2001 was not a good year for Microsoft. Its servers were ravaged by the Code Red and Nimda worms. In 2002, Bill Gates responded with his seminal ‘security memo’ to staff. He talked about security and trust — that customers should be able to trust the security of Microsoft. Since then, Microsoft has made great strides on delivering this new secure model.
2018 was not a good year for Facebook. It was fined the maximum possible £500,000 by the UK’s Information Commissioner for its role in the Cambridge Analytica scandal. It was described as a ‘digital gangster‘ by a British parliamentary committee. Multiple GDPR investigations were opened by the Irish data protection regulator. And the FTC opened an investigation that is now rumored could lead to a multi-billion dollar fine. In 2019, Facebook CEO Mark Zuckerberg responded with his own ‘privacy memo’. Only history will tell whether it becomes as seminal as the Gates memo.
“In this note,” says the Zuckerberg memo, “I’ll outline our vision and principles around building a privacy-focused messaging and social networking platform. There’s a lot to do here, and we’re committed to working openly and consulting with experts across society as we develop this.”
Zuckerberg outlines five areas of focus for the new privacy-centric Facebook: private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.
In private interactions, Zuckerberg describes a distinction between broadcast messages (posts, widely available), and intimate conversations (messaging). He expects Facebook messaging to coalesce around Messenger and WhatsApp, to be protected by end-to-end encryption, and for those services to be expanded. “If this evolution is successful, interacting with your friends and family across the Facebook network will become a fundamentally more private experience.”
The need for encryption is expanded in the second focus area. Encryption “limits services like ours from seeing the content flowing through them and makes it much harder for anyone else to access your information.” He talks about unlawful government demands for data, and the potential for saving the lives of dissidents. But he also talks about the need to cooperate with law enforcement on the detection of “truly terrible things like child exploitation, terrorism, and extortion.” He hints at improving the ability to detect bad actors by detecting patterns of activity — which implies an increased use of algorithms. This is potentially the most difficult area for a privacy focused Facebook — the balance between privacy and law enforcement requirements has not yet been solved.
Reducing permanence is designed to increase users’ confidence that old posts won’t come back to embarrass them. “I believe there’s an opportunity to set a new standard for private communication platforms — where content automatically expires or is archived over time,” says Zuckerberg. He adds, “It also makes sense to limit the amount of time we store messaging metadata.” This is the only mention of metadata in the memo.
Interoperability is designed to enable different Facebook services to work together. The memo focuses on Messenger and WhatsApp, and cites use of Marketplace as an example of increased privacy during buying and selling. “With interoperability, you’d be able to use WhatsApp to receive messages sent to your Facebook account without sharing your phone number,” he says.
The fifth area of focus is ‘secure data storage’. This is primarily a statement that Facebook will not build data centers “in countries that have a track record of violating human rights like privacy or freedom of expression.” Zuckerberg adds, “Upholding this principle may mean that our services will get blocked in some countries, or that we won’t be able to enter others anytime soon. That’s a tradeoff we’re willing to make.”
These five principles are, however, merely the first step. “Beyond that,” says Zuckerberg, “significant thought needs to go into all of the services we build on top of that foundation — from how people do payments and financial transactions, to the role of businesses and advertising, to how we can offer a platform for other private services.” One of those new services, incidentally, is expected to be the launch of Facebook’s own cryptocurrency possibly during 2019. The potential is enormous, with users in one country being able to securely transfer funds to users in another country without leaving the platform.
A Facebook cryptocurrency has not yet been confirmed — but the firm is certainly expanding its blockchain engineering force. At the time of writing, the Facebook careers page currently advertises 20 blockchain-related vacancies — although the job descriptions do not specify ‘cryptocurrency’. Typically, they say, “Our ultimate goal is to help billions of people with access to things they don’t have now — that could be things like healthcare, equitable financial services, or new ways to save or share information.”
The Zuckerberg memo is just words; but words are the necessary precursor to action. How effective these words will prove remains to be seen. They are, however, viewed positively by many in the security industry. “What Mark is outlining is a good first step, but Facebook still faces a long road in rebuilding trust,” comments Mukul Kumar, CISO & VP of cyber practice at Cavirin. “Facebook and others are now realizing that internet privacy, including potential action on the federal level, is top-of-mind and can no longer be ignored.”
Attila Tomaschek, digital privacy expert at BestVPN.com, is optimistic. The memo “demonstrated a major pivot towards committing to the privacy of the social media giant’s users,” he said. “Somehow, Zuckerberg’s announcement this week seems different, and more earnest. Time will tell, but perhaps this time we can finally count on Facebook to do what is necessary to truly protect the data and privacy of its users.”
Yuval Ben-Itzhak, CEO at Socialbakers (an AI-powered social media marketing platform with an obvious interest), added, “We welcome Facebook’s latest plans and see it as a step forward as the network continues to mature.”
But not everyone is willing to take the memo at immediate full face value. Raef Meeuwisse is author of ‘How to Hack a Human’, One of his concerns is the ability of advanced marketers to take advantage of peoples’ desire to believe what they are told; and he gave an example of ‘upgrades’ being assumed to be improvements even when they are not. There is a direct parallel within the memo under ‘reducing permanence’, where the ability to take data off the system is described as a new and beneficial option when in reality it is a requirement of many new data protection laws.
Meeuwisse is concerned about what is actually meant by ‘encryption’. “Will that content be secure and encrypted from analysis by technology inside the platform? Or is the platform considered to be inside the circle of privacy trust? For example – it is good to see that they mention that even Facebook would intend for content not to be visible to them — but does that include zero analysis by the technology? I think that would be important to clarify.”
For example, the memo states that metadata will be kept for a ‘limited’ period. But the implication is that it will be kept and it will be analyzed before it is discarded. Partly this may help with the proposed cooperation with law enforcement requirements, but primarily it could be used to maintain the Facebook advertising platform. For advertising, knowing who is talking to whom is almost as important as knowing what they say — and targeted advertising is the Facebook business model.
“Clearly, Facebook has identified that trust by subscribers is important,” continued Meeuwisse. “However, for me, I would like clarity on where exactly they would intend to earn the revenue from; and specifically for clarity on whether all the insights and metadata drawn from interactions and content are included in the privacy statement — because if it is not — then just keeping the content private from human eyes whilst using tech to analyze it and store metadata is not my view of true privacy.”
What is left unsaid in this memo is as important as that which is said. It seems clear that Zuckerberg intends to shift Facebook towards a platform that does not expose so much user content — or at least where exposure is by choice. But if the definition of privacy includes privacy from targeted advertising, that is less likely to happen.
Related: Is Facebook Out of Control? Investigations and Complaints Are Rising
Related: German Competition Watchdog Demands More Control for Facebook Users
Related: Privacy Fears Raised Over Facebook Messaging Apps Integration
Related: Several Bugs Exploited in Massive Facebook Hack
Related: Facebook Taps User Data to Defend Workers From Threats
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Tags: 
