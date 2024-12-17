Tim Bernard /

Dec 17, 2024

Tim Bernard is reading a selection of the Very Large Online Platform (VLOP) systemic risk assessments released in late November 2024 in compliance with the Digital Services Act (DSA). He is sharing high-level takeaways and interesting details from each report in installments over the next few days.

1. Facebook

Structuring the Assessment and Report

Article 34 of the DSA lays out a non-exhaustive list of the systemic risks that VLOPS must include in their assessments. Meta has divided these into 7 specific systemic risks and added one additional category (“deceptive and misleading,” perhaps informed by the risk management framework example on Russian disinformation published by the European Commission). Relating to these risks, 19 “problem areas” are identified and explained, most of which relate to one or a small grouping of Meta’s own Community Standards (exceptions are “disinformation,” “misinformation,” and “voice and free expression”). From these problem areas, 122 individual risks were identified and quantitatively evaluated as inherent risks and residual risks, i.e., taking into account current controls. As required by the DSA 34.2, 5 “influencing factors” are also considered.

This is followed by a survey of the many systems and tools Meta’s Integrity organization uses to mitigate the risks. The narrative heart of the report comes in section 6.2.2. This presents the following for each of the problem areas:

Facebook’s policies prohibiting relevant content and behavior

The related systemic risk area

Foreseen 2024 trends

Overview of mitigation efforts

A discussion of inherent limitations to mitigation and identified areas for improvement.

Lastly, improvements to mitigation efforts over the last year are outlined.

What I Learned

The report clarifies that a lot of work went into the systemic risk assessment, including numerous internal stakeholders in assessing and measuring each of the 122 risks. The complexity of the mitigation efforts is also revealed, though exactly how much new mitigation will take place as a direct result of the assessment is unclear.

In particular, a plethora of tools, lists, frameworks, and operating procedures are mentioned, with varying levels of detail. These provide important fodder for regulators around the world with information-gathering powers, as well as potentially journalists, academics, and members of civil society. Not knowing what questions to ask or data to request or demand has been an obstacle in social media regulation and research, and this report may make strides toward correcting that when it comes to Facebook.

These details of how Meta measures and mitigates risks can also be of service to less mature services that are still scaling up. While the Digital Trust and Safety Partnership’s Safe Framework, no doubt informed by Meta’s input, gives fairly detailed guidance, the examples presented in this report add plenty of specificity.

The category of risk-raising trends mentioned in the report, though not particularly extensive or granular in this version, should be of interest to other platforms and to any parties interested in how external factors exacerbate online harms.

Snippets of interest:

Attackers have been deliberately sharing known child sexual abuse material (CSAM) to disable target accounts and take over their linked accounts.

When discussing discriminatory content, Meta reports adjusting its controversial engagement-based algorithm: “shifting away from weighting based on certain signals like the number of comments and shares when ranking content for Recommendations.”

As identifying mis- and disinformation content is both incredibly challenging from both logistical and policy perspectives, they rely more on other signals to identify problematic material, including “behaviour of the accounts,” “how people are responding and how fast the content is spreading,” and “comments on posts that express disbelief.”

In the section on “Suicide and Self-Injury,” Meta reported that “due to legal restrictions, we cannot use our classifiers to proactively detect [problematic content] in Facebook groups.”

What Was Missing

The approach taken by Meta is very much oriented around risks resulting from user content ad behavior that already violates their policies. The introduction to the assessment declares: “[r]isks can arise on our service when users share policy violating content or engage in policy violating behaviour” and the conclusion states, “policy violating content and behaviour risks can occur on Facebook, which may also have wider impacts.” Product or design risks are mostly only mentioned when they may be facilitating or exacerbating the problems caused by other users (or external attackers in the case of privacy and security risks). Some well-known risk topics that should fall under the systemic risk areas are therefore omitted or barely mentioned. These include excessive usage (time limits for minors are mentioned), sleep disruption, social comparison, beauty filters, and amplification of outrage-provoking and polarizing content that may not be deliberately deceptive or engagement-farming. While the impact of these is certainly up for debate, it is hard to argue that they are not risks worthy of consideration and mitigation.

By translating the risks into problem areas that already coincide with its policies, Meta may be missing some aspects and, in effect, putting its thumb on the scale to lead to a conclusion that it is already successfully performing mitigation efforts. (Similarly, it is unclear how much of the risk measurement was a process already in practice at Facebook.) Even if it is well-grounded in risk management standards and performed and reported in good faith, it reflects Meta’s internal priorities rather than those of the DSA. To be clear, given the lack of direction from the European Commission on this, it is no surprise that Meta relied on its current practices and policies. It will be interesting to see what future guidance emerges in these areas.

Finally, the report spends far more time discussing mitigation measures than working through the specific risks and how they truly relate to the systemic risk areas. The assessment is rather formalistic in just matching up the problem areas to the systemic risk areas and then jumping to how they approach and mitigate the categories of abuse that fall under the problem categories. While operations and systems aficionados may find many useful nuggets in this report, those seeking a more philosophical treatment of how Meta understands how the specifics of user-based and design-based harm can translate into societal impact are bound to be disappointed.

Response from Auditors

Because Meta is the target of a current DSA investigation related to systemic risks, the auditor declined to assess Meta’s compliance with most of the measures related to Articles 34 (Risk assessment) and 35 (Mitigation of risks).

2. Instagram

The risk assessment report for Instagram is essentially word-for-word identical to Facebook’s. Aside from superficial terminological differences and changes to statistics, many of the differences between the reports result from the “Groups” feature only existing on Facebook. On the one hand, this is not entirely unexpected as the two platforms share the policy suite that forms the basis of the assessment structure that Meta designed as well as most of the control measures. However, Instagram is a very different platform in terms of, for example, the age of the user base, degree of focus on creators, and norms of privacy. This should suggest a significantly different risk profile, but this is not reflected in the report.

Despite this, quantitative risk calculations must have been conducted separately, as there is some divergence in the inherent and/or residual risk ratings between the two platforms for 3 of the 19 problem areas.

A side-by-side comparison of the two documents does reveal a few different operational specifics. In some cases, a mitigation measure is listed for one platform and not the other. For example, Instagram has a “Limits Function” anti-harassment feature, allowing users to temporarily block groups of other users meeting certain criteria. While Instagram may be a more obvious platform for this tool, it may be worth investigating why it has not been rolled out for Meta’s other platforms.

One other notable addition in the Instagram report is that the demotion of accounts focused on suicide and self-injury in search results (as opposed to just specific content) is listed as an area for improvement. This is claimed as a weakness that Meta is already working on correcting—again raising the question of whether these reports merely discuss risks that Meta was already focused on rather than illuminating previously overlooked areas.

This piece will be updated with notes from reports related to additional platforms.

