The United States stands at a regulatory crossroads as Congress debates whether to adopt European-style controls over the use of online personal data – or trust that Facebook, Google, and the like will respond voluntarily to their customers’ diverse and ever-changing privacy preferences.
In a nutshell
- Personal information is the currency of virtually all social media and a great deal of other online activity
- Users voluntarily trade their data for free use of the services, obviously finding the transaction beneficial
- Making abuses of privacy rules more difficult is a worthwhile goal, but politicians should allow companies and their customers to address the problem
The United States stands at a regulatory crossroads as Congress debates whether to adopt European-style controls over the use of online personal data – or trust that Facebook, Google, and the like will respond voluntarily (and more efficiently than government) to their customers’ diverse and ever-changing privacy preferences. The wrong decision will secure the market dominance of the current reigning platforms and stifle internet innovation for years to come.
Online privacy and security (or lack thereof) is hardly a new issue, but recent revelations about unauthorized access to personal information from millions of Facebook accounts have prompted Congressional hearings, government investigations, and the rantings of pundits whose knowledge of internet technology would barely fill a tweet.
The current controversy dates to 2014, when Cambridge University researcher Aleksandr Kogan launched a personality quiz application (app) engineered to “scrape” information (gender, birthday, location and page “likes”) from quiz-takers’ Facebook accounts and those of their “friends” whose privacy settings allowed access. The quiz takers (300,000 in all) consented to the use of their data for academic research.
Violation of trust
Mr. Kogan subsequently sold the data to the political consulting firm of Cambridge Analytica, which purchased the information to develop profiles for targeting campaign advertising. Including information “harvested” by other apps by the same researcher, some 87 million Facebook accounts were affected.
Third-party data transfers such as Mr. Kogan’s deal with Cambridge Analytica violated Facebook policy. During the hearing at the House of Representatives of the United States Congress on April 11, 2018, Facebook CEO Mark Zuckerberg told lawmakers that the Kogan app was banned from the platform as soon as the company learned of the breach in 2015. Mr. Kogan and those with whom he shared the data, including Cambridge Analytica, were directed by Facebook to certify deletion of the improperly acquired data. (Whether that has occurred is in dispute.)
Exacerbating matters for Facebook was the discovery that a pro-Kremlin group had established hundreds of Facebook accounts for propaganda purposes. The so-called Internet Research Agency also purchased political advertising on the site reportedly to provoke rancor between various sectors of the U.S. electorate (as if there wasn’t already enough of it).
Facebook critics pounced on both episodes, and public outrage ensued. The company was derided as negligent, greedy, a jihadist tool, a threat to democracy, a purveyor of fake news, and a censor of political speech.
Facebook users are justified in feeling a bit vexed that some of their (widely available) personal information was improperly sold to a political consultancy (now shuttered). But the overall reaction to the Kogan/Cambridge Analytica affair has been downright histrionic. The fact is, the quiz takers freely consented to the collection of their personal information in exchange for access to Mr. Kogan’s app. Moreover, the researcher was only able to access the accounts of “friends” whose settings allowed the quiz-takers’ apps to access their nonpublic information. (In other words, the “friends” set their accounts to exchange app access – presumably because they thought that their Facebook connections would choose apps that they themselves would approve of.)
Too much protestation
More broadly, personal information is the currency of virtually all social media and a great deal of other online activity. With 1.45 billion daily active Facebook users (on average for March 2018), the trade-off is evidently beneficial. Most important of all, though, it is voluntary. So, for politicians to use the Kogan/Cambridge Analytica case as the coal mine canary of privacy amounts to grandstanding of the worst sort. (And hypocritical for those whose own campaigns rely on such data.)
Some of the outrage is being fomented by commercial interests that have lost ground to Facebook, such as old-line media that pine for the days when they controlled access to news and information. Others resent the success of the dominant platforms and thus demand that they be forcibly dismantled – and their wealth redistributed to those who have not earned their own. (Evidently, these wannabe trust-busters fail to grasp that an integrated network constitutes the value of social media.) And then there are those whose hostility likely reflects their own regrets of online oversharing.
Mostly missing from this debate is recognition of the various U.S. privacy protections already in existence and the potentially dire consequences of adding to the list. But Mr. Zuckerberg and other Silicon Valley titans are not publicly resisting calls for regulation for the simple reason that their companies benefit, on balance, from it.
That is already evident across the European Union, where a sweeping regime of privacy regulation took effect on May 25. The General Data Protection Regulation (GDPR) took four years to negotiate, runs 88 pages and features 99 articles – accompanied by a 90-page directive on implementation. It dictates stringent privacy protections and limits the collection and use of personal data. Any business that handles information on any EU resident – regardless of its location – must comply.
The provisions include:
- requiring consent to collect and/or use personally identifiable information, including name, address, date of birth, Social Security number; user location, IP address, cookies and radio frequency identification (RFID) tags; health and genetic data; biometric data; racial and/or ethnic data; political opinions; and sexual orientation
- the right to demand digital erasure of personal data from a website (even if it remains otherwise publicly available)
- the right to download personal data from an app or website and move it to another app or site
- the right to file class-action complaints (which is relatively uncommon in Europe)
- violations are punishable by penalties up to 20 million euros or 4 percent of a company’s global revenue, whichever is greater.
Facebook, Google, and other big tech companies have spent millions of dollars to revamp their systems to comply. But the regulatory burden is just too high for many startups and smaller firms. Indeed, a variety of sites went “dark” in Europe on the day the new rules took force, demonstrating how the EU rules will solidify the dominant positions of the current market leaders.
Excessive limits on data use also make it harder for data brokers to compete against market leaders that already possess enormous user bases. But the stacked deck is not the only problem. The EU scheme also limits innovation by dictating terms of service, limiting new data-driven applications, and distorting the business models of social media, search engines and other platforms.
In the absence of this government interference, individuals can withhold personal data from social media or other information extractors. Moreover, companies have strong incentives to respond to consumer demands for privacy. For example, Facebook no longer allows apps to harvest data from user accounts. And the company recently began providing users with a list of apps that have accessed their data to enable account resets. The company is also adding hundreds of personnel to its security and content review departments – with plans for a total of 20,000 by the year-end.
Some critics claim that Facebook and the like are implementing such policies in hopes of forestalling regulation. So be it. The firms’ motivation does not matter as long as customers and shareholders are satisfied. This is precisely what the pro-regulation forces fail to appreciate: even the biggest companies in the world must satisfy customers to remain profitable – unless, of course, government interference disables their competition through excessive regulation.
Where the buck stops
It would be folly for Congress to dictate additional controls on the collection and use of individuals’ information. But that is not likely to stop the hearings and investigations and impassioned floor speeches about the erosion of privacy rights. The likelihood of new regulation is bolstered by the introduction of both Republican-sponsored and Democrat-sponsored legislation (some with particularly earnest titles such as “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017,” or the “BROWSER Act of 2017”).
Focusing on – even obsessing about – online privacy also allows lawmakers to appear productive when much more pressing matters require their attention. Thus, it will likely fall to President Trump to stall or quash congressional action.