- The Facebook-Cambridge Analytica scandal has highlighted the lack of privacy protections in the US.
- Thanks to the lack of privacy protections, US companies can generally collect whatever information they want on consumers and do with it as they wish — as long as they disclose what they’re doing first.
- The scandal may have lots of different results, but one ought to be new, comprehensive privacy protections.
The Facebook – Cambridge Analytica scandal may lead to a lot of things, from a congressional subpoena for Mark Zuckerberg to a widespread movement by Facebook users to delete their accounts.
But here’s hoping for one particular outcome — that it leads policy makers in Washington to finally make the protection of consumers’ private data a priority.
The United States needs a comprehensive privacy law. And it needs regulators who will vigorously enforce not only that law, but the privacy protections already on the books.
Because whatever else we might discover about Cambridge Analytica’s illegitimate harvesting of Facebook user data, this much is clear: when it comes to consumers’ privacy, industry self-regulation has been a failure.
The technology and related industries collect far too much personal data on the users of their services. They generally do a terrible job of getting actual informed consent from their users for the collection and use of that data. And they’ve shown over and over again that they can’t be trusted to keep all that data safe and secure or limit who has access to it.
The United States “desperately needs to update its consumer privacy laws,” says Marc Rotenberg, president of the Electronic Privacy Information Center, a consumer advocacy group that pushes for privacy protections. “Our current system truly isn’t working at almost an egregious level.”
Facebook allowed Cambridge Analytica to glean data on millions of its users
In the latest Facebook scandal, a university researcher convinced some 270,000 Facebook users to install a personality test app. Through the app, the researcher got access to the Facebook data of not only those users but of their friends as well — an estimated 50 million people in total.
Despite asserting that the user data would only be used for academic purposes, the researcher violated Facebook’s rules and passed it on to Cambridge Analytica, a data analysis firm that later worked with Donald Trump’s presidential campaign,
When Facebook found out that the firm had amassed data on all those users, Facebook asked Cambridge Analytica to delete the data. It also later changed its terms of service so app developers couldn’t gain access to the data of users’ friends.
Just because Facebook decided to be a good actor doesn’t mean Twitter or Google or LinkedIn or the next startup that we haven’t heard of yet is going to be a good actor
But Facebook has come under fire — deservedly — because it allowed Cambridge Analytica to gain access to the data of millions of users without those users’ consent or even knowledge. Even after it became aware that the data firm had gotten access to users’ information illegitimately, it apparently never alerted those users. What’s more, Facebook reportedly did little to ensure that Cambridge Analytica and its app developer actually deleted the data.
How many other apps with access to Facebook user data might have also ignored Facebook’s rules and secretly passed the information on to another party? And how effective are Facebook’s systems for preventing this kind of thing from happening?
The truth is, we simply don’t know. And Facebook has not exactly been forthcoming or transparent in sharing details with the public so far.
In changing its terms of service to restrict app developers from accessing the data of a user’s friends, Facebook seems to have realized that it had crossed a line with regard to how it handles users’ information, said Allie Bohm, policy counsel at Public Knowledge, a consumer research group. But there’s nothing to stop Facebook from changing its terms of service again to allow that kind of information gathering, she said. And even if Facebook wouldn’t do that, there’s nothing to stop other companies from allowing such data gathering.
“Just because Facebook decided to be a good actor doesn’t mean Twitter or Google or LinkedIn or the next startup that we haven’t heard of yet is going to be a good actor,” Bohm said. “This speaks to why Congress needs to step in to address privacy and data use.”
Privacy protections in the US are spotty
The reason that Facebook and other companies can allow such data access is because privacy protections in the United States are spotty at best. You’ve probably heard of HIPAA — the Health Insurance Portability and Accountability Act — which protects the privacy of health information. You may have heard of COPPA — the Children’s Online Privacy Protection Act — which guards the privacy of kids under 13. And you may have run into Gramm-Leach-Bliley when signing a mortgage or other financial document; it protect the privacy of personal financial information.
But outside of those specific areas, the US has few rules to govern what kinds and how much personal information companies can collect or what they can do with it.
During initial commercialization of the internet in the late 1990s, privacy advocates raised concerns about the data online companies were even then starting to collect. The big push at the time was for companies to post privacy polices that spelled out for users what information they were gathering on them and what they planned to do with it. The idea was that companies should seek to get their users’ informed consent to their data collection practices.
But those privacy policies turned out to be something of a joke. There were typically so long and so dense with legalese that as a practical matter, they were impossible to read for most consumers. And instead of protecting consumers’ privacy, they typically served as legal cover for companies to collect all the data on users’ they wanted. As long as they spelled out what they were doing, companies were protected — no matter if few customers actual read the documents or really understood how their data was being used.
“I don’t think you can consider that reasonable consent in people’s digital lives,” said Nuala O’Connor, CEO of the Center for Democracy and Technology.
Companies are generally free to collect whatever data they’d like
But because there’s no overarching privacy law or federal government agency to spell out privacy rules, companies have been free to collect whatever information they liked. The Federal Trade Commission has nominal authority over privacy matters, but it’s part of the joke. It’s generaly limited to guarding consumers against fraud and deceptive practices. As long as companies’ data gather adhered to what they disclosed in their privacy policies, the FTC didn’t have a problem with them — no matter how much data they collected or what they did with it.
In recent years, companies such as Facebook, Apple, and Google have given users more options to control who has access to their private information. But those controls are often buried within settings menus that are typically difficult to navigate much less understand.
And even then, there’s a problem of what we might call information asymmetry. The companies that want access to users’ personal data almost always have a better sense of how valuable that information is and how that information can be used than do users themselves.
Even if Facebook users had known that Cambridge Analytica had gotten access to their personal data, it’s doubtful they would have understood that that data could be used to create psychological profiles of them that could be in turn used to try to influence how they voted. Such disproportionate awareness makes a mockery of the whole notion of informed consent.
We need new privacy protections
So what’s needed? Likely something like the General Data Protection Regulation (GDPR) that’s about to take effect in Europe. That legislation, which is being put in place by all of the countries in the European Union, forces companies that want to collect information on consumers to spell out clearly the information they seek to collect and get consumers to explicitly consent to each and every specific practice. It also gives consumers the right to see what information companies have collected on them, it gives them the right to take that data with them to other companies, and requires companies to notify affecting consumers in the case of a data breach within 72 hours.
“I really like the GDPR,” Bohm said. She continued: “I don’t see any reason why companies shouldn’t be required to do that sort of thing here.”
But I’d advocate Congress going even further than the Europeans and make clear that some data collection and uses of data are out of bounds, as well as setting guidelines on how long companies can keep data. For example, what Cambridge Analytica was able to do — surreptitiously gain access to the personal data of millions of consumers without their knowledge or consent — just shouldn’t be allowed.
To be sure, I’m a realist. Consumer advocates have been pushing for a comprehensive privacy law in the United States for decades to no avail. Republicans in Congress are generaly opposed to regulation of any kind and Democrats are closely tied to the very tech companies that oppose efforts to put new privacy laws in place. And even if they were all onboard, this Congress has been singularly unproductive at doing much of anything. So even at this moment, the chances that Congress will pass a new privacy law are not great.
But one can hope. And even if Congress ducks it yet again, this issue is not going away.