What just happened at Facebook

Facebook CEO Mark Zuckerberg’s apology tour is in full swing, but first some more bad news: Those 50 million profiles “improperly shared” with right-wing political targeting firm? The new number is 87 million, but Facebook doesn’t even seem entirely sure about that.

That was just one of the announcements Zuckerberg made Wednesday as he and COO Sheryl Sandberg finally broke their silence over the Cambridge Analytica scandal, which has triggered a criminal investigation in the U.K. and hearings in Congress and Parliament.

First up, the company announced that Zuckerberg will address Congress — in person — over privacy concerns. Then it announced changes to restrict the type of data app developers and “ecosystem” partners can pull out of Facebook. It also revealed that scammers may have scraped the public profile of “most” of the company’s two billion users using a little-known feature that allows users to match a profile with an email address or phone number. Finally, it launched a reworked data policy and terms of service to make everything clearer.

Facebook has been eager to claim that these changes have been “in the works for some time,” but it also seems Facebook is desperate to prove they can protect data and get a handle on fake news and foreign interference in elections before the 2018 midterms arrive.

Here’s what just happened:

Zuckerberg has finally relented and agreed to face Congress for the first time. He’ll appear on April 11 before the House Energy and Commerce Committee, when lawmakers will take in the scope of the data leak and presumably ask Zuckerberg what he’s doing to fix the problem.

Facebook has previously put other executives in front of committees, most recently general counsel Colin Stretch testified to multiple committees investigating how Kremlin-linked Russians purchased political ads during the 2016 election.

When the CA scandal broke, it was claimed that 50 million Facebook users data was harvested. On Wednesday Facebook updated that figure. “In total, we believe the Facebook information of up to 87 million people — mostly in the U.S. — may have been improperly shared with Cambridge Analytica,” CTO Mike Schroepfer wrote in the blog post.

Key words here: “up to” and “may have.”

Of that total, 70 million were based in the U.S. and the company said that from next Monday it would begin informing the people it believes were targeted.

Given that the Cambridge Analytica scandal has was about an app that harvested data not just on their own users but their users friends (without their knowledge,) changes to that system seemed inevitable.

On Wednesday, Schroepfer detailed those in another blog post.

From now on apps on Facebook will have a much more restricted ability to access the information of people around the person using the app. For example, apps will no longer be granted permission to information about people who attend an event organized on Facebook by the person who created the event.

Facebook will also tighten the process of how it approves all apps that request access to information such as check-ins, likes, photos, posts, videos, events and groups.

Buried in the news was Facebook trying to get ahead of another brewing privacy scandal built right into the product. That’s the ability to search for users using their phone number or email address, common in countries with lots of people with the same name.

But it turns out the feature was really popular with scammers who use it to scrape profiles. Schroepfer explained:

Facebook confirmed to Bloomberg Wednesday that it scans the links and images people send via its Messenger app. It also confirmed that it reads the contents of chats after they have been flagged to moderators to ensure the content abides by the company’s community standards.

Last month it was revealed that Facebook had been collecting call and SMS data from users of its Messenger and Facebook Lite apps on Android. This “opt-in feature” was used to improve its friend recommendation algorithm by requesting access to contacts, SMS data, and call history.

On Wednesday the company announced that it wasn’t getting rid of the feature entirely, but was limiting the amount of data it was collecting, and attempted to reassure users that it wasn’t reading the contents of messages.

“We’ve reviewed this feature to confirm that Facebook does not collect the content of messages — and will delete all logs older than one year,” Schroepfer said.

While the feature had been in use for years, it gained more attention after users began to download the data Facebook held on them and were alarmed by the scale of information the company held about them.

After years of failing to tell people just how their data was being shared, Facebook said Wednesday that “it’s important to show people in black and white how our products work.”

To that end the company updated its terms of service and data policy to make things “clearer.”

The company pointed out that it was “not asking for new rights to collect, use or share your data” and it wasn’t “changing any of the privacy choices you’ve made in the past.”

Having taken the decision to change past behavior and agree to talk to Congress, Zuckerberg continued the trend by making a rare conference call with reporters to answer questions about everything that had been happening in recent weeks.

Zuckerberg admitted he and the company had erred.

“We didn’t take a broad enough view of what our responsibility is and that was a huge mistake," he said during the 50-minute call with reporters. “It was my mistake.”

Facebook published a transcript of the call “Hard Questions” suggesting that Zuckerberg had dealt head-on with the most difficult issues engulfing the company at the moment.

However with issues to deal with in Indonesia, Myanmar, the U.K., India and elsewhere, it’s likely Zuckerberg will have many more difficult questions to answer.

Cover image: Leslie Xia