Investors are raising concerns about Facebook’s operations as lawmakers call for investigations into reports that Facebook user data was accessed by a data analytics firm to help President Donald Trump win the 2016 election.
Facebook chief Mark Zuckerberg is facing calls from lawmakers to explain how Cambridge Analytica gained improper access to data on 50 million Facebook users.
Over the weekend it was revealed the data analytics firm had harvested the data in 2014 to profile users and target them with political ads.
It had collected the data through an app that asked users to undertake a personality test for research purposes. Around 270,000 people agreed to take the test, but Facebook's terms of service and API at the time allowed the firm to also collect the data of the participants' friends - or the information of more than 50 million people.
The company's shares closed down nearly 7.0 percent on Monday, wiping nearly US$40 billion off its market value following the revelation.
Cambridge Analytica said it deleted the data after learning the information did not adhere to data protection rules.
“The lid is being opened on the black box of Facebook’s data practices, and the picture is not pretty,” said Frank Pasquale, a University of Maryland law professor who has written about Silicon Valley’s use of data.
The scrutiny presents a fresh threat to Facebook’s reputation, which is already under attack over Russia’s alleged use of Facebook tools to sway US voters with divisive and false news posts before and after the 2016 election.
“We do have some concerns,” said Ron Bates, portfolio manager on the US$131 million 1919 Socially Responsive Balanced Fund, a Facebook shareholder.
“The big issue of the day around customer incidents and data is something that has been discussed among ESG (environmental, social and corporate governance) investors for some time and has been a concern.”
Bates said he was encouraged by the fact that the company has acknowledged the privacy issues and was responding, and thinks it remains an appropriate investment for now.
Facebook on Monday said it had hired digital forensics firm Stroz Friedberg to carry out a comprehensive audit of Cambridge Analytica, and that Cambridge Analytica had agreed to comply and give the forensics firm complete access to its servers and systems.
“What would be a deal-breaker for us would be if we saw this recurring and we saw significant risk to the consumer around privacy,” Bates said.
New York City comptroller Scott Stringer, who oversees US$193 billion in city pension fund assets, on Monday said that “as investors in Facebook, we’re closely following what are very alarming reports”.
Sustainalytics BV, a widely used research service that rates companies on their ESG performance for investors, said it was reviewing its Facebook rating, which is currently “average.”
“We’re definitely taking a look at it to see if there should be some change,” said Matthew Barg, research manager at Sustainalytics.
“Their business model is so closely tied to having access to consumer data and building off that access. You want to see that they understand that and care about that.”
ESG investors had already expressed concerns about Facebook before the Cambridge Analytica reports arose.
Wall Street investors, including ESG funds, have ridden the tech sector to record highs in recent months, betting on further outsized returns from stocks including Facebook, Apple and Google parent Alphabet.
Jennifer Sireklove, director of responsible investing at Parametric, a money manager with US$200 billion in assets, said an increasing number of ethics-focused investors were avoiding Facebook and other social media companies, even before the most recent reports about privacy breaches.
“More investors are starting to question whether these companies are contributing to a fair and well-informed public marketplace, or are we becoming all the more fragmented because of the ways in which these companies are operating,” she said.
New EU privacy rules
Facebook is also facing substantial business risks from new European Union privacy rules set to take effect in May.
Privacy experts said the data harvesting scandal was a prime example of the kinds of practices the new General Data Protection Regulation, or GDPR, is supposed to prevent or punish.
The danger faced by Facebook going forward is two-fold: Complying with the rules means letting European users opt out of the highly targeted online ads that have made Facebook a money machine. Violating GDPR mandates could subject the company to fines of up to 4 percent of annual revenues.
Had the Cambridge Analytica incident happened after GDPR becomes law on May 25, it “would have cost Facebook 4 percent of their global revenue”, said Austrian privacy campaigner and Facebook critic Max Schrems.
Because a UK company (Cambridge Analytica) was involved and because at least some of the people whose data was misused were almost certainly European, the GDPR would have applied.
Schrems first raised concerns in 2011 about how easy it would be for third-party apps to harvest data from the unwitting friends of Facebook users. Facebook says it has tightened its controls on such practices since it discovered the alleged abuses by Cambridge Analytica in 2015.
“The fact of the matter is that Facebook lost control of the data and wasn’t adequately monitoring what third parties were doing,” said Scott Vernick, a partner and an expert in privacy and data security at the Philadelphia law firm Fox Rothschild.
Vernick said the maximum GDPR fine could come into play in an incident like this because of the number of users affected and what appears to have been inadequate monitoring of third-party data practices.
Facebook on Monday said it changed its policies in 2015 “to give much less data, especially about friends”.
“We conduct a robust review to identify potential policy violations and to assess whether the app has a legitimate use for the data,” the company said.
“We actually reject a significant number of apps through this process.”
Compliance with GDPR rules could cost Facebook a significant amount of money. Deutsche Bank analysts in January estimated that Facebook’s overall revenue could be lowered by 4 percent in a scenario in which 30 percent of EU users opt out of targeted ads, reducing the effectiveness and likely price of ads shown by 50 percent.
The EU represents 24 percent of Facebook’s ad revenue, so multiplying those figures, the bank said the regulations could have a 4 percent impact on overall Facebook revenue.
“If this regulatory approach spreads to other countries or if GDPR ever becomes more onerous over the medium or long term, it would pose more risk,” Deutsche Bank warned.
The firestorm over Cambridge Analytica has prompted a furious response from lawmakers on both sides of the Atlantic, raising the prospect of just such an expansion of privacy protections.
GDPR gives users the right to access their data, delete it or transfer it to competing companies. Social networks will also need to regain Europeans’ consent every time they want to use their data in new ways, including for targeted advertising.
Lawmakers had social networks in mind when drafting GDPR, said Helen Dixon, the data protection commissioner of Ireland, which is the lead GDPR regulator for numerous tech companies including Facebook, Twitter and LinkedIn.
“There was very big consideration of these newer types of platforms,” she said.
Tough European rules stand in sharp contrast to the lack of privacy regulation in the United States and many other countries, raising the prospect that Facebook will begin to look much different from one country to the next.
For example, the social media giant in 2017 released new artificial intelligence features that detect when a user is at risk of suicide or when someone else uploads a picture of their face.
The company did not make those features available in Europe. Facebook did not specify a reason. But heightened scrutiny in Europe over such practices with GDPR looming may have been a factor.
Another challenge for social networks is the set of GDPR provisions mandating how companies must obtain permissions. The regulation demands that requests for consent be presented “in an intelligible and easily accessible form, using clear and plain language”.
In other words, the days of extensive “terms of service” agreements written in small text will no longer pass muster in Europe, according to privacy lawyers.
In practice, social network users may find themselves seeing more “permissions screens” and being asked to check boxes every time a social network rolls out a new feature.
That could depress usage, Facebook CFO David Wehner said at an investor conference last month.
“Whenever you walk people through permission screens, there’s some potential that people decide they’re not going to use the product,” Wehner said.
“We don’t think it will be big, but there could be some implication there.”