Mozilla has announced it’s suspending its advertising on Facebook in the wake of the Cambridge Analytica privacy controversy — saying it has concerns the current default privacy settings remain risky, and having decided to take a fresh look at Facebook’s app permissions following the latest user data handling scandal.
This week the New York Times and The Observer of London reported that a researcher’s app had pulled personal information on about 270,000 Facebook users and 50 million of their friends back in 2015, and then passed that data haul to political consulting firm Cambridge Analytica in violation of Facebook’s policies.
Facebook’s policies previously allowed developers to siphon off app users’ Facebook friends data. Facebook tightened up these permissions in 2014 “to dramatically reduce data access”, as founder Mark Zuckerberg has now claimed, though evidently not dramatically enough for Mozilla.
Mozilla writes: “This news caused us to take a closer look at Facebook’s current default privacy settings given that we support the platform with our advertising dollars. While we believe there is still more to learn, we found that its current default settings leave access open to a lot of data – particularly with respect to settings for third party apps.”
It is also running a petition calling for Facebook to lock down app permission settings to ensure users’ privacy is “protected by default”, saying the current default settings “leave a lot of questions and a lot of data flying around”.
“Facebook’s current app permissions leave billions of its users vulnerable without knowing it,” it writes. “If you play games, read news or take quizzes on Facebook, chances are you are doing those activities through third-party apps and not through Facebook itself. The default permissions that Facebook gives to those third parties currently include data from your education and work, current city and posts on your timeline.
“We’re asking Facebook to change its policies to ensure third parties can’t access the information of the friends of people who use an app.”
Mozilla says it will “consider returning” to advertising on Facebook when — or presumably if — the company makes adequate changes to bolster default privacy settings.
“We are encouraged that Mark Zuckerberg has promised to improve the privacy settings and make them more protective. When Facebook takes stronger action in how it shares customer data, specifically strengthening its default privacy settings for third party apps, we’ll consider returning,” it writes. “We look forward to Facebook instituting some of the things that Zuckerberg promised today.”
We’ve reached out to Facebook for comment on Mozilla’s action and will update this story with any response.
At the time of writing Mozilla had not responded to questions about the move.
Even setting aside the current Facebook-Cambridge Analytica data handling scandal, big privacy-related changes are incoming to Facebook thanks to the European Union’s updated data protection framework, GDPR, which will apply from May 25 to any company that processes EU citizens’ personal data.
As part of those changes — and as Facebook tries to comply with the new EU privacy standard — in January the company announced it would be rolling out a new privacy center globally that would put core privacy settings in one place. That one-stop hub is yet to launch but must arrive before May 25.
Also in January Facebook published a set of privacy principles — including grand claims that: “We help people understand how their data is used”; “We design privacy into our products from the outset”; “We work hard to keep your information secure”; “You own and can delete your information”; and “We are accountable”.
Given the last of its published principles, it will be interesting to see which executive Facebook chooses to send to testify in front of Congress — to explain things like how it failed to protect the privacy of ~50M users, or even to inform people that their data had been siphoned off for illicit purposes.
Asked by CNN whether he will personally testify, Zuckerberg said he will do so “if it’s the right thing to do”. So we’ll soon find out how much that privacy accountability ‘principle’ is really worth.