Wednesday, April 04, 2018

What the Facebook Controversy Teaches About Privacy Regulation

by Randolph J. May and Michael J. Horney

You have probably heard about the “Facebook controversy.” Facebook allowed as many as 50 million Facebook profiles to be shared with a London-based analytics company, Cambridge Analytica. According to reports, among other things, these Facebook profiles were used by President Donald Trump’s presidential campaign to target advertisements to consumers during the 2016 election.
It is not clear at this point if Facebook or Cambridge Analytica did anything illegal, but the Federal Trade Commission (FTC) recently announced that it has opened an investigation, as it should. And Facebook’s CEO Mark Zuckerberg has published full-page ads in over ten British and American newspapers apologizing for a “breach of trust,” which at the very least, suggests the need for some remedial action by Facebook.  
Ensuring privacy online has been the subject of much debate over the last several years, especially after the FCC’s October 2016 adoption of its Broadband Privacy Order, which subsequently was overturned by Congress in March 2017. The congressional action generated considerable reaction on social media platforms, but one thing is very clear: Had the FCC’s Broadband Privacy Order remained in effect, it would not have prevented Facebook’s actions which led to the current controversy – or any future controversies regarding the handling of privacy expectations by an edge provider.
In an April 1 New York Times op-ed, the Obama administration’s FCC Chairman Tom Wheeler implies that the FCC’s October 2016 rules adopted under his leadership would have prevented Facebook’s practices that created the current controversy. (WARNING: Mr. Wheeler’s op-ed was published on April Fool’s Day!) Aside from the fact that Facebook’s “breach of trust” began back in 2014 before the FCC’s 2016 order was adopted, more importantly, the FCC’s rules only imposed privacy restrictions on broadband Internet providers, not edge providers like Facebook and Google.
So, if nothing else, the controversy surrounding Facebook’s “breach of trust” should highlight why the FCC’s Broadband Privacy Order was so problematic.
Web giants like Facebook and Google collect and sell huge amounts of consumer data. Indeed, that is the essence of their business models. As discussed in a June 2016 Perspectives from FSF Scholars, the reason consumers do not pay monthly subscription fees for Facebook and Google is because they instead “pay” by giving up their personal information. Nowadays, consumers frequently sign onto mobile applications using their Facebook and Google accounts. When a consumer uses a social media login to access a third-party application, he or she grants permission for all activities on that application to be shared with the respective social media platform. Among U.S. consumers, Facebook represents over 79% of social logins and Google represents nearly 12% of social logins. The use of web browsers and mobile operating systems allows these service providers to access a massive amount of consumer information. Google Chrome currently comprises nearly 60% of the of the U.S. web browser market.
In contrast, Internet service providers cannot access nearly the amount of consumer data that edge providers access and the range of personal data they access is more restricted. A February 2016 study by respected privacy scholar Peter Swire, along with colleagues Justin Hemmings and Alana Kirkland, found that WiFi offloading and encryption substantially limit ISPs’ access to consumer data. In fact, the paper determined that broadband providers have access to less than 30% of subscribers’ data, significantly less than the amount of data visible to edge providers.
The FCC’s October 2016 Broadband Privacy Order, to which Mr. Wheeler refers in his April Fool’s Day op-ed, was misguided in that it imposed more stringent regulations on broadband Internet service providers than those that applied to edge providers like Google and Facebook under Federal Trade Commission precedents – even though the edge providers certainly posed no less privacy threat than the ISPs. Thus, the FCC’s Broadband Privacy Order created a disparate privacy regulatory regime that clearly favored the web giants.
When Congress overturned the Broadband Privacy Order in March 2017, the effect was to create a symmetrical privacy regulatory regime applicable to both edge providers and Internet service providers. This was an important step. Now, with the Facebook controversy capturing the public’s attention – and with Facebook’s Mark Zuckerberg set to testify soon before Congress regarding what he has called a “breach of trust” – perhaps Congress will decide to adopt new legislation delineating safeguards to protect consumer data.
If Congress does legislate, there is a reasonable debate to be had regarding the extent of the regulatory requirements and the way they are implemented. But one principle ought to be unarguable: It doesn’t make sense in today’s Internet ecosystem to treat Internet service providers more stringently than the Facebooks and Googles of the world when it comes to privacy regulation.