In May 2019, the National Secretariat for Consumer Affairs (Senacon, for its Brazilian acronym) initiated an administrative process to investigate an alleged violation regarding brazilian citizens personal data, supposedly committed by Facebook in two cases of worldwide repercussion. The first case was the improper sharing of information in the scandal known as Cambridge Analytica. The second one was the alleged hacking of the social network in last September, that would have resulted in illegal access of personal pages of millions of people worldwide.
Senacon seeks to understand if there was an exposure of information regarding Brazilians citizens and if the Brazilian Code of Consumer Defense and Protection (CDC, for its Brazilian acronym) could be applied to both cases.
Facebook sent its manifestations to Senacon on May 27 of this year. In general, the two documents do not present any new information about what happened in both the Cambridge Analytica case and the hacker invasion. There are, however, curious details about the different practices of the company in Brazil and the USA.
The documents reveals, for example, the existence of “two Facebooks”, the American one, located in California and considered to be the actual responsible for the platform. There is, however, a quite different one, which is the Brazilian version of the social network.
“Facebook currently is the ‘Facebook platform’ provider for users located in Brazil. The platform service is not operated in Brazil. Facebook Brasil is an independent entity of Facebook. Facebook Brasil main activity is to provide services related to the rental of advertising space on the platform, placement of advertising pages and sales support, in addition to others services described in its social contract”, highlights the document.
In other words, all of Senacon’s questions were either sent to US Facebook headquarters, or, at least, were evaluated by people close to Mark Zuckerberg himself.
On the Cambridge Analytica scandal, the document sent by Facebook contains a summary of the scandal, the measures taken by the companies and presents data regarding the impact in Brazil.
For example, the document recalls the complaint was made in March 2018 by The New York Times, The Guardian and TV Channel 4 News. At the time, the media reported that Cambridge Analytica had access to people’s data through an app that promised a psychological test supported by Facebook. Users who took part on the test delivered to the company not only their personal information, but also data regarding of all their Facebook friends.
In the report presented to Senacon, the company also admitted it shared these information with Cambridge Analytica, which resulted in the exposure of more than 87 million user’s data. However, Facebook pointed out that the data analysis company used no data from Brazilian users, but at the same time, the company claims that there was an exposure of its data from Brazilian users.
According to the company, 84 people in the country (or 0.03% of the total) installed the app with the psychological test between November 2013 and November 17, 2015 – the exact period of the Cambridge Analytica app operated in the social network. Added to this was a large “friends of friends” group from those who download the app, which resulted in an exponential jump of people who had their data exposed.
“This results a total number of maximum 443,117 people in Brazil whose data may have been potentially shared with the app, which represents 0.51% of the global number of people potentially affected”, estimated Facebook in the document.
Facebook also commented the evidence that supposedly proved there was shared data regarding Brazilians. For example, it mentioned the statement regarding the executives at Cambridge Analytica, who supposedly have signed two contracts for the collection of personal data. The first contract covered 11 American states and the second determined the processing of information from people throughout the USA. In other words, the contracts only predicted US citizens.
Theft of Tokens
Another Facebook document sent to Senacon concerns an incident that occurred on September 25 2018. At the time, Facebook reported that suffered a hacker attack, which resulted an unauthorized access to tokens of access of the users of the social network accounts. This led to the use and interaction of third parties in three services within the platform: the “see how” functionalities, the happy birthday composer and the video loader.
According to Facebook, the “see how” mode allows a user to view their own profile from others Facebook users perspective. On other hand, the video uploader authorizes a user to upload videos into Facebook, and the happy birthday composer allows a user to congratulate another user by sending a message, photo or video while on the page of that other user.
The company reported that the FBI was informed of the attack and that the problem was corrected on September 27 2018. According to the document sent to Senacon, approximately 90 million accounts were considered to be invalid as a precaution at first. At the end of an internal investigation, it discovered that around 29 million tokens were effectively stolen.
Once again, the document sent by Facebook does not display new details about the hacker attack. However, Senacon’s technical report 109/2019 (document which issue statements by Senacons’ technical staff) points to unpublished information presented by Facebook about this attack: the estimation of Brazilian users affected by the attack.
“[According to Facebook] The estimation is that 2,546,633 Facebook users’ accounts in Brazil may have had their information accessed improperly. In this sense, Facebook notifies that it immediately adopted measures to tackle the vulnerability that the attackers had exploited, in order to guarantee the security of the user’s accounts, as well as notified the competent authorities”, says the Senacon document.
This information will be analyzed by Senacon, which should present its conclusion on the subject. However, the main goal is to establish a consumer relationship between Facebook and its users. The next step is to check if the Code of Consumer Defense and Protection (CDC) has been disrespected. However, this will not be an easy task.
In both cases, Facebook ruled out any disregard for consumer rights. On the other hand, Facebook did not deny the existence of a consumer relation.
In Senacon’s assessment, the consumer relationship between Facebook and its user exists and occurs when “it is established a relation between the Internet access or content provider, and the user that hires it and wishes to have access to the Internet or respective content, to satisfy a personal need” – informs in the report 109/2019.
Senacon’s report sets out yet another important requirement for a consumer relationship: payment. According to its report, it occurs indirectly and through the so-called cost per click. “The payment of the Facebook service is calculated by the number of clicks on a particular link (cost per click), constituting itself in a business model. In this way, the prices of the advertising contracts are made by the estimation of potential consumers, specified by the information they make available about themselves. This information constitutes a quota of social capital. In fact, the way Facebook operates in the virtual market characterizes an apparent free use of the services provided to consumers on the Internet”, says the document.
These conclusions in the report reinforce a perception of Senacon’s Secretary, Luciano Benetti Timm, in an interview with Consumidor Moderno in February this year.
At the time of the interview, he already showed concern with Facebook and highlighted the aspect of non-profit entity of the Facebook.
“Today, there are companies that operate as meeting places to people, such as Airbnb, Uber and other similar platforms. There are also social networks, which do not appear to have a profit-oriented purpose (access to networks such as Facebook and Instagram does not have a monetary cost). However, they are entities with a profit-oriented purpose. The idea is to understand what each of these companies are doing with this data, and, thus, making money.”
Business or Charity?
Another point that also reinforces the consumer relation concerns Facebook’s position as a company. Secretary Timm said the company needs to be more transparent about using consumer data for business purposes.
In the document sent to Senacon, for example, Facebook says that “it is a sharing platform,” and “its mission is to give people power to build communities and, ultimately, to have a more united world”. Such a statement does not make clear Facebook’s commercial appeal.
Senacon is also interested in this change in Facebook’s stance not just from the point of view of the consumer. It is also imperative for Brazil to meet the transparency requirements for the use of personal consumer data imposed by OECD members. Fortunately for Senacon, the yaw in Facebook’s speech has already begun to occur in other countries.
In Europe, the Cambridge Analytica scandal has accentuated this debate about the need for Facebook to be more transparent. In April 2019, the discussion gave the first result: the social network announced that it would change the user access agreement in order to make it clear that the company uses the user data for business purposes.
This debate could transcend Senacon’s walls. There are Procons (local consumer protection entities) in Brazil willing to discuss this type of relationship. In addition to this, the Brazilian judiciary has been discussing the issue in a growing number of cases on the matter, even though there is no consensus on it.