If there’s one choice that Facebook has made repeatedly over the past 15 years, it’s been to prioritize growth over privacy. Users were consistently encouraged to make more of their information public than they were comfortable with. The settings to make things public were always a bit easier to use than the ones to make things private. Data was collected that you didn’t have any idea was being collected and shared in ways you had no idea it was being shared. Sometimes data was just suddenly made public all at once. They were the choices of a young man, secure in himself, and confident in the goodwill of the rest of the Internet. They were the choices of someone building out an advertising business on the collection of infinite data.
Now Mark Zuckerberg, the CEO of Facebook, is 34. He’s a public figure who is attacked relentlessly in the press and by politicians around the world. He has two children, a house he blocks from view, and a cover on his laptop camera. He’s also seen his company get burned for ignoring user privacy, and he’s seen that the platform he built to make the world more open and connected can also be used by harassers, racists, trolls, bullies, and Vladimir Putin. His company’s reputation has faltered; growth on the main platform has slowed, and employee morale has dropped. It seems like a good time for a change.
And so on Wednesday, the company pulled the emergency brake, yanked the steering wheel, and turned in reverse. Zuckerberg published a roughly 3,000-word treatise laying out “a privacy-focused vision” for his company. “Public social networks will continue to be very important in people’s lives—for connecting with everyone you know, discovering new people, ideas and content, and giving people a voice more broadly,” Zuckerberg wrote. “But now, with all the ways people also want to interact privately, there’s also an opportunity to build a simpler platform that’s focused on privacy first.”
In the post, Zuckerberg made a litany of promises about enhancing encryption on Facebook and Instagram, keeping servers out of authoritarian countries whose leaders seek to spy on their citizens, and reducing the “permanence” of messages or stories. No one wants their bong photos circulating when they apply for jobs. Zuckerberg also described in detail how the company will integrate its three messaging platforms: Facebook Messenger, Instagram Direct, and WhatsApp. The systems, according to Zuckerberg, will be interoperable but not merged. “With the ability to message across our services,” he wrote, “you’d be able to send an encrypted message to someone’s phone number in WhatsApp from Messenger.” In other words, end-to-end encryption will exist across three platforms, though privacy advocates have pointed out potential hurdles to this approach.
Zuckerberg listed six privacy principles, but there was one glaring omission: He said nothing about how Facebook plans to approach data sharing and ad targeting in this privacy-focused future. The free flow of data between Facebook and third-party developers is, after all, the issue that caused the jaws of the national media to snap onto the company’s leg. One year ago this month, news broke that a man named Aleksandr Kogan had misappropriated the data of tens of millions of users and sent it to a shady political consulting firm called Cambridge Analytica. It soon became clear that Cambridge Analytica was not alone and that Facebook had allowed thousands of developers to collect data for years.
The company’s loose policies on data collection over the years are also what allowed it to build one of the most successful advertising businesses in history. All the data the company collects helps advertisers segment and target people. And it’s the relentless pursuit of that data that has led to Facebook being accused of making inappropriate deals for data with device manufacturers and software partners. This is a history that Zuckerberg knows well, and one that he acknowledged in his post. “I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform—because frankly we don’t currently have a strong reputation for building privacy protective services,” he wrote.
The changes Zuckerberg announced Wednesday will improve privacy for Facebook’s 2.3 billion monthly users. End-to-end encryption can be, as Zuckerberg notes, crucial to physical safety. It’s not a good idea to have servers in Venezuela or Syria. Facebook shouldn’t be allowed to keep user data forever. Privacy advocates have long called for these fixes, and it’s to Zuckerberg’s credit that he has said he plans to address them. And it’s to his credit, too, that he has hired experts who know all about them.
The move should also please the regulators that have been circling Facebook like lions around a pack of gazelles. In January of 2020, a sweeping privacy law in California is set to go into effect. Meanwhile, Congress has been holding hearings and working on federal privacy legislation that could soon give consumers more rights over their data and limit businesses’ unchecked ability to collect and use that data. The European Union has already implemented these changes through its General Data Protection Regulation. Zuckerberg, one former Facebook employee surmised to WIRED, is just trying to get out ahead of the cops. Another former Facebook employee pointed out on Twitter that this surely limits the company’s ambitions to expand into China.
But the question is what Facebook’s priorities are now. Privacy isn’t free. If you prioritize it, you are often forced to deprioritize other things. Zuckerberg acknowledges this in his post by pointing out that it’s harder to police systems that are encrypted end to end. But he doesn’t address the biggest trade-off: Are these changes compatible with Facebook’s fundamental business model, which relies on a steady supply of user data? If these changes are truly implemented, there will be a substantial business cost to bear. Until he fully answers that, Zuckerberg’s vision of privacy will be incomplete.
More Great WIRED Stories