The UK government has just used an obscure parliamentary mechanism to obtain confidential Facebook documents. It is believed these documents contain “significant revelations” about the internal Facebook policy decisions that allowed the Cambridge Analytica scandal to happen. This includes sensitive emails between senior executives and CEO Mark Zuckerberg himself.
British authorities have become frustrated at their inability to bring the US social media giant to account for allowing political consulting firm Cambridge Analytica to mine the personal details of some 87 million users in order to influence the electoral processes.
So what actually happened?
The files
Six4Three is a machine learning company who developed a classy Facebook app called Pinkini, which let you search friends’ photos for pictures of them in a bikini. Facebook shut the app down after updating its terms of service, causing Six4Three, who had invested some $250,000 in the app, to sue Facebook.
As part of the formal discovery processes, where the plaintive gathers evidence for its lawsuit, Six4Three obtained a cache of internal Facebook documents. Six4Three claims these documents show that, not only did Facebook know its privacy policy could be exploited, but that it actively encouraged Cambridge Analytica to do so!
Needless to say, Facebook rigorously denies this allegation. The lawsuit is ongoing, and all files related to it have been sealed by order of a California judge. Anyone sharing the files or making them public can be charged with contempt of court.
The arrest
The files are clearly of interest to British authorities wanting to bring Facebook to account for its role in the scandal. So when Six4Three CEO Ted Kramer, visited London for business carrying a laptop containing all the discovery documents this week, they pounced.
Damian Collins, the Conservative MP and chair of the culture, media and sport select committee (he also chairs an enquiry into fake news) invoked an obscure Parliamentary mechanism to send a armed guard to escort Kramer to parliament.
There he was threatened with fines and arrest unless he handed over the documents. Which he eventually did. In a statement, Collins said:
“We are in uncharted territory. This is an unprecedented move but it’s an unprecedented situation. We’ve failed to get answers from Facebook and we believe the documents contain information of very high public interest.”
Facebook has sent a letter to parliament demanding that it respect the California sealing order and not look at the documents.
A privacy lesson – why no logs is important
What happens after this frankly extraordinary series of events is anyone's’ guess, but it will no doubt require a lot of popcorn to watch.
It does highlight, how vulnerable data is when individuals are placed under pressure. No matter how good a company's privacy policy, no-one is going to go to jail (or worse) to protect your data.
This is why at ProPrivacy.com we are big fans of no logs VPN providers. It is a cold hard fact that if information exists then it can be coerced from individuals. We usually think in terms of legal repercussions, but violent criminals and despotic regimes can conceivably make their case even more forcibly, should they want the information strongly enough.
But no-one can hand over data that doesn't exist. Just be aware that even the most privacy-activist VPN service can be compelled to start keeping logs at any time by someone in a position to do so.
Which brings us to another important point.
Possession is nine-tenths of the law
Whether or not the UK Parliament had the right to seize and threaten Mr. Kramer, will no doubt come under intense scrutiny and be the subject of heated debate.
But it has happened, and Parliament got what it wanted. Because it could. And whatever the legal technicalities of a situation might or might not be, it is clear that Kramer felt he had no choice but to cooperate with the demands made of him.
A similar situation exists with VPN services which are incorporated in exotic places such as the Seychelles or British Virgin Islands.
In some ways these locations are ideal because they have very relaxed data retention laws and are highly resistant to overseas governments enforcing their will on companies registered there.
But in most situations, VPN companies theoretically located in such places will not have the majority of their staff or central server infrastructure based there.
The company might therefore be very resistant to legal threats, but this is of little use when local police smash down office doors, arrest staff, and seize servers. In such situations, and no matter what the legal niceties are, staff will cooperate with the local authorities who are threatening their freedom.
Conclusion
The UK government's seizure of Facebook’s files is a fascinating development on many different levels, and this story is far from over. It does highlight, however, that data is never safe if it can be physically seized and/or its possessors threatened with personal consequences if they fail to hand it over.
When it comes to VPNs, it demonstrates why keeping no logs that can be handed over is so important, but also highlights the vulnerability even the strictest no-logs providers have to determined adversaries who willing to use strong-arm tactics to get what they want…