The Facebook-Giphy Data Play

May 20, 2020

On May 15th, 2020, Facebook announced that it had reached an agreement to purchase Giphy, for $400M.

To many, this seems like a staggering amount of money for something that just serves GIFs. Facebook’s main business is in advertising, and GIFs are not inherently valuable for advertising purposes. There may be some possible value, such as Giphy selling “preferred placement” of specific GIF themes in searches, but that risk doesn’t seem to warrant the $400M price tag.

In my opinion, it is earned by the vast amount of tracking data that access to Giphy provides.

“Trending Topic” data

This gives immediate insight into up-and-coming trends based on user searches, which Facebook would be able to capitalize on. This is very close to actually analyzing communications on Facebook’s existing messaging application, however just far enough removed such that Facebook can make an argument that they are not “monitoring your private conversations”.

This is closer to monitoring the use of hashtags on Twitter, but:

  1. Includes private communication channel, rather than public-only tweets
  2. Includes usages on channels that Facebook does not already control, such as Slack, Signal (more on this later), etc.
  3. Is available only to Facebook. Unlike Twitter hashtags, Giphy access logs are not in any way available “publicly”

Cross-reference IPs

We’ve already determined that Facebook now has access to access information for every request to Giphy, thus having indirect usage information for every application with an existing Giphy integration. For many of these applications (Signal being an outlier), this access can be easily cross-referenced with IPs that have been used to access accounts on Facebook, thus allowing this tracking to be logged back to a given Facebook account.

This new insight gives Facebook multiple new abilities, mostly centered around their ability to correlate which Facebook users are using which third-party applications. With this in mind, Facebook can deduce the usage, growth, and user demographics of applications which they do not control.

This is an extremely similar play to the Facebook acquision of the Onavo VPN in 2013, which similarly gave Facebook insight into the usage and demographic information of other products. It took years for this privacy intrusion to be shut down, and even then it was only due to backlash regarding their targeting of children, and not the general violation of privacy.

In another world, web browsers, this is an already-known issue: browser plugins which change hands, maintain their previous permissions, and begin injecting spyware. Google and Mozilla both (in theory) monitor for and address malicious extensions. Should we not have a similar force monitoring for malicious use of existing companies?

At this point, it would be prudent for Giphy to be removed from any third-party applications which does not wish to share it’se user behaviour data with Facebook. Unfortunately, that is a non-trivial undertaking, and could still be seen as anti-competitive behaviour by Facebook; forcing their competition to spend time cleaning up a mess that Facebook made.

This is Facebook’s second (at least) attempt at Trojan-horsing into user’s daily lives through an acquision of a previously innocuous tool (a VPN, a GIF provided). They should not be permitted to continue to buy their way into confidential data. In theory we have anti-trust regulations to ensure a fair market, but it is clear to anyone paying attention that these have not been enforced in years.