In a lengthy Facebook post published Wednesday, only days before the first anniversary of the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg provided a vision for a rethinking the company’s approach to social media, one that he promised would strengthen protections for consumer privacy.

At the heart of the proposal, entitled “A Privacy-Focused Vision for Social Networking,” is a plan to bet heavily on one-to-one and small-group communications protected by encryption. “Today we already see that private messaging, ephemeral stories, and small groups are by far the fastest growing areas of online communication,” the post read, in part. He predicted Facebook as we know it would continue to thrive as a platform for sharing messages with larger numbers of friends, but the company would also focus on building “a simpler platform that's focused on privacy first.”

In the days since the posting, Zuckerberg’s promise to focus on privacy has been met with skepticism by many consumer advocates. They welcome any move by Facebook to increase consumer protections, but will need to be convinced of the company’s intentions and follow-through. “This is Facebook’s most full-throated endorsement of privacy as a value,” says Justin Brookman, director of Consumer Privacy and Technology Policy at Consumer Reports, “Even if I don’t think that, at core, Facebook is committed to the fundamental changes they would need to make to really deliver on privacy.”

Facebook has had a troubled history when it comes to consumer privacy, including the misuse of consumer data by Cambridge Analytica, a political consulting firm, as well as widespread sharing of consumer data with other companies without user consent, and a significant data breach affecting almost 30 million users in October 2018

Beyond those scandals, day-to-day operations at the company rely on the collection of consumer data from a vast array of websites and apps in addition to the Facebook platform itself, using methods that are largely opaque to Facebook users. And while the company provides settings to restrict the number of outsiders who can see user's posts on Facebook, very few of the platform’s many settings allow consumers to control what data is collected by Facebook itself.

More about Facebook

“It’s good that they’re coming out to embrace privacy and security, but the devil is in the details,” says Kurt Opsahl, deputy executive director of the Electronic Frontier Foundation, a non-profit devoted to defending digital privacy. “We’ll need to see how it’s implemented.”

In fact, while Zuckerberg’s post included bold pronouncements, it didn’t reveal much concrete information about how those changes would actually work when used by consumers, and how well they’d really protect consumer privacy.

Consumer Reports reached out to Facebook for more detail about its plans for advancing Zuckerberg’s privacy agenda, but the company did not respond immediately.

So what would it take for Facebook to turn the corner on data privacy? Consumer Reports, in collaboration with other consumer rights and technology organizations, established a set of criteria in 2017 called The Digital Standard in part to help give companies a set of guiding principles for designing digital products and services that prioritize privacy and security. When you compare the Digital Standard side-by-side with Facebook’s current practices and future promises, you see how many questions remain.

The Limits of Encrypted Messaging

The most concrete step promised in the blog post last week was to introduce end-to-end encryption to Facebook Messages. “People's private communications should be secure,” Zuckerberg wrote. “End-to-end encryption prevents anyone—including us—from seeing what people share on our services.”

The technology is already available through WhatsApp, a messaging platform owned by Facebook since 2014, along with Apple’s iMessage, Signal, and other services, and it is endorsed by the Digital Standard as a way to prevent both hackers and intrusive governments and corporations from snooping on individual communications.

“It’s a basic best practice,” says Pam Dixon, executive director of the World Privacy Forum, a public-interest group focused on data privacy issues.

Privacy experts CR spoke with support Facebook’s promise to adopt encryption, but they caution against the assumption that this will significantly reduce the amount of data collected by the company.

Wednesday's Zuckerberg post says that metadata is used “run our spam and safety systems,” but it can also be used to add data to a consumer profile for selling targeted ads.

In fact, that's exactly what Facebook allows with its WhatsApp messaging platform. Its privacy policy says, in part: “Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads.”

"As Zuckerberg said, the content of messages is not super interesting," explains CR’s Brookman. "That selfie of you looking cute?  It’s hard to monetize that. But they’ll get the metadata, and that’s a lot more useful. Also, they get data about what you do off of Facebook—that wasn’t addressed in Zuckerberg's post, and that probably isn't going to change.”

Consumers Are Still the Product

It’s a cliché of the digital world that if you’re not paying for a service, you’re the product. There’s no better example than Facebook. The company makes its money by targeting consumers through ads, and that business relies on personal data.

The data, according to Facebook’s ad targeting page, includes the products you buy, the articles you read, the identities of your friends, your hobbies, the websites you visit for news and entertainment, your apps, and the places you work, shop, and vacation. Facebook collects data from a vast array of websites and apps, along with its own platforms. And it uses its data to place ads on other websites, too. You may not visit your Facebook home page for a month, and yet have multiple contacts with the company every day without ever realizing it.

There was little in Zuckerberg’s statement to indicate that Facebook plans on scaling back on this source of revenue, but it did hint at a new source: mobile payments. Near the top, he writes, “we all expect to be able to do things like payments privately and securely.”

Mobile payments are a fast-growing industry in the United States, led by services such as Apple Pay and Venmo. WhatsApp has already rolled out mobile payments in India, the platform’s biggest market.

Facebook could one day collect fees from vendors or credit card companies when you use WhatsApp or Facebook Messenger to pay for dinner or an Uber ride. In addition, last summer Facebook introduced a Business API for WhatsApp to convince U.S. companies about the platform’s potential for communicating with customers about shipments and answering their questions.

“Facebook’s venture into e-commerce might be a hedge against a world in which they don’t have access to as much data,” says CR's Brookman, in case legislators pass new privacy-protection laws or consumers find ways to avoid sharing as much information with the company.

Data That Disappears

Facebook has a number of privacy settings that allow you to control who can see your posts, how easy it is for internet users to look up your Facebook profile, and more. However, you have very little control over what data the company itself collects and uses for targeted advertising. Anything you post on Facebook or Instagram is fair game, as is the record of who you communicate with through WhatsApp. A 2018 Consumer Reports investigation explained how the company also collects data using browser-based tracking software called Pixels on most commercial websites, through mobile apps with sharing buttons, and by other means.

Ideally, privacy advocates say, consumers should be able to learn what data is being collected about them and exert meaningful control over it. As the Digital Standard puts it, when using a privacy-respectful service, you “can see and control everything the company knows” about you, whether it comes from the service’s own data collection or from third parties.

The Zuckerberg blog post doesn’t address the use of Pixels, or ways for consumers to limit most kinds of data collection. However, it does say that both messages and the metadata associated with them will be deleted or archived after a period of time. This is a positive step, according to privacy advocates.

“People have certain expectations about what happens to their data, and this is an opportunity to regain that trust,” adds Emory Roane, policy counsel at the Privacy Rights Clearinghouse, a California based consumer privacy group.

Consumers might welcome a number of these changes, including both the impermanence of data and the addition of end-to-end encryption. However, according to the Zuckerberg post, none of the changes are likely to come before the end of 2019, if not later.

And the company hasn’t always delivered on past promises. In the spring of 2018, for example, Zuckerberg announced that a "Clear History" setting would soon allow consumers to delete data Facebook had collected off the site and from third parties. Nearly a year later, the tool hasn’t appeared. It’s now promised for this spring, and it’s still unclear exactly how it will work. Consumer Reports e-mailed Facebook for more details about the rollout of "Clear History" but the company has not yet responded.

In the future, however, consumers may not have to rely as much on Facebook’s good intentions. The company is facing pressure to reform its data collection practices through the EU’s General Data Protection Regulation, or GDPR, which provides consumer protections for residents of Europe.

In the U.S., Consumer Reports has strongly advocated in favor of a number of state data protection laws, and legislation has been passed in California and elsewhere. A number of similar proposals at the federal level are gaining momentum among both Democrats and Republicans.

“Regulation is coming.” says CR's Brookman. 

What Happens to Facebook As We Know It?

One thing that’s clear from Zuckerberg’s post is that, despite all the promise of change, the core platform of Facebook isn’t going anywhere anytime soon. Within hours of releasing his memo, Zuckerberg affirmed in an interview with Wired that Facebook’s social media site would continue to exist in its present form. He added that the platform's News Feed wouldn’t disappear even as the company shifted toward smaller-group messaging.

“Facebook and Instagram and the digital equivalent of the town square will always be important,” he told Wired. “I actually think that they will continue to grow in importance.”

Despite all the fanfare, it’s possible and perhaps even likely that Facebook will change relatively little. “People seem to be taking this with a grain of salt,” says Brookman, noting that Wall Street has showed little reaction to Facebook’s privacy news. “Facebook's underlying business model of excessive data collection is not changing.”