This article is more than 1 year old

Social networks have already violated the spirit of GDPR

Closing off researchers’ access to APIs in the name of ‘safety’ means we’ll never know how we’re being screwed

Every morning in recent weeks and for a couple more we’ll wake up to the same slew of emails from online services touting their new terms and conditions, and their “better for our users” privacy arrangements. Before thanking them it might be wise to consider the broader context for these unexpected acts of customer-focused kindness.

None of this has anything to do with the recent grilling Mark Zuckerberg received before the US Congress, an exercise that mostly revealed how few senators even knew the right questions to ask of the billionaire who enriches himself by eroding the privacy of others. Zuckerberg remains the walking, talking proof of Honoré de Balzac’s observation, “Behind every great fortune lies a great crime.”

The European Union, more aware of the dimensions of this theft than its counterparts in the USA, have passed a strict set of laws, together known as the General Data Protection Regulation (GDPR).

GDPR will be much in the news as we approach its 25 May 2018 enforcement date.

GDPR is also the reason for all those emails you’re getting of late, because many data-hungry businesses have been caught on the wrong side of it.

You might suppose these firms, guided by a new regulatory framework for the collection, analysis and disposal of customer data, would take the hint and lift their games, and become more transparent, open, accessible and visible.

Axe Cutting Wood

IETF: GDPR compliance means caring about what's in your logfiles


Of course exactly the opposite has happened. In the wake of and under the fig-leaf cover of the Cambridge Analytica breach of 87 million profiles, Facebook has pulled up the drawbridge, shut down its APIs, and proclaimed themselves just-about-GDPR-compliant - not just in the EU, but throughout the world.

Which sounds very promising - but like so much of what Facebook says publicly, never as good as it seems. Shutting down the APIs terminates third-party misuse of Facebook’s profile data, that part is true, but Facebook has been known to misuse their own data, and these “privacy” changes have now made that harder to detect.

Scores of social media researchers - who spend endless hours performing analyses of Facebook and Twitter and Instagram and all the others, learning how fact, rumor and belief ripple through a connected world - have publicly objected to Facebook’s changes, pointing out that the same changes that block third party commercial organisations also blocks research (as shown by this list of “Publications that could not have existed without access to API data”).

Independent? Yeah, nah, not so much

Facebook has nominated a “research panel” to approve studies within the social network - and despite Facebook calling this an “independent” panel, there’s a broad concern that it will be under the thumb of the behemoth, so any research Facebook doesn’t want to see could be denied approvals - and that will be that. In this, GDPR produces the opposite of intended effect, closing down and hiding things that are best made open and transparent.

We can trust that other social media firms will soon follow Facebook’s lead, looking at how to observe the letter and violate the spirit of the GDPR, using legislation to rewrite the social contract between data provider (us) and data monetiser (them) to make it even more of a one-way affair. All in the name of safety.

In an age of pervasive surveillance capitalism, transparency is the only real safety. If you can’t see what’s being collected, if you can’t examine it in detail, if you can’t block or delete any part of that record, then it’s not a contract - it’s slavery, for your data is being forcibly expropriated and put to work in algorithmic salt mines.

It is not enough to trust the self-serving statements of any trillion-dollar corporation. We need to be able to verify that their actions are as good as their words, and we need to be able to inspect, interrogate, and reflect upon their acts in real-time, not in some years-later reveal of a massive data breach.

Demanding less than this from these data vultures would be to surrender all rights - not just to privacy but to anything else that can be measured about us, by anyone anywhere. That’s precisely the world GDPR is meant to avoid, yet we can now see it being twisted, shaped into the jaws of an even-more powerful trap.

Socius cave: sharer beware. ®

More about


Send us news

Other stories you might like