General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy
Facebook's Security and Privacy Overhaul Comes at a Price
CEO Mark Zuckerberg Reports Decreased Revenue Growth, GDPR Impact(This story has been updated.)
See Also: Using the Netskope HIPAA Mapping Guide
Facebook is making substantial investments to improve its data security and privacy practices. But the long-term cost of those investments and impact on the bottom line has spooked investors, leading to a $120 billion loss in market value on Thursday, the largest one-day loss of value for a U.S. traded company.
CEO Mark Zuckerberg said in a Wednesday earnings call that his company had "a solid quarter," with revenue growing 42 percent year over year to $13.2 billion, and the social network now counting 2.2 billion active users monthly, with 1.5 billion people using it daily.
But Zuckerberg warned that the company's security and privacy initiatives are already impacting the bottom line and will continue to do so.
The company has been driven to overhaul its security and privacy practices as it faces probes in multiple countries into its mishandling of tens of millions of users' private details, which ended up in the hands of third parties such as Cambridge Analytica. Facebook's platforms have also been abused by nation-state actors and others as part of information warfare efforts as well as hate speech campaigns that have triggered violence in places such as Myanmar - aka Burma - as well as Sri Lanka (see Facebook Battles Election Interference, Internal Criticism).
Security and Privacy Investments
"Looking ahead, we will continue to invest heavily in security and privacy because we have a responsibility to keep people safe," Zuckerberg said. But as I've said on past calls, we're investing so much in security that it will significantly impact our profitability. We're starting to see that this quarter."
Dave Wehner, Facebook's CFO, then delivered the particulars on the earnings call.
"Our total revenue growth rate decelerated approximately 7 percentage points in Q2 compared to Q1," he said. "Our total revenue growth rates will continue to decelerate in the second half of 2018, and we expect our revenue growth rates to decline by high single digit percentages from prior quarters sequentially in both Q3 and Q4."
The drop in advertising revenue was most pronounced in Europe. Wehner blamed "reduced currency tailwinds and, to a lesser extent, the rollout of GDPR" - the EU's General Data Protection Regulation, which came into effect on May 25.
While Facebook's operating margins are currently 44 percent, and the company's profit grew in the second quarter, Wehner predicted margins would fall to the "mid-30s" over the next few years.
The news did not please investors. By the end of trading Thursday, the stock price was down 19 percent for the day.
Facebook Sees GDPR Impact
Wehner said that GDPR appeared to be having only a "modest impact" on the company's revenue growth, even though it was only in effect for about one month of the second quarter. In part, he said that's because people have been opting out of some data sharing.
"You've got the impact of the opt-outs," he said. "And while we're very pleased with the vast majority of people opting in to the third-party data use, some did not. That'll have a small impact on revenue growth. And then we're also seeing some impact from how advertisers are using their own data for targeting. Again, that will have a modest impact on growth."
Zuckerberg also noted that the beginning of GDPR enforcement on May 25 had a noticeable impact on the social network. "We did see a decline in monthly actives in Europe - down by about 1 million people as a result. At the same time, it was encouraging to see the vast majority of people affirm that they want us to use context - including from websites they visit - to make their ads more relevant and improve their overall product experience."
'Limits to Growth'
Investors may have been partly spooked by Facebook reporting that its advertising growth slowed most in Europe, apparently due in part to GDPR, even though analysts hadn't expected the new data privacy law to have any such impact.
"They're talking about currency headwinds, but more we think it's due to slower user growth given GDPR and more focus on privacy," said Morningstar analyst Ali Mogharabi, Reuters reported.
Some analysts reacted by noting that Facebook, as with other firms that rely on advertising revenue, cannot grow forever. "The core Facebook platform is declining," said Brian Wieser, an analyst at Pivotal Research Group, in an analysis published after the earnings call, Bloomberg reports.
"As we have written about extensively, the advertising industry - and digital advertising no less - has limits to growth, which we think is the primary factor constraining Facebook's revenue opportunity," Wieser said in his note. "While the company is still growing at a fast clip, the days of 30 percent-plus growth are numbered."
Investments in Artificial Intelligence
On the earnings call, Facebook said that it's taking repeat attempts to weaponize its platform for information warfare campaigns and to interfere in countries' electoral systems seriously.
In part, the company says it's doing that via artificial intelligence - in this case, however, perhaps more accurately known as machine learning (see What's Artificial Intelligence? Here's a Solid Definition).
"Our investments in AI mean we can now remove more bad content quickly because we don't have to wait until after it's reported," Zuckerberg said. "It frees our reviewers to work on cases where human expertise is needed to understand the context or nuance of a situation. In Q1, for example, almost 90 percent of graphic violence content that we removed or added a warning label to was identified using AI. This shift from reactive to proactive detection is a big change - and it will make Facebook safer for everyone."
Plans for Election Integrity, Countering Fake News
Sandberg also detailed broader efforts beyond AI. "We've taken strong steps to address a number of issues including election integrity, fake news and protecting people's information," she said on the earnings call. "One of the most important things we can do to effect change is to increase transparency because transparency leads to greater accountability."
Sandberg said technology and staffers were being used to try and spot as much unauthorized content as possible, but said that it continues to rely on users to flag content as well. "We wish we could find everything ourselves, but we never will, so we're building tools to make it easier for people to report issues to us."
She says that to combat information warfare campaigns, Facebook requires "political and issue" ad buyers to prove who they are. "Advertisers placing ads with political content are now required to verify their identity and location," Sandberg said. "These ads will be labeled with a disclosure about who paid for them and saved in a searchable archive."
CSO's Privacy and Security Prescription
Regardless, Facebook's senior management team appears to be making a serious effort to overhaul the social network's approach to security and privacy.
The new approach appears to align with a no-holds-barred analysis distributed internally at Facebook on March 23 by departing CSO Alex Stamos, who called on the company to get its privacy and security act together. He also said the company needed to listen when it was accused of doing something "creepy" by users or employees.
"We need to build a user experience that conveys honesty and respect, not one optimized to get people to click yes to giving us more access," Stamos wrote in his memo, which was first published on Tuesday by BuzzFeed.
Stamos called on senior managers to make the changes, even though they would undoubtedly affect revenue growth. "We need to deprioritize short-term growth and revenue and to explain to Wall Street why that is OK," Stamos wrote. "We need to be willing to pick sides when there are clear moral or humanitarian issues. And we need to be open, honest and transparent about our challenges and what we are doing to fix them."
Facebook Faces GDPR Complaints
GDPR may yet have a more direct impact on Facebook, since companies can be reported to independent authorities for alleged violations of the data protection law.
At midnight on May 25, Austrian privacy rights campaigner Max Schrems filed complaints worth €3.9 billion ($4.6 billion) against Facebook and its WhatsApp and Instagram subsidiaries, accusing them of forcing users to accept "coercive" new terms that undercut GDPR's protections (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).
Schrems heads a new privacy lobbying group call noyb - for "none of your business." He's previously filed claims against Facebook, Google and other technology giants alleging that they violated European privacy laws.