Facebook revealed Wednesday that tens of millions more people might have been exposed in the Cambridge Analytica privacy scandal than previously thought and said it will restrict the user data that outsiders can access.
In a call with reporters Wednesday, Zuckerberg acknowledged he made a "huge mistake" in failing to take a broad enough view of what Facebook's responsibility is in the world. He said it isn't enough for Facebook to believe app developers when they say they follow the rules. He says Facebook has to ensure they do.
Facebook is facing its worst privacy scandal in years following allegations that Cambridge Analytica, a Trump-affiliated data mining firm, used ill-gotten data from millions of users through an app to try to influence elections.
Facebook said Wednesday that as many as 87 million people might have had their data accessed — an increase from the 50 million disclosed in published reports. Facebook is basing the estimate in part on the number of friends each user might have had. Cambridge Analytica said in a statement that it had data for only 30 million people.
On Monday all Facebook users will receive a notice on their Facebook feeds with a link to see what apps they use and what information they have shared with those apps. They'll have a chance to delete apps they no longer want. Users who might have had their data shared with Cambridge Analytica will be told of that. Facebook says most of the affected users are in the U.S.
Zuckerberg said fixing the company's problems will take years.
Besides the privacy scandal, Facebook also has been dealing with fake news, the use of Facebook to spread hate and discord and concerns about social media's effect on people's mental well-being.
These are "big issues" and a big shift for Facebook as it broadens its responsibility, Zuckerberg said. He added that he does think that by the end of this year the company will have "turned a corner" on a lot of the issues. Zuckerberg has made fixing the company his personal challenge for 2018.
As part of the steps it's taking to address scrutiny about outsiders' access to user data, Facebook outlined several changes to further tighten its policies. For one, it is restricting access that apps can have to data about users' events, as well as information about groups such as member lists and content.
In addition, the company is also removing the option to search for users by entering a phone number or an email address. While this helped individuals find friends, Facebook says businesses that had phone or email information on customers were able to collect profile information this way. Facebook says it believes most of its 2.2 billion users had their public profile information scraped by businesses or various malicious actors through this technique at some point. Posts and other content set to be visible only to friends weren't collected.
This comes on top of changes announced a few weeks ago. For example, Facebook has said it will remove developers' access to people's data if the person has not used the app in three months.
Although Facebook says the policy changes aren't prompted by recent events or tighter privacy rules coming from the EU, it's an opportune time. Zuckerberg is set to testify April 10 before a joint hearing of the Senate Commerce and Judiciary Committees, and a day later before the House Energy and Commerce Committee. The two sessions will be his first testimony before Congress. Separately, the U.S. Federal Trade Commission and various authorities in Europe are investigating.
Almost always, critics say, the changes meant a move away from protecting user privacy toward pushing openness and more sharing. On the other hand, regulatory and user pressure has sometimes led Facebook to pull back on its data collection and use and to explain things in plainer language — in contrast to dense legalese from many other internet companies.
The policy changes come a week after Facebook gave its privacy settings a makeover. The company tried to make it easier to navigate its complex and often confusing privacy and security settings, though the makeover didn't change what Facebook collects and shares either.
Several users were surprised to learn recently that Facebook had been collecting information about whom they texted or called and for how long, though not the actual contents of text messages. It seemed to have been done without explicit consent, though Facebook says it collected such data only from Android users who specifically allowed it to do so — for instance, by agreeing to permissions when installing Facebook.
On Wednesday, Facebook said will delete all logs after a year and in the future, the only information this tool will collect from now on is the data that it needs to operate and "not broader data such as the time of calls."
The new policy also makes it clear that WhatsApp and Instagram are part of Facebook and that the companies share information about users. WhatsApp will still have a separate policy as well, while Facebook and Instagram share one.
Reps. Greg Walden, R-Ore., and Frank Pallone, D-N.J., said the House Energy and Commerce Committee hearing will focus on the Facebook's "use and protection of user data." Walden is the committee's Republican chairman and Pallone is the panel's top Democrat.
"This hearing will be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online," Walden and Pallone said.
Walden and Pallone said last month that they wanted to hear directly from Zuckerberg after senior Facebook executives failed to answers questions during a closed-door briefing with congressional staff about how Facebook and third-party developers use and protect consumer data.
Zuckerberg said during a March 21 interview on CNN that he would be "happy" to testify before Congress, but only if he was the right person to do that. He said there might be other Facebook officials better positioned to appear, depending on what Congress wanted to know. Walden and Pallone said a day later that as Facebook's top executive, Zuckerberg is indeed the "right witness to provide answers to the American people."
Their call represented the first official request from a congressional oversight committee for Zuckerberg's appearance as lawmakers demanded that Facebook explain reports that Cambridge Analytica harvested the data of more than 50 million Facebook users.
The company, funded in part by Trump supporter and billionaire financier Robert Mercer, paired its vault of consumer data with voter information. The Trump campaign paid the firm nearly $6 million during the 2016 election, although it has since distanced itself. Other Republican clients of Cambridge Analytica included Sen. Ted Cruz's failed presidential campaign and Ben Carson, the famed neurosurgeon who also ran unsuccessfully for president in 2016.
The data was gathered through a personality test app called "This Is Your Digital Life" that was downloaded by fewer than 200,000 people. But participants unknowingly gave researchers access to the profiles of their Facebook friends, allowing them to collect data from millions more users.
It's far from certain what action, if any, the GOP-led Congress and the Trump administration might take against Facebook, but the company will almost certainly oppose any efforts to regulate it or the technology business sector more broadly.
As do most large corporations, Facebook has assembled a potent lobbying operation to advance its interests in Washington. The company spent just over $13 million on lobbying in 2017, with the bulk of the money spent on an in-house lobbying team that's stocked with former Republican and Democratic political aides, according to disclosure records filed with the House and Senate. The company sought to influence an array of matters that ranged from potential changes to government surveillance programs to corporate tax issues.