Facebook & Privacy First Mentality

Quite a week for Facebook

It has been quite a few days for Facebook. First, two days ago on Techcrunch:

Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

Specifically a phone number handed over for two factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

Then, a bombshell was dropped yesterday. Per Wired:

ON FRIDAY, FACEBOOK revealed that it had suffered a security breach that impacted at least 50 million of its users, and possibly as many as 90 million. What it failed to mention initially, but revealed in a followup call Friday afternoon, is that the flaw affects more than just Facebook. If your account was impacted it means that a hacker could have accessed any account that you log into using Facebook.

Facebook’s track record in data security and privacy hasn’t been particularly stellar recently. 2018 is not 2010. Facebook doesn’t have the same dominant position as it used to in the social network market any more. Users have plenty of alternatives and substitutes to spend their time on. These scandals, coupled with its role in the “free speech vs hate speech” row, don’t do any good to Facebook’s image as well as its appeal to users when privacy has become more and more pressing as a concern to users.

Privacy & regulations

I have been resigned to the fact that there is no anonymity on the Internet and that complete privacy isn’t possible. Yet, when users trust a company with their data, whatever the data is, it’s the company’s responsibility to protect such data. As many important aspects of our lives take place on the Internet, the need to feel safe online is more overwhelming than ever. Without feeling safe, how could users feel comfortable using a service? Privacy and data security will be, if not already is, expected by default of companies. It’s not a nice-to-have feature any more. It’s a do-or-see-your-competitors-get-ahead game.

But companies are not in the business to lose money. If they are not legally required to bolster their security, don’t expect them to. That’s why companies fought hard against GDPR or privacy laws passed in California this year. And this is where I don’t understand the criticisms of some towards regulations such as GDPR. Yes, no law is perfect, especially in the beginning. That’s why we have amendments. GDPR is not an exception. It is a great first step to give power back to users and force companies to be liable for their actions/inactions.

A common criticism that I came across towards GDPR is that it makes it too expensive for small companies and startups to comply, widening the moat or competitive advantage gap between giants such as Google/Facebook and SMBs. Well, if a company with a deep pocket and better security measures has 10% of its 500,000 in user base breached, the impact is 50,000 users. If a small company with fewer recourses and much weaker security measures loses all of its 50,000 users, the impact is the same as in the first scenario. Hence, breaches at SMBs can have significant damages and ramifications as well.

Sure, the best case scenario is to have different levels of compliance applied to companies of different size. I’d love to see that happen. Nonetheless, without privacy regulations, imagine how much companies would care about our data and how much of a mess it would be. Despite having HIPAA in place, every year has been a banner year of cybersecurity in healthcare in the US and healthcare organizations spend 3% of their IT budget on cybersecurity. Verizon reported in their 2018 Payment Security Report that only 40% of all interviewed companies in North America maintained full compliance with PCI. Despite all the scandals related to data security in the past, Facebook still lets more unfortunate events happen. To be fair, I don’t imagine having impeccable security is easy. However, would companies even try to secure your data without any legal requirements?

Progress happens when we raise standards. Would cars be more environmentally friendly if we hadn’t enforced regulations on emission quality? If a university wants to raise its standard for incoming students, will it lower or raise the requirement for GMAT/SAT? Will a drug be safer for patients if the FDA enforces more or fewer tests? Big companies have the means to comply with stringent privacy regulations. Small companies/startups, though difficult, have more access to capital funding. Plus, public cloud providers are investing to have their infrastructure compliant with many compliance regulations (See more here for AWS compliance and Azure compliance). Regardless of size, companies have to take privacy seriously and consider it an integral piece of the puzzle, a competitive advantage if done right or a threat to their competitiveness if ignored.