Editor’s Note: Alexander J. Urbelis is a lawyer and self-described hacker with more than 20 years’ experience with information security. He has worked as a graduate fellow in the Office of General Counsel of the Central Intelligence Agency, as a law clerk at the US Court of Appeals for the Armed Forces and as an associate in the New York and Washington offices of Steptoe & Johnson. He was also information security counsel and chief compliance officer of one of the world’s largest luxury conglomerates. He is currently a partner in the Blackstone Law Group and CEO of a separate information security consultancy. Follow him on Twitter @aurbelis. The views expressed in this commentary are his own. View more opinion articles on CNN.
The UK Parliament published more than 200 pages of internal Facebook documents and communications on Wednesday after employing a series of bold and unprecedented moves against the social media company. The revelations in the documents only add to mounting reports of Facebook’s questionable practices, which will no doubt lead to additional government inquiries.
The documents reveal Facebook routinely rewarded friendly companies with access to users’ data while withholding it from other organizations that were seen as potential threats, according to Damian Collins, a member of Parliament who chairs the Digital, Culture, Media and Sport Committee.
What follows are a few of the juiciest revelations that could have significant repercussions for Facebook.
When Facebook was planning to change its Android mobile app to collect highly sensitive user data – i.e., records of telephone calls and text messages – a product manager acknowledged the move “was a pretty high-risk thing to do from a PR perspective.” But the product manager went on to write that “the growth team will charge ahead and do it.” To avoid public scrutiny, Facebook considered rolling out an update that would not include an explicit notification of data collection.
The documents also reveal that Facebook gave certain companies, such as Netflix, Badoo, Bumble, HotorNot, Lyft and AirBnb access to users’ friend data. In one February 2015 email, Netflix wrote to Facebook to confirm it would be “whitelisted for getting all friends, not just connected friends.”
While Facebook “whitelisted” some companies, it also limited its competitors’ access to data. The documents reveal Facebook CEO Mark Zuckerberg personally agreed to do this to Vine, a video sharing app that Twitter acquired in 2012.
Facebook responded to the release on Wednesday with a statement that read, “The documents were selectively leaked to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we’ve never sold people’s data.”
Regardless, the bizarre series of events and the aggressive tactics Collins used to obtain the documents have serious implications for Facebook’s future.
British authorities obtained the documents – which were sealed in California – after serving several orders on Ted Kramer, founder of the company Six4Three, while he was on a business trip in London. Kramer eventually turned the documents over to Collins after the Parliament’s sergeant-at-arms personally delivered an order at his hotel.
Six4Three filed a lawsuit against Facebook in California after its bikini photo-finder app shut down. The app relied on users’ friend data, but the social media company restricted this information to third-party apps in 2015. While Facebook cited privacy concerns for this change, Six4Three claims Facebook wanted to use the data to bring in advertising money.
Given these highly unusual circumstances, one has to ask the obvious question of cui bono – who benefits – because the release of these documents only strengthens Six4Three’s litigation position by dragging Facebook through the mud. The relationship between Collins and Kramer is a perfect example of the aphorism that “my enemy’s enemy is my friend.”
Clearly, Parliament does not trust Facebook. The DCMS committee could have sought the same documents from Facebook’s UK offices. But instead of trusting Facebook to provide full and accurate responses, the DCMS resorted to high-pressure tactics directed at Kramer. The DCMS won the bet when it wagered Kramer would eventually fold.
In doing so, the DCMS prioritized the acquisition and publication of the Facebook documents over international norms of comity. The DCMS committee was well aware the documents were subject to a protective order of a California court.
In choosing to publish what it did, the DCMS committee must believe that the revelations contained in these documents outweigh any fallout with the US legal system as well as attendant diplomatic consequences with the United States. When a Parliamentary committee acts so aggressively, you know they have it out for Facebook and will stop at nothing to unearth the truth.
Last week, Canadian lawmaker Charles Angus blasted Facebook during a hearing in London attended by politicians from nine countries as part of an international inquiry into disinformation and fake news. Angus, who said Facebook had “lost the trust of the international community to self-police,” also called for regulation. “Perhaps the best regulation is antitrust. Perhaps the simplest form of regulation would be to break Facebook up or treat it as a utility,” he said.
The die, however, is not yet cast, and antitrust action would be a slow-moving process. It’s more likely that Facebook will continue to try evading governmental regulation and break itself into subsidiary components before any sovereign power orders them to do so.
In the meantime, each company that appears to have received favorable data access from Facebook can expect to receive subpoenas and equivalent legal process from Congress, Parliament and perhaps other foreign legislative bodies. Most of these legislative bodies are comprised of former lawyers, and a good lawyer knows how to ask probing questions.
Compelling executives from companies like Lyft or Airbnb to testify about Facebook’s data access program may be the most effective way to uncover what Facebook knew about the data it shared with developers, and how that led to the Cambridge Analytica fiasco.
If there’s anything these hearings have shown, it’s that Facebook can no longer resist government scrutiny without suffering major repercussions. Lawmakers at last week’s hearing in the UK made it clear that they were extremely disappointed with Zuckerberg’s refusal to attend and answer their questions directly.
If Facebook continues to thumb its nose at government inquiries, it is highly likely that Congress and other foreign bodies will take a page from the DCMS committee playbook and start targeting third parties.
If this is the path of least resistance to the truth, it is a path of Facebook’s own making. Facebook is likely to learn that its internal information will be made available to the public – it is simply a matter of how and when.
Parliament’s decision to publish Facebook’s emails and other sensitive information will no doubt lead to further inquiries in the UK and abroad, embroiling Facebook’s partners along the way. As stewards of our personal data, the public and elected officials are right to demand direct answers to hard questions that Facebook has thus far evaded. If Zuckerberg intends to do right by the public – and Facebook’s shareholders – it would behoove him to show up at the next hearing.