s going today: back to Congress for more of the same.


The booster seat is the real news. After being before Congress, Zuck had a bah bah of apple juice and a nap!

