Privacy commissioners from the Americas, Europe, Africa and Australasia have put their names to a joint statement raising concerns about a lack of clarity from Facebook over how data protection safeguards will be baked into its planned cryptocurrency project, Libra.

Facebook officially unveiled its big bet to build a global digital currency using blockchain technology in June, steered by a Libra Association with Facebook as a founding member. Other founding members include payment and tech giants such as Mastercard, PayPal, Uber, Lyft, eBay; VC firms including Andreessen Horowitz, Thrive Capital and Union Square Ventures; and not-for-profits such as Kiva and Mercy Corps.

At the same time, Facebook announced a new subsidiary of its own business, Calibra, which it said will create financial services for the Libra network, including offering a standalone wallet app that it expects to bake into its messaging apps, Messenger and WhatsApp, next year — raising concerns it could quickly gain a monopolistic hold over what’s being couched as an “open” digital currency network, given the dominance of the associated social platforms where it intends to seed its own wallet.

In its official blog post hyping Calibra, Facebook avoided any talk of how much market power it might wield via its ability to promote the wallet to its existing 2.2 billion+ global users, but it did touch on privacy — writing “we’ll also take steps to protect your privacy” by claiming it would not share “account information or financial data with Facebook or any third party without customer consent.”

Except for when it admitted it would; the same paragraph states there will be “limited cases” when it may share user data. These cases will “reflect our need to keep people safe, comply with the law and provide basic functionality to the people who use Calibra,” the blog adds. (A Calibra Customer Commitment provides little more detail than a few sample instances, such as “preventing fraud and criminal activity.”)

All of that might sound reassuring enough on the surface, but Facebook has used the fuzzy notion of needing to keep its users “safe” as an umbrella justification for tracking non-Facebook users across the entire mainstream internet, for example.

So the devil really is in the granular detail of anything the company claims it will and won’t do.

Hence the lack of comprehensive details about Libra’s approach to privacy and data protection is causing professional watchdogs around the world to worry.

“As representatives of the global community of data protection and privacy enforcement authorities, collectively responsible for promoting the privacy of many millions of people around the world, we are joining together to express our shared concerns about the privacy risks posed by the Libra digital currency and infrastructure,” they write. “Other authorities and democratic lawmakers have expressed concerns about this initiative. These risks are not limited to financial privacy, since the involvement of Facebook Inc., and its expansive categories of data collection on hundreds of millions of users, raises additional concerns. Data protection authorities will also work closely with other regulators.”

Among the commissioners signing the statement is the FTC’s Rohit Chopra, one of two commissioners at the U.S. Federal Trade Commission who dissented from the $5 billion settlement order that was passed by a 3:2 vote last month.

Also raising concerns about Facebook’s transparency about how Libra will comply with privacy laws and expectations in multiple jurisdictions around the world are: Canada’s privacy commissioner, Daniel Therrien; the European Union’s data protection supervisor, Giovanni Buttarelli; the U.K.’s information commissioner, Elizabeth Denham; Albania’s information and data protection commissioner, Besnik Dervishi; the president of the Commission for Information Technology and Civil Liberties for Burkina Faso, Marguerite Ouedraogo Bonane; and Australia’s information and privacy commissioner, Angelene Falk.

In the joint statement — on what they describe as “global privacy expectations of the Libra network” — they write:

In today’s digital age, it is critical that organisations are transparent and accountable for their personal information handling practices. Good privacy governance and privacy by design are key enablers for innovation and protecting data – they are not mutually exclusive. To date, while Facebook and Calibra have made broad public statements about privacy, they have failed to specifically address the information handling practices that will be in place to secure and protect personal information. Additionally, given the current plans for a rapid implementation of Libra and Calibra, we are surprised and concerned that this further detail is not yet available. The involvement of Facebook Inc. as a founding member of the Libra Association has the potential to drive rapid uptake by consumers around the globe, including in countries which may not yet have data protection laws in place. Once the Libra Network goes live, it may instantly become the custodian of millions of people’s personal information. This combination of vast reserves of personal information with financial information and cryptocurrency amplifies our privacy concerns about the Libra Network’s design and data sharing arrangements.

We’ve pasted below the list of questions they’re putting to the Libra Network — which they specify is “non-exhaustive,” saying individual agencies may follow up with more “as the proposals and service offering develops.”

Among the details they’re seeking answers to is clarity on what users’ personal data will be used for and how users will be able to control what their data is used for.

The risk of dark patterns being used to weaken and undermine users’ privacy is another stated concern.

Where user data is shared, the commissioners are also seeking clarity on the types of data and the de-identification techniques that will be used. On the latter, researchers have demonstrated for years that just a handful of data points can be used to re-identify credit card users from an “anonymous” data set of transactions, for example.

Here’s the full list of questions being put to the Libra Network:

1. How can global data protection and privacy enforcement authorities be confident that the Libra Network has robust measures to protect the personal information of network users? In particular, how will the Libra Network ensure that its participants will:
   a. provide clear information about how personal information will be used (including the use of profiling and algorithms, and the sharing of personal information between members of the Libra Network and any third parties) to allow users to provide specific and informed consent where appropriate;
   b. create privacy-protective default settings that do not use nudge techniques or “dark patterns” to encourage people to share personal data with third parties or weaken their privacy protections;
   c. ensure that privacy control settings are prominent and easy to use;
   d. collect and process only the minimum amount of personal information necessary to achieve the identified purpose of the product or service, and ensure the lawfulness of the processing;
   e. ensure that all personal data is adequately protected; and
   f. give people simple procedures for exercising their privacy rights, including deleting their accounts, and honouring their requests in a timely way.

2. How will the Libra Network incorporate privacy by design principles in the development of its infrastructure?

3. How will the Libra Association ensure that all processors of data within the Libra Network are identified, and are compliant with their respective data protection obligations?

4. How does the Libra Network plan to undertake data protection impact assessments, and how will the Libra Network ensure these assessments are considered on an ongoing basis?

5. How will the Libra Network ensure that its data protection and privacy policies, standards and controls apply consistently across the Libra Network’s operations in all jurisdictions?

6. Where data is shared amongst Libra Network members:
   a. what data elements will be involved?
   b. to what extent will it be de-identified, and what method will be used to achieve de-identification?
   c. how will Libra Network ensure that data is not re-identified, including by use of enforceable contractual commitments with those with whom data is shared?



We’ve reached out to Facebook for comment.

Update: A Facebook spokesperson sent this statement, attributed to Dante Disparte of the Libra Association: