The data-sharing at the heart of Facebook’s latest scandal isn’t an anomaly — it’s how Facebook does business

One hundred cardboard cutouts of Facebook founder and CEO Mark Zuckerberg stand outside the U.S. Capitol in April.
(Saul Loeb / AFP/Getty Images)

Facebook’s business model has always been simple: acquire as much personal information from users as possible, then find a way to make money off of it.

For more than a decade, it proved to be a remarkably successful strategy, bringing to the social platform 2 billion monthly users to friend, feud and play Farmville.

But as the year comes to a close, Facebook is facing a pair of major lawsuits in the U.S. and reeling from a string of public relations disasters. The company’s stock has lost over 25% of its value since January and took another 7% hit on Wednesday after a report that it shared the power to read and delete users’ private messages with companies such as Netflix and Spotify.


Surprisingly, this fall from grace hasn’t been defined by deviation from the practices that made it one of the most valuable companies in the world. The scandals that have pummeled the company in 2018 have largely kept with the fundamentals of Facebook’s business model.

“For many companies, including but not limited to Facebook, there is a business model of harvesting as much personal information from technology users as possible and then monetizing it, and doing so without getting real consent from the users,” said Adam Schwartz, senior staff attorney at the privacy advocacy group the Electronic Frontier Foundation.

To bring more users in, keep them spending more time on the platform, and urge them to share more information, Facebook opened its platform to other companies interested in accessing its user base.

It gave access to third-party app developers, such as political consulting firm Cambridge Analytica, which created a personality quiz app for Facebook users as a way to gain access to the private information of all of their Facebook friends, and then used that data to serve political clients like Donald Trump’s 2016 campaign, and the campaign in favor of Britain leaving the European Union.

And it built integration with companies like Spotify and Netflix to keep tabs on users everywhere they went.

Then, as always, it used that larger reach and deeper trough of data to sell more ads to more people.


The problem is that users are only now coming to realize what Facebook and other tech companies are doing with their data.

Google famously used its Gmail email service in a similar way, offering it for free, which brought in a huge user base. By tracking the content of users’ emails and linking them to Google searches performed on the same browser, the company acquired reams of personal data, which it then used to improve its lucrative ad-targeting business.

Google discontinued tracking email content in 2017, but third-party app developers can still read the emails of millions of Gmail users.

As the inner workings of the growth and monetization strategies underpinning the internet’s biggest companies come to light, more users are deciding they don’t like what they see.

“When I agree to be friends with someone on Facebook,” Schwartz said, “what I don’t expect is that it results in all of my information being sucked into an app that one of my friends is using.”

That question of consent lies at the heart of Facebook’s legal troubles.

On Wednesday, Washington D.C.’s attorney general filed suit against the company for failing to inform users that Cambridge Analytica was accessing their data and the data of their entire friend list when they installed the personality quiz app on Facebook’s platform.


Facebook is also facing a class-action lawsuit over its use of facial recognition software to identify people in images uploaded to the platform, which the plaintiffs claim violates an Illinois law against collecting biometric information in the absence of opt-in consent.

An investigation published by the New York Times on Tuesday found that the social media giant gave corporate partners like Netflix, Spotify and the Royal Bank of Canada the ability to read and delete users’ private messages as part of an integration that kept users plugged into the Facebook ecosystem. Facebook also allowed Microsoft, Sony, and Amazon to obtain the email addresses of users’ friends, according to the investigation.

The lack of clear user consent may pose a problem for a company that faced a 2011 Federal Trade Commission consent order requiring Facebook to obtain user consent before sharing data with other companies.

A bigger problem, however, may be dwindling consumer confidence in their basic relationship with Facebook.

An October study by the Baker Center at Georgetown University asked respondents to rank American companies and institutions by how much confidence they inspired. Facebook ranked third to last, ahead of only “Political Parties” and “Congress.”

Alex Stamos, Facebook’s former chief security officer, said some of the data-sharing arrangements detailed in the report could actually be good for consumers.


“Users need to have the right to bring their accounts to different devices and different services — we don’t want Facebook, Microsoft, Google, and other giants building completely impenetrable walls so users have no choice.”

But he said the company has failed to adapt to its own success.

“A lot of these things are from a different era, when Facebook was a different product,” said Stamos, who joined Facebook in 2015 and left earlier this year. “When people had been using it for fun, and then all of a sudden it became the world’s most important communications platform, the security and privacy decisions you made are no longer valid.”

Some of the data-sharing arrangements date back to 2010, according to the New York Times; Cambridge Analytica began gathering data in 2014.

In a blog post, Facebook said that it handled the data sharing relationships in accordance with the law, citing an exception in the consent agreement for moving data to service providers.

Schwartz questioned that interpretation, saying it was intended for situations where Facebook might need to rent space on other companies’ servers for data storage.

“We think that’s a misuse of the service provider exception,” Schwartz said.

British lawmakers, who are investigating the company for anti-competitive practices, also weighed in on Wednesday.


“We have to seriously challenge the claim by Facebook that they are not selling user data,” said member of Parliament Damian Collins in a statement. “They may not be letting people take it away by the bucket load, but they do reward companies with access to data that others are denied, if they place a high value on the business they do together.”

Follow me on Twitter: @samaugustdean