The Industry

How Mark Zuckerberg Protects His Own Privacy Online

And what that tells us about how he treats ours.

A woman poses in front of a computer displaying the Facebook logo in Mill Valley, California on March 21, 2018. 
A public apology by Facebook chief Mark Zuckerberg failed on March 22, 2018, to quell outrage over the hijacking of personal data from millions of people, as critics demanded the social media giant go much further to protect privacy. But with pressure ratcheting up on the 33-year-old CEO over a scandal that has wiped around $60 billion (48 billion euros) off Facebook's value, the initial response suggested his promise of self-regulation had failed to convince. / AFP PHOTO / JOSH EDELSON        (Photo credit should read JOSH EDELSON/AFP/Getty Images)
Does he look at Facebook privacy the way his users do? Josh Edelson/Getty Images

Facebook CEO Mark Zuckerberg held a rare conference call with reporters on Wednesday as part of the company’s newfound spirit of openness with the media in the wake of the Cambridge Analytica data scandal. The hourlong call addressed Facebook’s disclosure earlier in the day that the consulting firm may have gotten its hands on the data of as many as 87 million users, as well as a slew of changes to Facebook’s data policies.

The biggest news from the call may have been Zuckerberg’s insistence that Facebook does, in fact, intend to extend the key provisions from Europe’s benchmark new privacy law—the General Data Protection Regulation—to Facebook users around the world. He also addressed the alleged misalignment between the interests of Facebook’s business and those of its users. (In the long run, he maintains that they’re actually complementary.)

While other reporters drilled into the details of Facebook’s latest policy changes, I took the opportunity to ask him the kind of oddball question that probably helps to explain why he doesn’t hold this sort of press conference more often. His answer was perhaps more amusing than illuminating, but it did highlight a side of Zuckerberg that he has rarely addressed in public: his own Internet habits. (You can read the full transcript of Zuckerberg’s press conference here.)

We know Facebook relies on users to provide it with personal data, which comes with risks of misuse or manipulation (see: Cambridge Analytica). We also know Zuckerberg values his own privacy. He bought four houses adjacent to his Palo Alto, California, home only to tear them down and build his own “compound”; Facebook has given him millions of dollars for personal security services, including private planes; guards apparently patrol the streets outside his San Francisco apartment.

But what about when Zuckerberg is online? Does he guard his privacy as zealously there as he does in the physical world? Or does he do the things that Facebook’s platform has nudged its users to do, like signing up for apps, giving them permission to access their data (and their friends’), and letting advertisers track them around the web?

One of our few prior data points on this question comes from the (accidental) 2016 revelation that Zuckerberg covers his laptop’s webcam with tape—a privacy measure that’s not as paranoid as it might sound. Another is that he’s had his social media accounts hacked multiple times. At least one of those hacks claimed to use a password of his that was exposed in a 2012 LinkedIn breach, which implied that Zuckerberg had been using the same password for multiple sites and hadn’t changed it in years—two very basic privacy blunders.

On Wednesday, I asked Zuckerberg what online privacy measures he takes now. Does he use ad-blocking software, perhaps, or a virtual private network? And in particular, might he have signed up for a Facebook app like thisisyourdigitallife, the one that researcher Aleksandr Kogan built to harvest Facebook users’ data that he later fed to Cambridge Analytica?

“I don’t know about that one specifically,” he said of Kogan’s app. “But I use a lot of apps. I’m a power user of the internet here.”

“I’m a power user of the internet” was perhaps the call’s most memorable line, if only for its comedic value. But his response does suggest something substantive about Zuckerberg’s approach to online privacy: He seems to be sort of a pragmatist about it. He clearly recognizes that hacks and breaches can happen, but using Facebook less, avoiding third-party apps, or limiting his internet use do not seem to be part of his repertoire. Nor does he seem to distinguish much between privacy and security, which are two different issues that can sometimes be intertwined (as in the Cambridge Analytica leak). Here’s more from his response:

In order to protect privacy, I would just advise that people follow best practices around security: Turn on two-factor authentication, change passwords regularly, don’t have your password-recovery responses be information that you made publicly available somewhere. All the basic practices, and then just look out and understand that most attacks are going to be social engineering, and not necessarily people trying to break into security systems.

It’s noteworthy that at least two of his main recommendations—two-factor authentication and changing passwords regularly—are ones that Zuckerberg himself seems to have been burned for not following in the past. Unfortunately, Zuckerberg didn’t address whether he uses ad-blocking software or a VPN. Facebook and Adblock Plus have been engaged in a sort of arms race over the use of such software to block ads on the social network. One way to read his response is that he prefers talking about security to talking about privacy, since Facebook is known for its strong information-security practices but relies on users to share all kinds of personal data in order to power its advertising algorithm.

Of course, Zuckerberg has a vested interest in projecting the image of someone who uses various online services with confidence, accepting the possibility that his personal information might sometimes be compromised as the price of being an internet power user. It’s possible he’s actually browsing with Tor and communicating with Signal, and he just doesn’t want to admit that publicly. But we do know he uses Facebook a lot. Even when he was avoiding the press and his own employees at the height of the Cambridge Analytica news cycle, HuffPost’s Ashley Feinberg noted that he was busily liking posts on Facebook, from people such as Spotify CEO Daniel Ek and early Facebook investor (and chairman of Graham Holdings, Slate’s parent company) Don Graham.

If Zuckerberg is indeed a privacy pragmatist—as many people are—that’s convenient for him: Facebook and other big tech companies tend to favor restrictions on data’s use over restrictions on its collection. But a true pragmatist should recognize that Facebook’s historic approach to privacy, which gives users fine-grained control over various data sources and uses through a complex array of settings, has been deeply flawed. Few people take the time to comb through such settings, as Zuckerberg seemed to finally acknowledge in his response Wednesday when he said, “I hope that more people look at … the privacy controls that you have.” He went on:

I think we could do a better job of putting these tools in front of people and not just offering them, and I would encourage people to use them and make sure that they’re comfortable with how their information is used on our services and others.

That Facebook could do a better job of putting its privacy controls in front of users is an understatement. But at least Zuckerberg seems to be recognizing, at last, that just giving people a bunch of options hidden away in an obscure settings menu is insufficient.

Ideally, Zuckerberg would value his users’ online privacy the way he values his own privacy offline. If that were the case, however, he probably would never have built Facebook in the first place. It seems that the best we can hope is for Zuckerberg to value his users’ online privacy the way he values his own online privacy: enough to make basic privacy measures easy and readily available to them, while acknowledging that their data will probably never be 100 percent safe in his hands.

Read more from Slate on Cambridge Analytica.