In a December 18, 2018 bombshell expose, the New York Times admits it as well as more than 150 companies — “most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations”, received special access to Facebook user and friend information.  For example, Microsoft was granted access to user names, Yahoo was able to view posts, Amazon could obtain contact information, and Netflix could even read, write and delete Facebook private messages as well as see all users on a particular thread. Today, these companies either deny the claims outright, claim they were not kept in the loop as to their access capabilities, or simply suggest that such practices terminated.

Facebook today posted a blog post to “clear up” what is set forth in the article.  According to Facebook, most of the features that gave rise to such usage “are now gone”:

We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them.

Netflix told the Times it was “unaware of the broad powers Facebook had granted.”  It further said:  “At no time did we access people’s private messages on Facebook, or ask for the ability to do so.”  A Microsoft spokesperson told CNBC in a statement:  “Throughout our engagement with Facebook, we respected all user preferences.”  In another statement to CNBC, Amazon said: “We only use information in accordance with our privacy policy.”  Indeed, in the New York Times article, there is this self-reference: “The Times — one of nine media companies named in the documents — had access to users’ friend lists for an article-sharing application it also had discontinued in 2011.  A spokeswoman for the news organization said it was not obtaining any data.”

Pushing aside the pristine parsing of words now being used, the fact remains Facebook users were never explicitly made aware of this massive exchange of consumer data between Facebook and its partners.

Not far different from this latest Facebook entangle, Vanderbilt University computer science professor Douglas C. Schmidt, in a study released in August 2018, found that:  “A major part of Google’s data collection occurs while a user is not directly engaged with any of its products. And while such information is typically collected without identifying a unique user, Google distinctively possesses the ability to utilize data collected from other sources to de-anonymize such a collection.” Indeed, Android mobile devices send 10 times more data to Google than iPhones.

On August 13, 2018, the AP Newswire released an expose on Google’s geo-data collection practices – but only after retaining Princeton researchers to confirm exactly how Google was able to gather this data.   Stemming from this usage of consumer information, there is a newly consolidated Google class action suit.  Not surprisingly, Google is defending by claiming its data collection could be stopped by changing certain settings – users would simply need to turn off “web and app activity” settings that would, in effect, disrupt full usage of many of their apps.

Once upon a time, Google’s Code of Conduct was built on the motto “Don’t be evil”.  It’s parent company – Alphabet, however, chose not to even use the motto in its own Code after forming in 2015.  And, Google earlier this year explicitly removed the “Don’t be evil” motto from its Code of Conduct.  Instead, Google’s current Code of Conduct reads:  “And remember… don’t be evil, and if you see something that you think isn’t right – speak up!”  The fact those who do actually speak up are being fired or resign – such as one whistleblower on the company’s lack of gender diversity or another who left based on Google’s plans for Chinese censorship, this glib new wording should not instill much confidence going forward.

Given Google’s masterful ability to silence class action lawyers with buckets of cash and consumer cy pres funds, it is not expected the pending consolidation will effectuate any real change.  Moreover, despite Facebook’s numerous congressional representations regarding how it complies with GDPR on a global level, if not for the likes of EPIC and Max Schrems there would be no real pressure on either Facebook or Google to change any of their practices.

With 2019 coming closer into view, it becomes clear that many companies using and maintaining consumer data will likely continue into the New Year with their existing practices given they do not really care about compliance risk – nor do users apparently really care about privacy risk.  Until such time as the compliance and privacy risks are superseded by even greater risks – or overtaken by demonstrated economic benefits to both users and owners of data, it seems likely this status quo will remain intact in the coming year.

The first new business that can address this current apathy by creating tangible and easily understood economic benefits for all participants might very well succeed in modifying an entire ecosystem.  The motivation for launching such an enterprise is readily apparent. As recognized in the Times article:  “Personal data is the oil of the 21st century, a resource worth billions to those who can most effectively extract and refine it.”