This week a New York Times investigation revealed that Facebook had secret deals with numerous companies for access to user data, including in some cases the contents of millions of users’ private messages. The companies included Amazon, Sony, Microsoft, Yahoo, Spotify, and Netflix, as well as two firms considered security threats to the U.S.: Chinese smartphone manufacturer Huawei and Russian search engine Yandex.
This was hardly the first story about a massive Facebook privacy violation. In fact, many in the privacy world – and indeed anyone who pays close attention to policy challenges – may now be experiencing “Facebook fatigue.” But it is hard to escape the sense that we have reached the tipping point – apologies will no longer work, education campaigns have reached a dead end, even informal agreements with members of Congress to reform business practices will not do the trick. So what happens next?
Much of the discussion is understandably on leadership at Facebook. Should Mark Zuckerberg and Sheryl Sandberg continue in their present roles? That is a question being asked by shareholders, business journalists, and experts in leadership. But in the policy world, the focus is on the government agencies that are responsible for overseeing business practices and for imposing fines when companies cross the line.
And so the focus shifts to the new chair of the Federal Trade Commission, Joseph Simons. Simons joined the FTC in May, following his nomination last fall by Donald Trump. Simons came there after serving as a partner at a New York law firm that represents business groups facing antitrust charges. He had earlier served in the FTC’s Competition Bureau in the first years of the George W. Bush administration.
At his nomination hearing before the Senate, Simons signaled he would take on the tech firms. He told the Senators that the FTC would prioritize the consumer protection issues “where harm is the greatest,” and that would garner the “biggest bang for taxpayer dollar.” (Note to reader: Facebook has 2.3 billion users.) Simons said “companies that are already big and influential can sometimes use inappropriate means, anticompetitive means, to get big or to stay big. And if that’s the case then we should be vigorously enforcing the antitrust laws.”
In July he told Congress, that the FTC needs greater authority to protect consumers. Simons asserted that privacy and data security are now the top priority for the FTC, and signaled his support for data protection legislation that would accomplish three things: (1) provide civil penalties for companies that violated the law; (2) give the FTC jurisdiction over nonprofits and common carriers; and (3) provide the FTC with rulemaking authority for privacy and data security.
Key to Simons present ability to act against Facebook is the sweeping 2011 consent order, that brought the company within the agency’s legal authority for 20 years. That legal judgement was supposed to end the practice of disclosing user data to third parties without meaningful consent, and required a comprehensive company privacy program and biennial third-party audits.
After 2011, the agency remained strangely silent about Facebook’s post-consent order privacy violations, and even allowed it to acquire the data of WhatsApp users in an ill-considered merger in 2014. But in March of this year, the FTC announced it would reopen the investigation of Facebook, following news that the political data firm Cambridge Analytica, tied to President Donald Trump’s campaign, obtained information on up to 87 million users of the social media site without their consent.
What might the Federal Trade Commission do now? That is a good question. Large monetary judgements may give some satisfaction but it is not clear how that would benefit users or advance the cause of privacy. And when the company’s stock took a hit earlier this year, it responded by targeting its WhatsApp users with more advertising, a violation of commitments that both companies made to consumers prior to the deal.
Tim Wu makes a compelling case in his new book, The Curse of Bigness: Antitrust in the New Gilded Age, that now is the time to break up Facebook. The obvious candidates for separation are Instagram and WhatsApp. Those two companies provided competing services and could now in theory be available to Internet users who no longer want to give their personal data to the social media giant. In an earlier piece for Techonomy, I also explained that regulators could learn a lot from a closer look at the Facebook-WhatsApp deal. That merger was not only dreadful for privacy, but also for competition and innovation. And please reread that last sentence. The conventional wisdom that privacy and innovation are opposed is completely wrong.
But the clock is also ticking. It was in March that the FTC said “Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook.” The FTC thus confirmed, now almost nine months ago, that there was an open investigation into reported concerns about Facebook’s privacy practices.
Since that time the British Data Protection Agency, facing similar concerns about the misuse of Facebook data during the Brexit campaign, conducted an extensive investigation, published a comprehensive report, and issued a substantial fine. And Elizabeth Denham, the UK Information Commissioner, has now produced a second report for Parliament that looks at data analytics and political campaigns, an issue that also needs greater scrutiny in the United States.
Joe Simons did not write the original consent order with Facebook, nor can he be held accountable for a half decade of inaction by the Commission. But he is now chair of the most powerful consumer agency in the country. He has the authority, the evidence, and the public support to act.
Marc Rotenberg is President of the Electronic Privacy Information Center, an independent research center in Washington DC, established in 1994 to focus public attention on emerging privacy issues. EPIC brought the original complaint to the FTC that resulted in the 2011 consent order with Facebook.
