UK Digital Minister Matt Hancock was doing his patented tough guy act yesterday as the U.S. Congress was quizzing Facebook CEO Mark Zuckerberg over the data privacy/Cambridge Analytica/Fake News scandals.
After a closed session with Facebook staffers, Hancock pledged to “hold their feet to the fire” if the company didn’t buck up its ideas. He talked about regulation being brought in, but failed to explain what this might be or what sort of timescales we’re talking about here, so no-one’s any the wiser.
As this is a government that’s claimed to have introduced new data protection laws when in fact it’s just rolled out the legislative requirements of the EU’s General Data Protection Regulation (GDPR), I’m not holding my breath for much clarity coming any time soon.
Zuckerberg was asked to attend the UK version of these hearings, a session in front of a committee in the House of Commons. He declined, choosing to send along other execs to deputise for him. While not attempting to paint UK politicians as a whole with much more tech nous - again, with all due deference to those who demonstrably do have it - Select Committees in the UK tend to be far tougher than the fawning over the American Dream that we saw this week from some in Congress.
It seems pretty much universally agreed that the two-day grilling of Mark Zuckerberg by U.S. politicians in Congress this week was a hugely wasted opportunity. The politicos grandstanded or flagged up their lack of tech savvy - with some notable credible exceptions - while the Facebook CEO seemed happy to admit to not having answers, parroting, “My team will follow up with you.”
As Zuck won’t get on a plane for a dressing down by UK MPs, the government isn’t able to put the right questions to him. But in the event that Facebook doesn’t want its toes set on fire by Hancock, here are ten topics that the Minister could ask Zuckerberg - even if it’s only via Messenger…
(1) How much is a lot of data?
You said to Congress, “We limit a lot of the data that we collect and use.” What does this mean in practice? How much is “a lot”? How do you determine what should be collected and what should not? Isn’t this just another way of saying that you could be harvesting a lot more data but you (currently) don’t choose to?
(2) Why track logged-out users?
Facebook is said to track users even after they’ve logged out of the app/service. You gave two different reasons for this when questioned by Congress. First you said that this was for security reasons. But 24 hours later, you said it was for advertising purposes. Which is it? Why did you change your story?
(3) Why collect data on non-users?
Facebook also gathers data on people who are not Facebook users. This can happen when, for example, Facebook pulls data out of contact books. These are known as ‘shadow profiles’, a term that you claim not to be familiar with. Why did you tell Congress when asked about getting data from non-Facebook users that, “I’m not sure. I don’t think that that’s what we’re tracking.” You’re the CEO - why don’t you know the answer? And do you really expect us to believe that the concept of the ‘shadow profile’ isn’t something you know about?
(4) Didn't you do your homework?
You went to the Congressional hearings with some embarrassing gaps in your knowledge, mostly around subjects that your advisors should clearly have expected you to be asked about. For example, it’s inconceivable that you wouldn't have been asked how many fake accounts Facebook has removed to date or to provide a list of apps that you’ve banned for passing on data to third parties. Equally, how many Facebook 'Like' and ‘Share’ buttons are there on non-Facebook websites? Why didn’t you come prepared? Did you hope just to wing it? And do you now have answers to those questions that you are able to share?
(5) To Russia with love?
You stated that you do not know whether it's possible that the data given to Cambridge Analytica might be stored in Russia. Let’s take that from a different angle - you've said Facebook co-operates with “valid law enforcement requests”. Can you guarantee that Facebook itself has not shared any information/data with the Russian authorities? On a related question, why are you unable to confirm or deny whether Facebook staffers worked with Cambridge Analytica when it was working with the Trump election campaign in 2016?
You have said that Facebook now takes electoral tampering as a top priority, having in 2016 dismissed the idea. While attention in the U.S. has obviously focused on Trump v Clinton, have you made any attempt to determine whether any external influence was exerted during the Brexit referendum in the U.K. earlier in 2016?
(6) How long does it take to get out?
When asked how long Facebook retains user data after an account is deleted, you were unable to provide a specific guarantee of how many hours/days/weeks it takes, saying only “I think we try to move as quickly as possible.” Will you put in place a maximum timescale for deletion? And if not, why not? How many times has Facebook conducted an audit to ensure the deletion of improperly transferred data?
(7) Let's talk about minimum standards
Many commentators have called on Facebook to have default privacy settings that ensure that you collect the absolute minimum amount of users’ personal information possible. When asked by Congress if you’d do this, you stalled by saying, “This is a complex issue that deserves more than a one-word answer.” You can have as many words as you like - explain what the issue is here? Other than causing bottom line pain to your targeted advertising revenue model.
(8) Are you seriously picking a fight with Cambridge University?
You’ve suggested to Congress that you’re exploring whether “there was something bad going on at Cambridge University overall that will require a stronger action from us”. The University has issued a very robust rebuttal, stating “We would be surprised if Mr Zuckerberg was only now aware of research at the University of Cambridge looking at what an individual’s Facebook data says about them. Our researchers have been publishing such research since 2013 in major peer-reviewed scientific journals, and these studies have been reported widely in international media. These have included one study in 2015 led by Dr Aleksandr Spectre (Kogan) and co-authored by two Facebook employees.” Are you trying to divert blame away from Facebook and onto one of the UK’s most globally-respected academic institutions?
(9) What's today's GDPR policy?
Last week you told Reuters in an interview that while Facebook would comply with GDPR in the European Union, U.S. customers should not expect all the same protections and benefits. Since then you’ve reversed your position and told Congress that American users will get the same rights, although you were not able to state that this would happen on 25 May when GDPR kicks in. Why not? It seems that your GDPR policy/position is not set in stone with just over 30 working days to go. Why? Is this just another data-related question that Facebook hoped no-one would ask? And assuming you do put a GDPR-avatar in place, will this then permit EU users to insist that no personal data is processed in the U.S.?
(10) The really big question
How the hell did you get yourself into this mess?
There you go Minister Hancock - a few questions to get you started. Do let us know what you find out.