The pitch of the discussion surrounding Mark Zuckerberg in the jet-wash of the Cambridge Analytica revelations begs attention in and of itself. The reaction doesn’t seem proportional to the potency of the situation but speaks to something more deep-rooted. This is not just a question about Facebook; engaging in a who-can-be-more-angry-at-Zuck competition risks missing the broader and more important question pertaining to our relationship with our data.

If we were to try and identify the single moment where an erroneous decision was made, it would be one of two points. The first might be the decision to allow app developers access to user’s friend’s data, which is actually not the bit which Zuckerberg apologised for, though he did admit to being too idealistic about the good vs bad creations which would transpire from that decision. The second would be to not follow up with Cambridge Analytica, who signed a legal confirmation that they never had access to user’s friends Facebook data, and had deleted any derivative data from their servers, which Zuckerberg did apologise for.

To deal with the second point quickly, I’ll stick my neck out and say having sought legal confirmation Facebook had fulfilled due diligence on the matter. They were lied to by allegedly nefarious actors, and so are arguably victims of Cambridge Analytica’s actions. I don’t think many of us in that situation would have decided to engage in a legal battle to send auditors to a company then not know to be anything more than a small data analytics company on the off chance they might be lying.

To the first point, none of the journalists who managed to get an interview with Zuckerberg have asked exactly what user’s friend’s data was made available through the app connection. Was it just the number of friends? Their location? Their demographic data? Equally there seems to be no reporting on whether we, as users, agreed to this data use in the terms and conditions we all accept without reading. The reason, one suspects, is because everyone was primed to be angry at Facebook and only sought enough information to justify that anger. Once a justification was landed on it was considered the finish line of reporting.

Our responsibility

Every time Facebook gets in trouble over data there are two elephants in the room. Firstly, it’s worth noting that the media like to get very angry with Facebook, because it’s one of the companies that has made life very difficult for them over the last decade or so. Facebook is one of the reasons there is no more ‘proper journalism’ especially given the recent News Feed updates. The second much bigger elephant was entertainingly reported by Reply All last November. The presenters decided to find out how much is behind the assertion that many suspect Facebook is using the mic on our phones to listen in to our conversations and advertise to us.

What they found out is that Facebook already has enough data on us, without hijacking our microphones, to target advertisements very accurately. What became clear during the episode, as the presenters spoke to users, is that none of us realise how much data we’ve willingly given up to Facebook. To the point where those they spoke to, who believed Facebook was using their microphones, are so firm in their belief they can’t be convinced otherwise. At the end of last week I took a quick poll in the office of how many apps people had granted access to their Facebook profile through Facebook Connect (logging in to other sites using Facebook). Of the 17 who responded nearly half had given access to more than 80 apps, and many were surprised at how many. The highest was 205 – the COO confidently told me before checking that his would number around 20, he found out it was 113. There was only one person who had not granted access to any apps. I had given 131 apps access and after a purge managed to get it down to 65.

In addition, how many of us are aware of Facebook Pixel and its capabilities – their tag which they can insert on other websites (like the New York Times, The Guardian, The Observer, Wired and Recode) which collects data from your use of those sites and sends it back to Facebook? If you’re logged in to any of these sites at the same time as being logged in to Facebook it can send your data back to Facebook linked to your profile. The publications which broke the Cambridge Analytica story are part of Facebook’s data collection machine, and though many websites do this and have some fairly ambiguous terms and conditions referring to it, it’s a functionality – one suspects – which would be unacceptable in many other walks of life. And simply sticking something in the Ts & Cs can’t be the solution to everything.

Through incremental improvements, what Facebook and others have done, is build a Sherlock Holmes data collection and processing engine which can make accurate deductions about what you might want to purchase. We’ve agreed to hand over a creepy amount of data and while we might want to argue that Facebook should have made that clearer, we can’t ignore the fact that we did agree to it (or at least most of it). The fact that Facebook was also scraping call and text data from Android phones is further proof that this is a general issue, since Google must take their share of responsibility as well.

We also have to admit how much we love Facebook. Of course, we could #deletefacebook, but the vast majority of us don’t want to because we enjoy it. Part of the reason we’re so angry at Zuckerberg is because the solution isn’t as simple as not using the platform anymore; most of us consider a display of indignation at Zuckerberg, such that he fixes the situation, preferable to deleting our account.

To further deflate the situation, we already have the answer to the problem. Zuckerberg should, out of respect to the jurisdictions he operates in, appear before US Congress and UK Parliament to answer questions. The former he’s agreed to, the latter he’s declined. Which shows a clear lack of respect for the notion that Facebook is a global company. But we don’t need some long period of rumination to figure out what to do here, the EU will be implementing GDPR in May and it contains all the legislation we need to provide a regulatory framework to be able to deal with a situation like this in future. The core of GDPR is worth committing to memory:

1. Breach Notifications – Any data breach must be reported to users within 72 hours if it is likely to “result in a risk for the rights and freedoms of individuals”.
2. Right to Access – All users have a right to which of their data are being process, where and for what purpose. Companies must provide on request a free copy of this information in digital form.
3. Right to be Forgotten – Companies must delete any data, draw a stop to its dissemination and halt third party processing upon user request. This also applies to any data no longer relevant to its original purpose.
4. Data Portability – Companies must provide user data in a commonly used and “machine readable” format should users want to switch services.
5. Privacy by Design – Companies must build their systems to be secure from the ground up (as opposed to add security features on as afterthoughts). This also involves “data minimisation” which means companies cannot hold any more data than are required for the processing of its duties.

Number 1., 3. and 5. would all have been relevant to the Facebook case and would provide clear legislation under which Facebook, Google and Cambridge Analytica could have been held to account.

Credit where progress is due

To say a kind word about Mark Zuckerberg is not the done thing right now. I have my criticism of Facebook, that their advertising model and product have become too blended, that Zuckerberg has not developed a product vision which reconciles the need to generate revenue, but has rather unwittingly exploited his own product to generate revenue. Which is part of the reason we are where we are now.

Facebook need to go back to their core product and draw a line around the areas where the advertising model can operate, and which leaves the majority of the product to be enjoyed in and of itself. Part of the reason people are so angry with him seems to be because their dissatisfaction with Facebook has been building for some time, they’ve watched the advertising model creep into their social media platform more and more to the point where the product they once loved has become overrun with creepy ad-algorithms. I don’t know at this point whether I’d refer to Facebook as a social media company or a data advertising company. They need to go back to their roots and find a way to earn sustainable revenue.

But, equally, this serves as a wake-up call to all of us who use any such platform. We protested too late, despite the hallmarks being perfectly apparent.

That being said, Zuckerberg has previously promised to double his platform’s safety and security team from 10,000 to 20,000, such an increase that he had to warn Wall St that it would dent profit. And since the Cambridge Analytica story has broken he has displayed a willingness to testify before Congress, has offered to pay to audit all of Facebook’s apps (to the point where they wondered whether there were enough auditors in the world), and apologised fairly emphatically. The last time UK newspaper advertising space was taken up by an apology it was from Rupert Murdoch following the phone-hacking scandal. The headline of the advert was a simple “We are sorry” – compare this to Facebook’s “We have a responsibility to protect your information. If we can’t, we don’t deserve it”.

All in all, I would argue that Zuckerberg has reacted as one might hope a CEO in hot water might react. And we should be careful, as a society, not to go after to him too hard lest we create a future situation where CEOs presiding over a tough situation, whether it’s their fault or not, think “well look what happened to Zuck, I’m going to get torn apart anyway so I might as well try and cover it up”.