The fact that we (the UK) only fined Facebook £500k [1] is an utter scandal. You can probably say $529bn is too much, but the appropriate amount might be somewhere in the middle of the two...
The reality is that putting the blame on Facebook instead of Cambridge Analytica is more of a stretch than people think.
Remember Cambridge Analytica's main founder, Aleksandr Kogan, was working at the psychology department of Cambridge University. Facebook had program to allow academic use of user data which it granted to Kogan. Kogan subsequently violated stipulations that this data not be used for commercial and political access, and upon learning of this Facebook terminated his access to this data and demanded that he delete the data that he already collected.
I'm not sure how one comes away from this thinking that Facebook is the culprit here. Sure, you can say that they were naive to believe in the integrity academics. But at no point did they willingly violate their user privacy policies, and when they discovered that a third party was abusing data they terminated access.
It's sufficient if Australia believes that Facebook's existence itself is in violation of Australian law. In this case, an fine that is too much to be paid would force Facebook to exit Australia entirely.
Cease operation in that territory and refuse connections from Australian IP Addresses? And possibly pull the related Apps from the Australian AppStore & GooglePlay.
Additionally, Australia would probably come down hard on any attempts for Facebook to market or solicit customers within their nation.
Everyone in Australia loves Facebook, Instagram, Whatsapp. It won't even need to make it to the intelligence agencies, the people will be the ones who cry first if anyone does any crying.
Facebook's revenue in 2019 was $70bn. $529bn is 7 times this. I don't think Facebook even generated close to $529bn during the entirety of its lifetime. This is not "probably say": $529bn would just not work.
EDIT: If the goal of the fine is to just kill Facebook's presence in Australia, then yeah, I guess it works. But in this case, Facebook won't pay that fine. They'll just stop operating in Australia - in other words, they'll stop taking advertiser money from there. At worst, Australia's govt will block access to FB.
If the fine structure's purpose is to prevent companies from doing extremely illegal things. Then it seems to work just fine. Facebook would be unable to repeat this mistake.
It's not like there are such things as corporate death sentences in much of the world. So there does need to be a mechanism to ensure that a company that repeatedly flagrantly violates the law is stopped from doing so eventually. Excessive fines are a way to do that, to make it so economically non-viable that it is avoided.
Now again, one can argue whether this violation is worthy of that. But on the face of it there is no reason why feasibility of payment is necessary for deciding the amount of a fine.
Capitalism has problems with pricing external costs to society. The more common example being things like pollution and climate change (something ironically that Australia is particularity bad at). The price for privacy violations here might be a bit high, but it is an externality worth pricing. The amount of money the government will need to spend fighting identity theft in response to this is just the first order effect. Economic damage from both the identity theft and loss of trust. Mental health damage done from the identity theft and leaked data being used. According to the article the government of Australia prices that at 1,700,000 per person. Which actually sounds like a reasonable amount once one considers paying police to track down thieves, prosecution, jail time, the potential for social services to have to help that person while their life is put back together, and so on.
It's the multiplication that screwed them here. That's the part that might not track quite correctly.
Fines are not maxed out at the amount of money the culprit can give, which in and itself can be quite difficult to determine (I don't want to enter the merit of the amount requested being right/wrong).
Somewhere in the middle? Can they just name any amount and the company HAS to pay? What if it doesn’t? Will they somehow try to claw the money into Australia 🇦🇺 from US 🇺🇸 banks? Maybe Australia can’t do it but Let’s say the US government said some company owes them that much. What happens?
Never mind that this exceeds the company’s entire revenue by far.
Violating privacy by publishing personally identifying information. There’s a hefty fine per occurrence, and the plaintiff is alleging that there were over three hundred thousand occurrences.
This information was not published by Facebook - Facebook's data sharing agreement was that this information would be used only for academic purposes and not shared with any third parties. After discovering that Kogan had violated these restrictions Facebook terminated his access to Facebook's API and ultimately terminated this program of giving academic institutions access to Facebook data.
Facebook was responsible for that information, they shared it with someone they shouldn’t have and then tried to cover their butts when the inevitable data breach occurred.
This is Australian privacy law we’re dealing with, not a Facebook EULA.
No, they shared it with university researchers for academic purposes which is what users agreed to. Said researchers turned around and used it for commercial and political purposes.
Sharing the data with Cambridge Analytica (for the purported use) wasn't the problem. Cambridge Analytica lying about what the data was uses for is the problem.
The level of uninformed populism is reaching Trumpian levels.
How anyone thinks that FB should be fined in any of this is ridiculous.
"We hate Facebook, they make too much money, therefore fine them!"
FB had APIs, that everyone in the entire world knew about. There maybe a little 'too open' for some, but nobody was screaming fraud. It seemed reasonable to most.
Then, a sneaky company inevitably came along and used the APIs to break the rules somewhat (arguably even then CA may not have).
As a result, FB did the prudent thing and nudged the APIs a little bit tighter. By the way - FB did the appropriate thing long before there was any scandal, any noise, any blowback.
FB investigated CA to make sure they deleted the data, in turn out CA lied and hid copies of the data.
There wasn't any material harm to anyone - even if CA was able to use the data to help target people (they weren't really), there are innumerable opportunities for companies to do that anyhow.
From the article: "Unless those individuals undertook a complex process of modifying their settings on Facebook, their personal information was disclosed by Facebook to the “This is Your Digital Life” App by default."
This is misrepresentative to the point of being a lie.
Facebook enables users to upload data and will only share such data with apps which the user has given authorization. In this case, users absolutely had to provide CA with the authority to access certain data, in the same way, they would have for any other app.
When Mark Zuckerberg visited Congress for his smackdown, it became clear very quickly that almost none of the Senators had a clue how FB even worked.
Of all the things I don't like Facebook for, there's nothing wrong with what they did here. They had a set of APIs unlike anyone had ever made before, the realized that they were probably a little to lose, so they tightened them up by their own volition.
Well I agree with you a lot of reasoning is very uninformed.
But I don't agree Facebook isn't to blame.
Power comes with responsibility. At least that is what most countries believe.
So if you make money with a very powerful tool that could potentially bring down a government (this is what a judge has to decide) then you are to blame when your APIs where to lose.
A) Facebook did not abuse their power in any way (at least in the case).
B) The notion that the resulting action 'brought down governments' is just beyond false.
Anyone involved in digital marketing knows how absurd these claims are, moreover, there are numerous other, legal, and very common practices being used all the time that are considerably more impactful.
To boot:
C) The suing government's actions are vindictive and biased. A commenter above posted a link to refer to the UK government's damage claims. As part of the countersuit, FB demanded that UK office (ICO) demonstrate it's objectivity in the situation (the judge agreed). So guess what happened? The government made a quick perusal of their own communications and realized they would be destroyed in scandal and moved for a quick resolution with a very small settlement.
FB has good and bad attributes we have to be smart about it, this kind of 'anti information angry mob' stuff should be beneath people.
B: They did not bring down any government. But the question is: is the tool named Facebook powerful enough to do so? And if true: did they do enough to prevent this?
C: Maybe they are biased. That's up to a judge to decide.
> Power comes with responsibility. At least that is what most countries believe.
But the question remains unanswered: what is Facebook to blame for? What responsibility did they shirk?
Cambridge Analytica lied about the purposes of their data and subsequently lied about deleting the data they collected. But Facebook remained true to their agreement to only share this data for academic purposes, and when they discovered that some university researchers were violating this agreement they terminated this data sharing program. With the benefit of hindsight we can say that Facebook should have been more doubtful of the integrity of academics - but without that hindsight I'm not sure what Facebook did wrong.
> FB had APIs, that everyone in the entire world knew about. There maybe a little 'too open' for some, but nobody was screaming fraud. It seemed reasonable to most.
Let's flip this around then: Australia’s Privacy Act 1988 lays out clear rules and penalties. Facebook had a responsibility to learn and follow these rules if they wanted to do business in Australia.
> In this case, users absolutely had to provide CA with the authority to access certain data, in the same way, they would have for any other app.
That is not true, and this is clearly explained by the OIAC statement referenced in the article: 'Most of those individuals did not install the “This is Your Digital Life” App; their Facebook friends did. Unless those individuals undertook a complex process of modifying their settings on Facebook, their personal information was disclosed by Facebook to the “This is Your Digital Life” App by default.'
In general, I agree with your sentiment, but there is one bit of nuance:
"In this case, users absolutely had to provide CA with the authority to access certain data, in the same way, they would have for any other app."
Unfortunately in this case the data also included your friend list and some items about your friends that may have been marked "friends only" .
This was the big mistake that Facebook is being crucified for, sadly. Like you said, they made changes to clamp things down long before any of the media knew of CA.
Ok, well that helps the case of FB even more, but there have been quite a number of reports indicating that CA did not in fact delete the data as requested. If you have a public reference that indicates they did, that'd be great. This entire issue seems to be about 'misinformation and narrative' not actual facts.
Yeah, the Guardian was actually interested in the story because they were mislead by the statements of the CEO of CA and by Christopher Wylie into believing that CA was involved in a campaign for Brexit in 2016. They wanted to delegitimise the outcome of the referendum.
Funnily enough, the newspaper doesn't mention that Wylie didn't work at CA in 2016 - so he can't be considered a first hand witness or a whistleblower concerning the American presidential election or Brexit. He left in 2014 after obtaining the Facebook dataset to start his own political data consultancy, Eunoia Technologies. The company was based on the concept of micro-targeting(, which he falsely believed was a novel idea). He competed with CA for contracts unsuccessfully, and Eunoia was ultimately sued by CA for stealing clients. (This might explain why he was so willing to work with the Guardian to bring the company down.)
All of the information in the above paragraph can be found on Wikipedia, except for the parts in brackets.
You can read the report from QC Julian Malins or the ICO about the whole situation, they're found no evidence of CA retaining the data. But you can't prove a negative.
Why not? Isn't Australia free to not allow Facebook to operate in their country if they don't pay a fine? And if the US prevents them from doing so by retaliation or sanctions, that would actually be closer to warfare.
I know FB isn't really operating in China. (At least no one I knew in Ningbo had it?) So did we sanction China for that or how did that all work? Because, and I don't know if we did or didn't, but if we didn't sanction China, why sanction Australia? Was that situation different somehow? (Other than just "China's richer").
I mean, what would happen is simply that Facebook would shutdown operations in Australia (Making Facebook Australia declare bankruptcy), pay whatever couple millions is in Facebook Australia's coffers, and the rest of the fine would simply go unpaid. It's not like Australia can fine a foreign company - they can only fine the local branch of the company. There's exactly no way for facebook to pay a fine that's equal to 7 times its annual revenue...
What kind of fine do you think would be realistic? I'd be very interested to see Facebook bullied out of a couple billions, although I do think it would be protected somehow, too many people have their interests tied up in it.
Still, a precedent being set on this sort of scale would be a good thing, right?
OTOH, I'd love to see the mental / rhetorical gymnastics demanded of our politicians to defend tech companies from large fines associated with privacy violations while simultaneously excoriating those same companies over privacy violations.
> while simultaneously excoriating those same companies over privacy violations
Has there been excoriation over this? I've seen lots of hand-wringing over election interference and addiction. But the privacy complaints have yet to find footing in America.
Wouldn't whatever legal entity Facebook has set up in Australia just declare bankruptcy? They can't exactly levy fines at a company that's not in their jurisdiction.
Not necessarily. Not everyone uses the same definition of war. The definition I was told in the military is that it's a political tool used when all other methods have failed. So if placing economic sanctions is a last resort, then economic warfare would make sense.
facebook could turn their public perception around in a second by declaring that it is not a political platform and banning political ads. I honestly don't care how much they market me to coke and pepsi, but the impact on democracies is way creepier...
Those aren't rewards. The price goes down at the opposite of the suit and the fine gets priced in with a given risk factor, and if they end up doing better than expected, then the price will adjust to integrate that new knowledge. It's still lower than if they'd never gotten fined (though perhaps not lower than if they hadn't unethically made that money in the first place)
It's a good start to negotiations. Maybe they'll get $2B from FB. FB will likely fund the current politicians' re-election campaigns in a quid-pro-quo to drop/reduce charges.
Either way it's a good move on the part of governments to apply pressure to a known shady actor.
1. https://techcrunch.com/2019/10/30/facebook-agrees-to-pay-uk-...