Facebook Isn’t the (Whole) Problem
It’s Time for Companies to Take Back Control of Their Data.
In recent years, it seems that grumbling about social media giant Facebook has become something of a hobby. Its often cavalier attitude towards data keeps landing it in trouble, and rallying cries from its users to quit Facebook and its subsidiaries are common. Facebook “earned” its reputation justly, but the problem of how data is handled goes far beyond Facebook, and calling on it to enforce its policies isn’t enough. To truly protect user data, we need to go straight to its source.
Third Parties and Your Company’s Data
When companies embed third party tools—such as Facebook’s business tools—into their websites and mobile apps, they’re leaving the door open for those third parties to access their user data. Sometimes that data is relatively benign, such as the purchase of a pair of red shoes. But other times, the data is far more sensitive and includes financial information such as credit card numbers or interest in a mortgage or loan, or details that begin to paint a medical profile, such as a search for a psychologist or fertility tracking.
The problem isn’t limited to Facebook. Third party tools are used everywhere, and established companies use, on average, 12-18 third party tools for their websites and 3-5 for their mobile apps (1). They’re also an unavoidable part of doing business, as the analytics they provide are necessary for companies to understand their users’ experience and to grow. But while users willingly give their data to the websites and apps they visit, what happens to that data when third parties access it is a little murkier.
Unfortunately, most of the time when companies use third party tools, they’re essentially ceding control of their data, giving those third parties the same privileges and access to users’ data as if it were for their own use. Furthermore, once it’s on the third party servers, companies can no longer protect that information from being repurposed, shared, or exposed in data breaches—it’s as if they’ve sent it into a void.
Why We Can’t (Only) Blame Third Parties
There are supposed to be measures in place to stop sensitive data from being transmitted. Facebook’s own policy prohibits web applications that use their business tools from sending data related to health, political and sex preferences, or other personal matters to their servers. Yet that policy isn’t properly enforced, as was recently evident when data from the period tracking app Flo became available, showing when its users were menstruating, ovulating, or pregnant (2). So while companies often rely on the third party providers to maintain their users’ privacy, the reality is that those third parties are failing to do so.
Recently, in what was a fairly damning report, New York State’s Department of Financial Services (NYDFS) called on Facebook to better enforce its own policies and take steps to ensure sensitive and identifying data isn’t transmitted by apps using its business tools. Their proposed solution includes requiring Facebook to use keyword triggers to block certain types of data from being sent to their servers. But while such measures are a step in the right direction, on their own they won’t completely solve the problem.
One issue is that while Facebook may be the most visible third party tool companies use, it’s still only one of many. It’s easy, and maybe even trendy, to blame Facebook for mishandling data. But placing the blame squarely on Facebook’s shoulders, as the NYDFS does, doesn’t address the data accessed by the 15 other third party tools any given website is using. Nor does it address the responsibility that companies themselves have to take in protecting their user data.
Furthermore, putting the responsibility on Facebook shows that the NYDFS doesn’t understand the full scope of how data is collected and transmitted. A trigger that blocks data containing the keyword “ovulating,” for example, only solves part of the problem: Data isn’t only collected in keywords. It’s collected in yes/no surveys, in multiple choice, and in a myriad of other ways that can paint a very full picture of a user without tripping the system. In other words, even if Facebook enacts its own policies to its fullest extent, it may still collect data it doesn’t intend to. So the question remains, who is responsible for securing that data?
In Europe, where the General Data Protection Regulation (GDPR) went into effect in May 2018, the answer is clear: companies are responsible for their own data, and any mishandling of it will incur a hefty fine. In the United States, website owners and publishers haven’t had to bear the responsibility, but that’s starting to change, with the California Privacy Rights Act (CPRA) paving the way. And if companies want to get ahead of fast-changing regulations, it’s in their best interest to shoulder the responsibility for their data themselves.
Regaining Control of Your Data
Changing regulations aren’t the only reason companies should take responsibility for their own data. In today’s climate of privacy protection, mistrust by users is a reason to abandon a product. It’s what led to a recent wave of downloads of apps such as Signal, as a chat alternative to the Facebook-owned WhatsApp. Users are demanding transparency from the companies they use and protection of their personal information—and rightfully so. As more and more of our lives are lived digitally—from how we bank to the way we interact with our friends to our medical records to the food we buy—we need to be able to expect some level of privacy.
How, then, can companies ensure that their data isn’t being used (and misused) by the third party providers they’re utilizing? The answer is to take control of protecting it themselves. After all, website and mobile app builders are the ones with the full picture of their own data. The good news is that solutions like QPrivacy can help companies control what data goes to third parties and how, by ensuring the privacy settings companies put in place are enacted. That means the freedom to continue using third party tools for analytics, without the fear of privacy being compromised by data being repurposed, shared, or breached.
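The gap in keyword triggers described earlier, next to a filter applied at the source before any event is handed to a third-party tool, as an added example (not from the original article or from any product it names). The event shapes, keyword list and allowlist policy are constructed assumptions.

```javascript
// Constructed sample events, as a site might pass them to a third-party analytics tool.
const SAMPLE_EVENTS = [
  { name: "search", props: { query: "am i ovulating" } },
  { name: "survey_answer", props: { question_id: "q7", answer: "yes" } },
  { name: "log_entry", props: { cycle_day: 14, option: 3 } },
  { name: "purchase", props: { sku: "red-shoes-42", value: 59.9 } },
];

// Hypothetical keyword list of the kind a receiving party might apply.
const BLOCKED_KEYWORDS = ["ovulating", "pregnant", "menstruating"];

// Keyword trigger: an event is blocked only if a listed word appears in its text.
function passesKeywordTrigger(event) {
  const text = JSON.stringify(event).toLowerCase();
  return !BLOCKED_KEYWORDS.some((word) => text.includes(word));
}

// Source-side allowlist (hypothetical policy): for each event name, the only
// properties allowed to leave the site. Events not listed are dropped entirely.
const OUTBOUND_ALLOWLIST = new Map([
  ["purchase", ["sku", "value"]],
  ["search", []], // the search is counted, but the query text never leaves
]);

function filterAtSource(event) {
  const allowed = OUTBOUND_ALLOWLIST.get(event.name);
  if (!allowed) return null; // default deny
  const props = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(event.props, key)) {
      props[key] = event.props[key];
    }
  }
  return { name: event.name, props };
}

// Compare what would be transmitted under each approach.
function compare(events) {
  return {
    sentWithKeywordTrigger: events.filter(passesKeywordTrigger).map((e) => e.name),
    sentWithAllowlist: events.map(filterAtSource).filter((e) => e !== null),
  };
}

console.log(JSON.stringify(compare(SAMPLE_EVENTS), null, 2));
```

The keyword trigger stops only the free-text search; the yes/no answer and the numeric entry pass through untouched, while the allowlist drops both because the site owner never listed them.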