Facebook CEO and chairman Mark Zuckerberg again told media that he made mistakes that lead to privacy violations by third-party developers and tampering in election campaigns around the world, but that he’s not going to step aside as leader of the company he founded as it begins making changes to improve privacy.
In an hour-long call with media that was mostly a question and answer session, Zuckerberg toed the line on what he’s been saying publicly since a whistleblower blew the lid off a data breach involving Cambridge Analytica. At the heart of the controversy is University of Cambridge professor Aleksander Kogan, who collected data on as many as 87 million Facebook users under the guise of academic research. When Kogan supplied that data to Cambridge Analytica for use in political campaigns that included the 2016 U.S. election and Britain’s referendum to exit the European Union, Facebook says he broke its terms of service. But questions remain about what Facebook could have done to prevent the breach, and if it did enough in response to it.
“We’re an optimistic and idealistic company,” Zuckerberg said. “It’s clear now we didn’t do enough thinking through the abuse potential and the harm that could be done with these tools.”
Facebook has been conducting an investigation on the situation with Cambridge Analytica since whistleblower Christopher Wylie revealed the data breach. It’s gained a better understanding of what happened within the last couple of days, Zuckerberg says, and as many as 87 million users could have been affected by the breach (including 622,161 Canadians). But Facebook has no way to know exactly how many accounts Cambridge Analytica originally received, or how many it still has.
“Our view is that Kogan broke the policies,” Zuckerberg said. “We need to take a broader view of our responsibility… clearly we should have done more.”
Facebook is planning to perform audit activities on Cambridge Analytica. But first, it is waiting for the U.K. privacy commissioner’s office to complete its investigation. The office requested that Facebook not interfere with Cambridge Analytica’s systems until it had a chance to perform an audit.
Despite admitting mistakes, Zuckerberg blew off questions from reporters about whether he’s still the best leader for Facebook. The board hasn’t discussed replacing him as chairman, he says. “Life is about figuring out what to do about mistakes and how to move forward.”
At the beginning of the call, a Facebook communications lead said that Facebook chief technology officer Mike Schroepfer and a couple of other business leads were available on the call to answer questions. But Zuckerberg did all the talking.
He announced that Facebook is introducing new restrictions on how developers can access user data using its APIs. In a blog post, Schroepfer goes over the changes in detail:
- The Events API will no longer provide access to the guest list or posts on the event wall. In the future, only apps approved by Facebook and agree to strict requirements will be allowed to use the Events API.
- The Groups API will restrict third-party apps, requiring approval before they can be provided access to a group. Apps will no longer be able to access the member list of a group. Approved apps won’t be able to see names and profile photos attached to posts and comments in a group.
- The Pages API will also require Facebook’s approval for developers to access.
- Facebook Login: Starting on Wednesday, Facebook required approval for all apps that request access to information such as check-ins, likes, photos, posts, videos, events, and groups. Apps must agree to new, stricter requirements, and will no longer be able to access religious or political views, relationship status and other profile information.
- Instagram platform API: Is deprecated immediately.
- Search and account recovery: Because malicious actors have used these tools to scrape public profile information (Zuckerberg guessed that if you use the default settings in Facebook, your information has been scraped in this way), the search by phone or email feature has been disabled. Account recovery has also been changed to mitigate scraping.
- Call and text history: Will limit the amount of data uploaded to servers, and all logs older than one year will be deleted.
- Data providers and partner categories: Partner categories will be shut down.
- App Controls: Starting April 9, Facebook will provide a link at the top of their News Feed so they can see what apps they use. They will be able to remove apps, and see if their information was improperly shared with Cambridge Analytica.
On the call, Zuckerberg didn’t address the investigation launched by the Privacy Commissioner of Canada, the latest examination of whether Facebook is in breach of PIPEDA, Canada’s privacy law that governs the private sector.
He also said that fixing problems at Facebook is going to take a long time.
“I wish that in three months or six months I could snap my fingers and fix all these issues,” he says. “This is a multi-year effort.”
Zuckerberg will testify before U.S. Congress April 11.