Marky Mark probably thought getting publicly crucified for presiding over a company that allows Russian bots to spread fake news and enables neo-Nazis to stoke the flames of racial hatred would be the low point of his 2018.
And maybe it was.
But losing $16 billion in personal wealth as shareholders call for your head probably still stings just a bit.
Yes, it was a rough day on Wall Street, as Facebook stocks plummeted more than 20 percent, seemingly in response to the company’s recent rash of scandals and bad press.
Of course, even after losing more money in a single day than most people could spend in five lifetimes, Zuck is still worth more than $68 billion, so you probably won’t see him doing the Floss for nickels outside a VA hospital anytime soon.
But the loss puts him below Warren Buffett on the list of the world’s richest people, which is amusing for at least two reasons:
1. People actually like Buffett, whereas the sight of Zuckerberg causes most folks to fantasize about perpetrating a fatal wedgie, and
2. We like to imagine Buffett calling Zuck, saying, “How’s my ass taste, kid?” and promptly hanging up the phone.
Of course, it wasn’t just Facebook’s affiliations with Cambridge Analytica and the Pepe the Frog set that have stocks and profit margins plummeting.
The site’s ongoing efforts to become Snapchat for old people are also causing “unforeseen growth cessations” and other mumbo-jumbo that basically means “we might be f-cked.”
“We plan to grow and promote certain engaging experiences like Stories that currently have lower levels of monetization, and we are also giving people who use our services more choices around data privacy, which may have an impact on our revenue growth,” says CFO David Wehner.
Again, this is all relative, as Facebook’s market cap is still valued at about $120 billion, so your aunt Sharon’s favorite venue for sharing “wine o’clock” memes won’t be going away anytime soon.
But the important thing is that today’s news affirms the increasingly popular theory that Mark Zuckerberg is not the savior of the Western world, but just some code jockey who was in the right place at the right time.
Watch for him and fellow embodiment of the evils of late capitalism Elon Musk to announce a plan for world domination any day now.
Investors are fleeing Facebook’s stock in after-hours trading following the company’s first real post-scandal earnings report missed expectations. Investors are maniacs. Facebook is massive, it’s making massive amounts of money, and it’s practically gobbled up every user it could potentially have.
Facebook said that apps’ data-scraping days ended in 2015. But that wasn’t the end of the story.
In 2015, Facebook says it changed the policy that allowed app developers — such as the Cambridge Analytica-affiliated researcher Aleksandr Kogan — access to the data of app users’ friends. That was the tactic that enabled Kogan to gather data on 87 million Facebook users, which he sold to Cambridge Analytica.
Now, in a document submitted to the U.S. House of Representatives, Facebook has said that 61 app developers had access to users’ friends data for nearly 6 months after the policy change. Facebook says it allowed the extension to give these companies time to comply with the new policy.
Facebook knows the historical app audit it’s conducting in the wake of the Cambridge Analytica data misuse scandal is going to result in a tsunami of skeletons tumbling out of its closet.
It’s already suspended around 200 apps as a result of the audit — which remains ongoing, with no formal timeline announced for when the process (and any associated investigations that flow from it) will be concluded.
CEO Mark Zuckerberg announced the audit on March 21, writing then that the company would “investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity”.
But you do have to question how much the audit exercise is, first and foremost, intended to function as PR damage limitation for Facebook’s brand — given the company’s relaxed response to a data abuse report concerning a quiz app with ~120M monthly users, which it received right in the midst of the Cambridge Analytica scandal.
Because despite Facebook being alerted about the risk posed by the leaky quiz apps in late April — via its own data abuse bug bounty program — they were still live on its platform a month later.
It took about a further month for the vulnerability to be fixed.
And, sure, Facebook was certainly busy over that period. Busy dealing with a major privacy scandal.
Let’s also not forget that, in early April, Facebook quietly confessed to a major security flaw of its own — when it admitted that an account search and recovery feature had been abused by “malicious actors” who, over what must have been a period of several years, had been able to surreptitiously collect personal data on a majority of Facebook’s ~2BN users — and use that intel for whatever they fancied.
So Facebook users already have plenty of reasons to doubt the company’s claims to be able to “protect your information”. But this latest data fail facepalm suggests it’s hardly scrambling to make amends for its own stinkingly bad legacy either.
Although it remains to be seen whether Facebook will face any data breach complaints in this specific instance, i.e. for not disclosing to affected users that their information was at risk of being exposed by the leaky quiz apps.
Which Facebook data abuse victim am I?
Writing in a Medium post, the security researcher who filed the report — self-styled “hacker” Inti De Ceukelaire — explains he went hunting for data abusers on Facebook’s platform after the company announced a data abuse bounty on April 10, as the company scrambled to present a responsible face to the world following revelations that a quiz app running on its platform had surreptitiously harvested millions of users’ data — data that had been passed to a controversial UK firm which intended to use it to target political ads at US voters.
De Ceukelaire says he began his search by noting down what third party apps his Facebook friends were using — finding quizzes were one of the most popular apps. Plus he already knew quizzes had a reputation for being data-suckers in a distracting wrapper. So he took his first ever Facebook quiz, from a brand called NameTests.com, and quickly realized the company was exposing Facebook users’ data to “any third-party that requested it”.
He also found it was providing an access token that allowed it to grant even more expansive data access permissions to third party websites — such as to users’ Facebook posts, photos and friends.
He reckons people’s data had been being publicly exposed since at least the end of 2016.
On Facebook, NameTests describes its purpose thusly: “Our goal is simple: To make people smile!” — adding that its quizzes are intended as a bit of “fun”.
It doesn’t shout so loudly that the ‘price’ for taking one of its quizzes, say to find out what Disney princess you ‘are’, or what you could look like as an oil painting, is not only that it will suck out masses of your personal data (and potentially your friends’ data) from Facebook’s platform for its own ad targeting purposes but was also, until recently, that your and other people’s information could have been exposed to goodness knows who, for goodness knows what nefarious purposes…
The Facebook-Cambridge Analytica data misuse scandal has underlined that ostensibly frivolous social data can end up being repurposed for all sorts of manipulative and power-grabbing purposes. (And not only can end up, but that quizzes are deliberately built to be data-harvesting tools… So think of that the next time you get a ‘take this quiz’ notification asking ‘what is in your fact file?’ or ‘what has your date of birth imprinted on you’? And hope ads is all you’re being targeted for… )
De Ceukelaire found that NameTests would still reveal Facebook users’ identity even after its app was deleted.
“In order to prevent this from happening, the user would have had to manually delete the cookies on their device, since NameTests.com does not offer a log out functionality,” he writes.
“I would imagine you wouldn’t want any website to know who you are, let alone steal your information or photos. Abusing this flaw, advertisers could have targeted (political) ads based on your Facebook posts and friends. More explicit websites could have abused this flaw to blackmail their visitors, threatening to leak your sneaky search history to your friends,” he adds, fleshing out the risks for affected Facebook users.
As well as alerting Facebook to the vulnerability, De Ceukelaire says he contacted NameTests — and they claimed to have found no evidence of abuse by a third party. They also said they would make changes to fix the issue.
We’ve reached out to NameTests’ parent company — a German firm called Social Sweethearts — for comment. Its website touts a “data-driven approach” — and claims its portfolio of products achieve “a global organic reach of several billion page views per month”.
Update: It has now sent the following statement: “As the data protection officer of social sweethearts, I would like to inform you that the matter has been carefully investigated. The investigation found that there was no evidence that personal data of users was disclosed to unauthorised third parties and all the more that there was no evidence that it had been misused. Nevertheless, data security is taken very seriously at Social Sweethearts and measures are currently being taken to avoid risks in the future.”
After De Ceukelaire reported the problem to Facebook, he says he received an initial response from the company on April 30 saying they were looking into it. Then, hearing nothing for some weeks, he sent a follow up email, on May 14, asking whether they had contacted the app developers.
A week later Facebook replied saying it could take three to six months to investigate the issue (i.e. the same timeframe mentioned in their initial automated reply), adding they would keep him in the loop.
Yet at that time — which was a month after his original report — the leaky NameTests quizzes were still up and running, meaning Facebook users’ data was still being exposed and at risk. And Facebook knew about the risk.
The next development came on June 25, when De Ceukelaire says he noticed NameTests had changed the way they process data to close down the access they had been exposing to third parties.
Two days later Facebook also confirmed the flaw in writing, admitting: “[T]his could have allowed an attacker to determine the details of a logged-in user to Facebook’s platform.”
It also told him it had confirmed with NameTests the issue had been fixed. And its apps continue to be available on Facebook’s platform — suggesting Facebook did not find the kind of suspicious activity that has led it to suspend other third party apps. (At least, assuming it conducted an investigation.)
Facebook paid out a $4,000 x2 bounty to a charity under the terms of its data abuse bug bounty program — and per De Ceukelaire’s request.
We asked it what took it so long to respond to the data abuse report, especially given the issue was so topical when De Ceukelaire filed the report. But Facebook declined to answer specific questions.
Instead it sent us the following statement, attributed to Ime Archibong, its VP of product partnerships:
A researcher brought the issue with the nametests.com website to our attention through our Data Abuse Bounty Program that we launched in April to encourage reports involving Facebook data. We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.
Facebook also claims it received De Ceukelaire’s report on April 27, rather than April 22, as he recounts it. Though it’s possible the former date is when Facebook’s own staff retrieved the report from its systems.
Beyond displaying a disturbingly relaxed attitude to other people’s privacy — which risks getting Facebook into regulatory trouble, given GDPR’s strict requirements around breach disclosure, for example — the other core issue of concern here is the company’s apparent failure to enforce its own developer policy.
The underlying issue is whether or not Facebook performs any checks on apps running on its platform. It’s no good having T&Cs if you don’t have any active processes to enforce your T&Cs. Rules without enforcement aren’t worth the paper they’re written on.
Historical evidence suggests Facebook did not actively enforce its developer T&Cs — even if it’s now “locking down the platform”, as it claims, as a result of so many privacy scandals.
The quiz app developer at the center of the Cambridge Analytica scandal, Aleksandr Kogan — who harvested and sold/passed Facebook user data to third parties — has accused Facebook of essentially not having a policy. He contends it is therefore Facebook who is responsible for the massive data abuses that have played out on its platform — only a portion of which have so far come to light.
Fresh examples such as NameTests’ leaky quiz apps merely bolster the case Kogan made for Facebook being the guilty party where data misuse is concerned. After all, if you built some stables without any doors at all would you really blame your horses for bolting?
CEOs of funded startups tend to be a well-educated bunch, at least when it comes to university degrees.
Yes, it’s true college dropouts like Mark Zuckerberg and Bill Gates can still do well. But Crunchbase data shows that most startup chief executives have an advanced degree, commonly from a well-known and prestigious university.
In this next installment of our CEO series, we narrowed the data set. Specifically, we looked at CEOs of U.S. companies funded in the past three years that have raised at least $100 million in total venture financing. Our intent was to see whether educational backgrounds of unicorn and near-unicorn leaders differ markedly from the broad startup CEO population.
Sort of, but not really
Here’s the broad takeaway of our analysis: Most CEOs of well-funded startups do have degrees from prestigious universities, and there are a lot of Harvard and Stanford grads. However, chief executives of the companies in our current data set are, educationally speaking, a pretty diverse bunch with degrees from multiple continents and all regions of the U.S.
In total, our data set includes 193 private U.S. companies that raised $100 million or more and closed a VC round in the past three years. In the chart below, we look at the universities most commonly attended by their CEOs:
The rankings aren’t hugely different from the broader population of funded U.S. startups. In that data set, we also found Harvard and Stanford vying for the top slots, followed mostly by Ivy League schools and major research universities.
For heavily funded startups, we also found a high proportion of business school degrees. All of the University of Pennsylvania alum on the list attended its Wharton School of Business. More than half of Harvard-affiliated grads attended its business school. MBAs were a popular credential among other schools on the list that offer the degree.
Where the most heavily funded startup CEOs studied
When it comes to the most heavily funded startups, the degree mix gets quirkier. That makes sense, given that we looked at just 20 companies.
In the chart below, we look at alumni affiliations for CEOs of these companies, all of which have raised hundreds of millions or billions in venture and growth financing:
One surprise finding from the U.S. startup data set was the prevalence of Canadian university grads. Three CEOs on the list are alums of the University of Waterloo. Others attended multiple well-known universities. The list also offers fresh proof that it’s not necessary to graduate from college to raise billions. WeWork CEO Adam Neumann just finished his degree last year, 15 years after he started. That didn’t stop the co-working giant from securing more than $7 billion in venture and growth financing.
Several CEOs attended more than one university on the list.
Mark Zuckerberg got to cherry-pick the questions he wanted to answer from EU Parliament after it spent an hour taking turns rattling off queries in bulk before leaving just a half-hour for his batched responses. Zuckerberg immediately trotted out his dorm room story of not expecting Facebook’s current duty to safety and democracy, and repeated his pledge to broaden the company’s responsibility. While he’s vowed to have his team follow-up with point-by-point replies, he managed to escape the televised testimony without any newsworthy gaffes.
The public will have to wait for canned, written responses to the toughest questions about why Facebook didn’t disclose the Cambridge Analytica issue immediately, how it uses shadow profiles and what he thinks about Facebook, Instagram and WhatsApp being broken up. If Zuckerberg played it safe during his U.S. congressional testimony by being boring, he dodged scandal here by using the abbreviated format to bend the testimony toward his most defensible positions.
Asked how the format was selected, a Facebook spokesperson tells me it was decided by the European Parliament. Facebook apparently only gave some guidelines about Mark Zuckerberg’s time. A UK member confirmed this is the standard format for Parliament meetings.
Future testimonies by technology industry executives will be much more productive for the public if officials keep questions succinct and only ask the hard ones, executives are given ample time to answer them all and they use a question-answer format. No more of this question-question-question-question-answer-answer-goodbye.
Zuckerberg initially resisted the Brussels meeting with Parliament (technically not a “testimony”). Then it was slated to be private before public outcry led to the livestreaming of the session. While the questions were more pointed than those asked by U.S. congress, the overall feel with Zuckerberg seated next to Parliament members rather than in the hotseat before them gave the meeting a less consequential tone.
The Facebook CEO used his short answer period to explain that he feels like there’s plenty of new competition for Facebook, and that it actually aids competition by offering tools to enable small businesses to challenge big brands online. He cited that “dozens of percents” of European users have gone through Facebook’s GDPR settings, rolling them out early so they’re dismissible until the May 25th deadline because, “The last thing we want is for people to go through the flows quicker than they need to and just hit OK.” That ignores the dark pattern designs built into that GDPR privacy flow, which, while temporarily dismissible, does coerce users to consent by visually downplaying the buttons to opt out of giving Facebook data.
Zuckerberg laid out his thoughts about the future of regulation for social networks, noting that “Some sort of regulation is important and inevitable, and the important thing is to get this right.” He said that regulations would need to “allow for innovation, don’t inadvertently prevent new technologies like AI from being able to develop, and of course to make sure that new startups — the next student sitting in a college dorm room like I was — doesn’t have an undue burden in being able to build the next great product.” That’s positive, since blunt regulation could create a moat for Facebook.
But when Zuckerberg concluded his testimony, noting “I want to be sensitive to time because we are 15 minutes over” the scheduled 75-minute session length, several EU officials spoke up, angry that they felt their questions had been ignored. “Will you allow users to escape targeted advertising? I asked you six yes-or-no questions and got not a single answer, and of course, well, you asked for this format for a reason,” stated one member of Parliament. “I’ll make sure we follow up and get you answers to those,” Zuckerberg coldly responded. “We’re going to have someone come to do a full hearing soon to answer more of the technical questions as well.”
The combative atmosphere at the conclusion of the testimony means Facebook could encounter soured regulators in the future who might be emboldened by their disappointment in his appearance. Zuckerberg might have avoided losing the minds of the EU by dodging damning topics, but he sure didn’t win the hearts of Europe’s lawmakers.
Speaking in front of EU lawmakers today Facebook’s founder Mark Zuckerberg namechecked the GDPR’s core principles of “control, transparency and accountability” — claiming his company will deliver on all that, come Friday, when a new European Union data protection framework, GDPR, starts being applied, finally with penalties worth the enforcement.
However there was little transparency or accountability on show during the session, given the upfront questions format which saw Zuckerberg cherry-picking a few comfy themes to riff on after silently absorbing an hour of MEPs’ highly specific questions with barely a facial twitch in response.
The questions MEPs asked of Zuckerberg were wide ranging and often drilled deep into key pressure points around the ethics of Facebook’s business — ranging from how deep the app data misuse privacy scandal rabbithole goes; to whether the company is a monopoly that needs breaking up; to how users should be compensated for misuse of their data.
Made clear to Mark Zuckerberg that digital platforms have to guarantee full protection of our citizens' privacy. We cannot accept illicit use of personal data to manipulate elections. Democracy cannot be turned into a marketing operation.
Why did it refuse a public meeting with the EU parliament? Why has it spent “millions” lobbying against EU privacy rules? Will the company commit to paying taxes in the markets where it operates? What’s it doing to prevent fake accounts? What’s it doing to prevent bullying? Does it regulate content or is it a neutral platform?
Zuckerberg made like a sponge and absorbed all this fine-grained flak. But when the time came for responses the data flow was not reciprocal; self-serving talking points on self-selected “themes” were all he had come prepared to serve up.
But when it comes to Facebook’s own operations, the company maintains a highly filtered, extremely partial ‘newsfeed’ on its business empire — keeping a tight grip on the details of what data it collects and why.
Yes, you can download the data you’ve willingly uploaded to Facebook. Just don’t expect Facebook to give you a download of all the information it’s gathered and inferred about you.
The EU parliament’s political group leaders seemed well tuned to the myriad concerns now flocking around Facebook’s business. And were quick to seize on Zuckerberg’s dumbshow as further evidence that Facebook needs to be ruled.
Thing is, in Europe regulation is not a dirty word. And GDPR’s extraterritorial reach and weighty public profile looks to be further whetting political appetites.
So if Facebook was hoping the mere appearance of its CEO sitting in a chair in Brussels, going through the motions of listening before reading from his usual talking points, would be enough, that looks to be a major miscalculation.
“It was a disappointing appearance by Zuckerberg. By not answering the very detailed questions by the MEPs he didn’t use the chance to restore trust of European consumers but in contrary showed to the political leaders in the European Parliament that stronger regulation and oversight is needed,” Green MEP and GDPR rapporteur Jan Philipp Albrecht told us after the meeting.
The MEP had also asked Zuckerberg to commit to no exchange of data between the two apps. Zuckerberg determinedly made no such commitment.
Claude Moraes, chair of the EU parliament’s civil liberties, justice and home affairs (Libe) committee, issued a slightly more diplomatic reaction statement after the meeting — yet also with a steely undertone.
“Trust in Facebook has suffered as a result of the data breach and it is clear that Mr. Zuckerberg and Facebook will have to make serious efforts to reverse the situation and to convince individuals that Facebook fully complies with European Data Protection law. General statements like ‘We take privacy of our customers very seriously’ are not sufficient, Facebook has to comply and demonstrate it, and for the time being this is far from being the case,” he said.
“The Cambridge Analytica scandal was already in breach of the current Data Protection Directive, and would also be contrary to the GDPR, which is soon to be implemented. I expect the EU Data Protection Authorities to take appropriate action to enforce the law.”
Damian Collins, chair of the UK parliament’s DCMS committee, which has thrice tried and failed to get Zuckerberg to appear before it, did not mince his words at all. Albeit he has little reason to, having been so thoroughly rejected by the Facebook founder — and having accused the company of a pattern of evasive behavior to its CTO’s face — there’s clearly not much to hold out for now.
“What a missed opportunity for proper scrutiny on many crucial questions raised by the MEPs. Questions were blatantly dodged on shadow profiles, sharing data between WhatsApp and Facebook, the ability to opt out of political advertising and the true scale of data abuse on the platform,” said Collins in another reaction statement after the meeting. “Unfortunately the format of questioning allowed Mr Zuckerberg to cherry-pick his responses and not respond to each individual point.
“I echo the clear frustration of colleagues in the room who felt the discussion was shut down,” he added, ending with a fourth (doubtless equally forlorn) request for Zuckerberg to appear in front of the DCMS Committee to “provide Facebook users the answers they deserve”.
In the latter stages of today’s EU parliament session several MEPs — clearly very exasperated by the straitjacketed format — resorted to heckling Zuckerberg to press for answers he had not given them.
“Shadow profiles,” interjected one, seizing on a moment’s hesitation as Zuckerberg sifted his notes for the next talking point. “Compensation,” shouted another, earning a snort of laughter from the CEO and some more theatrical note flipping to buy himself time.
Then, appearing slightly flustered, Zuckerberg looked up at one of the hecklers and said he would engage with his question — about shadow profiles (though Zuckerberg dare not speak that name, of course, given he claims not to recognize it) — arguing Facebook needs to hold onto such data for security purposes.
Zuckerberg did not specify, as MEPs had asked him to, whether Facebook uses data about non-users for any purposes other than the security scenario he chose to flesh out (aka “keeping bad content out”, as he put it).
He also ignored a second follow-up pressing him on how non-users can “stop that data being transferred”.
“On the security side we think it’s important to keep it to protect people in our community,” Zuckerberg said curtly, before turning to his lawyer for a talking point prompt (couched as an ask if there are “any other themes we wanted to get through”).
His lawyer hissed to steer the conversation back to Cambridge Analytica — to Facebook’s well-trodden PR about how they’re “locking down the platform” to stop any future data heists — and the Zuckbot was immediately back in action regurgitating his now well-practiced crisis PR around the scandal.
What was very clearly demonstrated during today’s session was the Facebook founder’s preference for control — that’s to say control which he is exercising.
Hence the fixed format of the meeting, which had been negotiated prior to Facebook agreeing to meet with EU politicians, and which clearly favored the company by allowing no formal opportunity for follow ups from MEPs.
Zuckerberg also tried several times to wrap up the meeting — by insinuating and then announcing time was up. MEPs ignored these attempts, and Zuckerberg seemed most uncomfortable at not having his orders instantly carried out.
Instead he had to sit and watch a micro negotiation between the EU parliament’s president and the political groups over whether they would accept written answers to all their specific questions from Facebook — before he was publicly put on the spot by president Antonio Tajani to agree to provide the answers in writing.
Although, as Collins has already warned MEPs, Facebook has had plenty of practice at generating wordy but empty responses to politicians’ questions about its business processes — responses which evade the spirit and specifics of what’s being asked.
The self-control on show from Zuckerberg today is certainly not the kind of guardrails that European politicians increasingly believe social media needs. Self-regulation, observed several MEPs to Zuckerberg’s face, hasn’t worked out so well has it?
The first MEP to lay out his questions warned Zuckerberg that apologizing is not enough. Another pointed out he’s been on a contrition tour for about 15 years now.
Facebook needs to make a “legal and moral commitment” to the EU’s fundamental values, he was told by Moraes. “Remember that you’re here in the European Union where we created GDPR so we ask you to make a legal and moral commitment, if you can, to uphold EU data protection law, to think about ePrivacy, to protect the privacy of European users and the many millions of European citizens and non-Facebook users as well,” said the Libe committee chair.
But self-regulation — or, the next best thing in Zuckerberg’s eyes: ‘Facebook-shaped regulation’ — was what he had come to advocate for, picking up on the MEPs’ regulation “theme” to respond with the same line he fed to Congress: “I don’t think the question here is whether or not there should be regulation. I think the question is what is the right regulation.”
“The Internet is becoming increasingly important in people’s lives. Some sort of regulation is important and inevitable. And the important thing is to get this right,” he continued. “To make sure that we have regulatory frameworks that help protect people, that are flexible so that they allow for innovation, that don’t inadvertently prevent new technologies like AI from being able to develop.”
He even brought up startups — claiming ‘bad regulation’ (I paraphrase) could present a barrier to the rise of future dormroom Zuckerbergs.
Of course he failed to mention how his own dominant platform is the attention-sapping, app gobbling elephant in the room crowding out the next generation of would-be entrepreneurs. But MEPs’ concerns about competition were clear.
Instead of making friends and influencing people in Brussels, Zuckerberg looks to have delivered less than if he’d stayed away — angering and alienating the very people whose job it will be to amend the EU legislation that’s coming down the pipe for his platform.
Ironically one of the few specific questions Zuckerberg chose to answer was a false claim by MEP Nigel Farage — who had wondered whether Facebook is still a “neutral political platform”, griping about drops in engagement for rightwing entities ever since Facebook’s algorithmic changes in January, before claiming, erroneously, that Facebook does not disclose the names of the third party fact checkers it uses to help it police fake news.
So — significantly, and as was also evident in the US Senate and Congress — Facebook was taking flak from both left and right of the political spectrum, implying broad, cross-party support for regulating these algorithmic platforms.
Actually Facebook does disclose those fact checking partnerships. But it’s pretty telling that Zuckerberg chose to expend some of his oh-so-slender speaking time to debunk something that really didn’t merit the breath.
Farage had also claimed, during his three minutes, that without “Facebook and other forms of social media there is no way that Brexit or Trump or the Italian elections could ever possibly have happened”.
Funnily enough Zuckerberg didn’t make time to comment on that.
After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long time Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent.
The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.
Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting.)
“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” Schrems writes in a statement.
“Facebook has even blocked accounts of users who have not given consent,” he adds. “In the end users only had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process.”
We’ve reached out to all the companies involved for comment and will update this story with any response. Update: Facebook has now sent the following statement, attributed to its chief privacy officer, Erin Egan: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on May 25th. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”
Schrems most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb (aka ‘none of your business’).
As we pointed out in our GDPR explainer, the provision in the regulation allowing for collective enforcement of individuals’ data rights is an important one, with the potential to strengthen the implementation of the law by enabling non-profit organizations such as noyb to file complaints on behalf of individuals — thereby helping to redress the imbalance between corporate giants and consumer rights.
That said, the GDPR’s collective redress provision is a component that Member States can choose to derogate from, which helps explain why the first four complaints have been filed with data protection agencies in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record defending privacy rights.
Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection agency will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation for defending data protection rights.
But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint concerns and where a service crosses borders — so noyb’s action looks intended to test this element of the new framework too.
Under the penalty structure of GDPR, major violations of the law can attract fines as large as 4% of a company’s global revenue which, in the case of Facebook or Google, implies they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue.
That said, given how freshly fixed in place the rules are, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.
However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud.
“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” writes Schrems.
Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new consent flow.
“We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads,” said Zuckerberg.
He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new consent flow Facebook revealed ahead of GDPR only offers the ‘choice’ of quitting Facebook entirely if a person does not want to accept targeted advertising. Which, well, isn’t much of a choice given how powerful the network is. (Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data.)
Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change — “because giving people control of how their data is used has been a core principle of Facebook since the beginning”.
“The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past,” he claimed. “I mean I don’t want to downplay it — there are strong new rules that we’ve needed to put a bunch of work into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things.
“In order to be able to give people the tools to connect in all the ways they want and build committee a lot of philosophy that is encoded in a regulation like GDPR is really how we’ve thought about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and implement but I also don’t want to make it seem like this is a massive departure in how we’ve thought about this stuff.”
So EU regulators are essentially facing a first test of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image.
Privacy laws are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.
Schrems also makes the point that small startups and local companies are less likely to be able to use the kind of strong-arm ‘take it or leave it’ tactics on users that big tech is able to use to extract consent on account of the reach and power of their platforms — arguing there’s a competition concern that GDPR should also help to redress.
“The fight against forced consent ensures that the corporations cannot force users to consent,” he writes. “This is especially important so that monopolies have no advantage over small businesses.”
If members of the European Parliament thought they could bring Mark Zuckerberg to heel with his recent appearance, they underestimated the enormous gulf between 21st century companies and their last-century regulators.
Zuckerberg himself reiterated that regulation is necessary, provided it is the “right regulation.”
But anyone who thinks that our existing regulatory tools can rein in our digital behemoths is engaging in magical thinking. Getting to “right regulation” will require us to think very differently.
The challenge goes far beyond Facebook and other social media: the use and abuse of data is going to be the defining feature of just about every company on the planet as we enter the age of machine learning and autonomous systems.
So far, Europe has taken a much more aggressive regulatory approach than anything the US was contemplating before or since Zuckerberg’s testimony.
The European Parliament’s Global Data Protection Regulation (GDPR) is now in force, which extends data privacy rights to all European citizens regardless of whether their data is processed by companies within the EU or beyond.
But I’m not holding my breath that the GDPR will get us very far on the massive regulatory challenge we face. It is just more of the same when it comes to regulation in the modern economy: a lot of ambiguous costly-to-interpret words and procedures on paper that are outmatched by rapidly evolving digital global technologies.
Crucially, the GDPR still relies heavily on the outmoded technology of user choice and consent, the main result of which has seen almost everyone in Europe (and beyond) inundated with emails asking them to reconfirm permission to keep their data. But this is an illusion of choice, just as it is when we are ostensibly given the option to decide whether to agree to terms set by large corporations in standardized take-it-or-leave-it click-to-agree documents.
There’s also the problem of actually tracking whether companies are complying. It is likely that the regulation of online activity requires yet more technology, such as blockchain and AI-powered monitoring systems, to track data usage and implement smart contract terms.
As the EU has already discovered with the right to be forgotten, however, governments lack the technological resources needed to enforce these rights. Search engines are required to serve as their own judge and jury in the first instance; Google at last count was doing 500 a day.
The fundamental challenge we face, here and throughout the modern economy, is not: “what should the rules for Facebook be?” but rather, “how can we innovate new ways to regulate effectively in the global digital age?”
The answer is that we need to find ways to harness the same ingenuity and drive that built Facebook to build the regulatory systems of the digital age. One way to do this is with what I call “super-regulation” which involves developing a market for licensed private regulators that serve two masters: achieving regulatory targets set by governments but also facing the market incentive to compete for business by innovating more cost-effective ways to do that.
Imagine, for example, if instead of drafting a detailed 261-page law like the EU did, a government instead settled on the principles of data protection, based on core values, such as privacy and user control.
Private entities, profit and non-profit, could apply to a government oversight agency for a license to provide data regulatory services to companies like Facebook, showing that their regulatory approach is effective in achieving these legislative principles.
These private regulators might use technology, big-data analysis, and machine learning to do that. They might also figure out how to communicate simple options to people, in the same way that the developers of our smartphone figured that out. They might develop effective schemes to audit and test whether their systems are working—on pain of losing their license to regulate.
There could be many such regulators among which both consumers and Facebook could choose: some could even specialize in offering packages of data management attributes that would appeal to certain demographics – from the people who want to be invisible online, to those who want their every move documented on social media.
The key here is competition: for-profit and non-profit private regulators compete to attract money and brains to the problem of how to regulate complex systems like data creation and processing.
Zuckerberg thinks there’s some kind of “right” regulation possible for the digital world. I believe him; I just don’t think governments alone can invent it. Ideally, some next generation college kid would be staying up late trying to invent it in his or her dorm room.
The challenge we face is not how to get governments to write better laws; it’s how to get them to create the right conditions for the continued innovation necessary for new and effective regulatory systems.
There is no degree required to be a CEO of a venture-backed company. But it likely helps to graduate from Harvard, Stanford or one of about a dozen other prominent universities that churn out a high number of top startup executives.
That is the central conclusion from our latest graduation season data crunch. For this exercise, Crunchbase News took a look at top U.S. university affiliations for CEOs of startups that raised $1 million or more in the past year.
Harvard fares better in its rivalry with Stanford when it comes to educating future CEOs than founders. The two universities essentially tied for first place in the CEO alum ranking. (Stanford was well ahead for founders.)
Business schools are big. While MBA programs may be seeing fewer applicants, the degree remains quite popular among startup CEOs. At Harvard and the University of Pennsylvania, more than half of the CEOs on our list graduated as business school alum.
University affiliation is influential but not determinative for CEOs. The 20 schools featured on our list graduated CEOs of more than 800 global startups that raised $1M or more in roughly the past year, a minority of the total.
Below, we flesh out the findings in more detail.
Where startup CEOs went to school
First, let’s start with school rankings. There aren’t many big surprises here. Harvard and Stanford far outpace any other institutions on the CEO list. Each counts close to 150 known alum among chief executives of startups that raised $1 million or more over the past year.
MIT, University of Pennsylvania, and Columbia round out the top five. Ivy League schools and large research universities constitute most of the remaining institutions on our list of about twenty with a strong track record for graduating CEOs. The numbers are laid out in the chart below:
Traditional MBA popular with startup CEOs
Yes, Bill Gates and Mark Zuckerberg dropped out of Harvard. And Steve Jobs ditched college after a semester. But they are the exceptions in CEO-land.
The typical path for the leader of a venture-backed company is a bit more staid. Degrees from prestigious universities abound. And MBA degrees, particularly from top-ranked programs, are a pretty popular credential.
Top business schools enroll only a small percentage of students at their respective universities. However, these institutions produce a disproportionately large share of CEOs. Wharton School of Business degrees, for instance, accounted for the majority of CEO alumni from the University of Pennsylvania. Harvard Business School also graduated more than half of the Harvard-affiliated CEOs. And at Northwestern’s Kellogg School of Management, the share was nearly half.
CEO alumni background is really quite varied
While the educational backgrounds of startup CEOs do show a lot of overlap, there is also plenty of room for variance. About 3,000 U.S. startups and nearly 5,000 global startups with listed CEOs raised $1 million or more since last May. In both cases, those startups were largely led by people who didn’t attend a school on the list above.
Admittedly, the math for this is a bit fuzzy. A big chunk of CEO profiles in Crunchbase (probably more than a third) don’t include a university affiliation. Even taking this into account, however, it looks like more than half of the U.S. CEOs were not graduates of schools on the short list. Meanwhile, for non-U.S. CEOs, only a small number attended a school on the list.
So, with that, some words of inspiration for graduates: If your goal is to be a funded startup CEO, the surest path is probably to launch a startup. Degrees matter, but they’re not determinative.