Facebook’s new privacy pledge may limit law enforcement and intelligence agencies’ access to data

Jenna McLaughlin
National Security and Investigations Reporter
Facebook CEO Mark Zuckerberg. (Yahoo News photo Illustration; photos: AP, Getty Images)

On Wednesday, Facebook CEO Mark Zuckerberg debuted his grand vision on privacy and the future of Facebook: a place where you will be able to send messages privately, automatically erase sensitive conversations, store your data outside the reach of authoritarian countries and send and receive payments securely.

His proposal was instantly derided by privacy advocates, security journalists and hordes of Facebook critics online, given the tech giant’s track record of prioritizing the monetization of users’ data. If Zuckerberg’s shift toward total privacy is real, however, it could affect the intelligence community and law enforcement, which has spent the last several years warning about criminal and terrorist communications “going dark,” thanks to strong encryption that scrambles messages, making them unreadable to outside parties.

Just a day before Zuckerberg’s post, FBI Director Chris Wray, like his predecessor Jim Comey, argued “it can’t be a sustainable end state for there to be an entirely unfettered space that’s utterly beyond law enforcement for criminals to hide.”

But the implications of Zuckerberg’s pledge would depend on a number of factors, according to former law enforcement and intelligence officials, including how far Facebook will go to limit even the company’s access to its users’ data as well as the continuing usefulness of social media content and data mining to law enforcement and intelligence agencies.

Facebook has over the years proactively shared a large amount of data about threats, including terrorism, according to one tech executive and former intelligence officer, and the intelligence community combined that data with other sources and in some occasions acted on those reports.

“Those referrals have led to a lot of disruptions or even Hellfire missiles launched at certain people or camps,” the source said.

If that kind of data flow ends, “the [intelligence community] is probably going to be grumpy,” the source added.

FBI Director Christopher A. Wray listens to comments during a hearing on Capitol Hill, on Oct. 10, 2018. (Photo: Mark Wilson/Getty Images)

A second former military source confirmed that “this data is some of what is used.” The former military official casted doubt that the privacy pledge would cut the government out of Facebook’s data streams. “Data is the business model, and the government pays mint for it.”

For many years Facebook has provided useful information to national security professionals. Even if Facebook were no longer able to provide content to investigators, its ability to share other information, including open source data, would remain useful, experts argue.

Nearly 10 years ago, Facebook’s algorithms were already sophisticated enough to discover and remove accounts belonging to undercover FBI agents seeking information about crimes online, according to one former bureau source directly familiar with the work. (Facebook later provided law enforcement officials with training on its platforms but refused to bring the offending accounts back online.)

In his blog post on Wednesday, Zuckerberg said he remained committed to working with law enforcement to find ways to allow them to access information — without accessing the content of private messages — “by detecting patterns of activity or through other means.”

While that vague suggestion doesn’t reveal the methods by which Facebook’s machine-learning algorithms track suspicious accounts, it suggests the company would continue to help law enforcement identify “bad actors.”

Facebook spokesperson Dayla Browne told Yahoo News the company does not have further information to offer at this time, pointing to Zuckerberg’s comment that “a lot of this work is in the early stages” and that Facebook would over the “next year and beyond” be working on “details and tradeoffs ... related to each of these principles.”

According to multiple blog posts shared by Facebook about its monitoring and removal of terrorist content, a lot of that propaganda is public facing, and the platform has gotten good at tracking accounts that share it. According to a blog post from Facebook from November 2018, Facebook’s automation had become so advanced that it can detect terrorist content in 19 different languages.

Even without providing law enforcement with the content of private messages, Facebook might still hand over login IP addresses from countries of interest, contact lists and communication metadata, phone numbers linked to public facing accounts that have shared concerning posts publicly or geolocation data.

As for content, another former FBI employee suggested that not much would change involving compliance with law enforcement. Facebook complies, but they “require a lot of process” and “only give what’s specifically asked” for, the former employee said.

Even if the intelligence community and law enforcement lose access to some content, metadata and data generated by connections between accounts is already very powerful. Law enforcement was often able to map “the hierarchy of a terrorist cell” in its entirety just from metadata, said Jim Harris, a former FBI agent who also worked as an engineer for IBM.

Harris said he found Zuckerberg’s privacy pledge, if genuine, “completely and utterly reasonable.”

Some privacy and technical experts expressed concerns about the statement, however, including Facebook’s willingness to track “patterns of activity” to replace content.

“It definitely sounds like they're considering proactive metadata tracking and monitoring for law-enforcement-related purposes,” Jake Laperruque, a senior counsel at the Project on Government Oversight working on privacy and government surveillance, wrote in an email to Yahoo News. “It would certainly be worrisome for a communications company to be playing policeman.”

“Another factor that raises concern is for a private company like Facebook — which certainly doesn't treat all crimes or classes of suspects equally for takedown and reporting,” he wrote, is “if they're going to start deciding who constitutes ‘bad actors’ and monitoring them as a result.”

Regardless, Zuckerberg’s claims of wanting users to have total privacy should be taken with a grain of salt, experts say, given that Facebook’s revenue hinges on its ability to access people’s data. “I'm skeptical in general about this privacy push,” said the tech executive and former intelligence official.

It’s also unclear whether Facebook would eliminate its ability to decrypt users’ messages if served with a law enforcement request. Facebook could maintain access to a master key to decrypt messages.

A member of a pressure group protests as Mark Zuckerberg fails to attend a meeting on fake news held in London on November 27, 2018. (Photo: Toby Melville/Reuters)

Attempts at boosting projects related to privacy have hit snags in the past. Zuckerberg touted the success of WhatsApp, the encrypted messaging application that Facebook acquired for $19 billion in 2014, but then clashed with the application’s co-founders, Brian Acton and Jan Koum.

In March 2018, Acton suggested users should “#deletefacebook.” He followed it up with an interview several months later, telling Forbes magazine, “I sold my users’ privacy to a larger benefit.”

Acton didn’t immediately respond to a request for comment about Facebook’s new pledge.

Koum also chose to move on from Facebook, reportedly over similar privacy concerns, though he was still technically employed and vesting stock, helping to “transition WhatsApp leadership,” according to Facebook.

As users leave Facebook and its popularity falls, it’s possible the privacy pledge and shift toward facilitating payments might be a new business plan. According to one former Facebook executive, this has long been a dream of Zuckerberg’s.

“As an engineer, Mark has always been more interested in encryption,” the source said, but the business and government arms of Facebook proved stumbling blocks. Sheryl Sandberg “pushed him” to cooperate with law enforcement.

One area that might concern law enforcement and intelligence officials the most in Zuckerberg’s proposal is his idea of retaining metadata and content for very short periods of time and allowing for disappearing messages within seconds.

NSA is currently in discussions over winding down its controversial telephone metadata program exposed by former NSA contractor Edward Snowden in 2013, which allowed it to collect information, though not content, from telecoms about Americans’ phone calls. The data that intelligence agencies want may now reside increasingly within social media companies like Facebook or applications like WhatsApp.

In that sense, Zuckerberg’s encryption move appears to be preemptive block to the public outcry that resulted when the NSA’s collection of telecom data was revealed.

“Hopefully the external vision is reflected in internal moves to change product culture that informs thousands of product and engineering decisions per year,” wrote Alex Stamos, the former chief security officer at Facebook, in a tweet.

“Turning a ship that large is difficult.”

_____

Read more from Yahoo News: