April 12, 2018

Luján Questions Facebook CEO Mark Zuckerberg

Today, during a House Energy and Commerce Committee hearing, Congressman Ben Ray Luján questioned Facebook CEO Mark Zuckerberg on Facebook’s collection of non-user data and his company’s failure to effectively protect the data of Facebook’s two billion users. Following the hearing, Luján released the following statement:

“Today was an important discussion. However, it’s not enough for the Committee to merely ask tough questions of CEOs every quarter or so. Whether it’s Facebook or Equifax or Best Buy or Uber, there seems to be no end to the privacy breaches, leaks of personal information, and data mining. As a result, the people we represent are being harmed by Congress’s failure to step in and take real action to protect their privacy and personal information.

“I know that these are hard, complicated issues without simple answers. I know we have strong ideological differences in how we approach these problems. Let me be clear though: doing nothing is not an option. The Committee must begin the process of moving legislation that meaningfully responds to these issues. Doing anything less would, as Mr. Zuckerberg said about Facebook’s failures, represent a ‘massive breach of trust.’”

You can watch the video of Rep. Luján’s exchange with Zuckerberg here.

A transcript has been provided below.

Luján: Thank you, Mr. Chairman. I want to pick up where Mr. Kinzinger dropped off here. Mr. Zuckerberg, Facebook recently announced that a search feature allowed malicious actors to scrape data on virtually all of Facebook's two billion users.

Yes or no– in 2013, Brandon Copley, the CEO of Giftnix, demonstrated that this feature could easily be used to gather information at scale.

Zuckerberg: [Does not respond.]

Luján: Well, the answer to that question is yes. Yes or no – this issue of scraping data was again raised in 2015 by a cybersecurity researcher, correct?

Zuckerberg: Congressman, I'm not specifically familiar with that. The feature that we identified, I think it was a few weeks ago, or a couple weeks ago at this point, was a search feature that allowed people to look up some information that people had publicly shared on their profiles– so names, profile pictures.

Luján: If I may, Mr. Zuckerberg, I will recognize that Facebook did turn this feature off. My question, and the reason I'm asking about 2013 and 2015, is that Facebook knew about this in 2013 and 2015 but you didn't turn the feature off until Wednesday of last week. The same feature that Mr. Kinzinger just talked about, where this is essentially a tool for these malicious actors to go and steal someone's identity and put the finishing touches on it.

So again, you know one of your mentors, Roger McNamee, recently said your business is based on trust, and you're losing trust. This is a trust question. Why did it take so long? Especially when we're talking about some of the other pieces that we need to get to the bottom of. Your failure to act on this issue has made billions of people potentially vulnerable to identity theft and other types of harmful malicious actors.

So, onto another subject– Facebook has detailed profiles on people who have never signed up for Facebook. Yes or no?

Zuckerberg: Congressman, in general we collect data from people who have not signed up for Facebook for security purposes to prevent the kind of scraping that you were just referring to.

Luján: So these are called shadow profiles, is that what they've been referred to by some?

Zuckerberg: Congressman, I'm not – I'm not familiar with that –

Luján: I'll refer to them as shadow profiles for today's hearing. On average, how many data points does Facebook have on each Facebook user?

Zuckerberg: I do not know off the top of my head.

Luján: So, the average for non-Facebook platforms is 1,500. It's been reported that Facebook has as many as 29,000 data points for an average Facebook user. Do you know how many points of data Facebook has on the average non-Facebook user?

Zuckerberg: Congressman, I do not off the top of my head but I can have our team get back to you afterwards.

Luján: I appreciate that. It's been admitted by Facebook that you do collect data points on non-average users. So, my question is, can someone who does not have a Facebook account opt out of Facebook's involuntary data collection?

Zuckerberg: Congressman, anyone can turn off and opt out of any data collection for ads, whether they use our services or not, but in order to prevent people from scraping public information, which, again, the search feature you brought up only showed public information, people's names and profiles and things that they'd made public, but nonetheless we don't want people aggregating even public information, we don't want that so we need to know when someone is trying to repeatedly access our services-

Luján: If I may, Mr. Zuckerberg, I'm about out of time. It may surprise you that we've not talked about this a lot today. You've said everyone controls their data, but you're collecting data on people that are not even Facebook users, that have never signed a consent, a privacy agreement, and you're collecting their data.

It may surprise you that, on Facebook's page, when you go to “I don't have a Facebook account and would like to request all my personal data stored by Facebook,” it takes you to a form that says "Go to your Facebook page" and then, on your account settings, you can download your data. So, you're directing people that don't have access – don't even have a Facebook page – to have to sign up for a page to reach their data. We've got to fix that.

The last question that I have is: Have you disclosed to this committee, or to anyone, all the information Facebook has uncovered about Russian interference on your platform?

Zuckerberg: Congressman, we are working with the right authorities on that and I'm happy to answer specific questions here as well.

Chair: The Gentleman's time is expired.

Luján: Thank you, Mr. Chairman.

Video of the complete hearing is available here.