On March 16, information related to the 2016 presidential election came to light: An organization named Cambridge Analytica used data of Facebook users to improve the campaign prospects of President Donald Trump.
Cambridge Analytica was provided this data from a psychology researcher, Aleksandr Kogan, who received the data as a “researcher,” but allegedly sold his commercial services to Cambridge Analytica for $1 million and transferred the data of some 50 million Facebook users, of whom he generated 30 million psychological profiles.
{mosads}Facebook did not act alone. Over 250,000 Facebook users completed Kogan’s Facebook app quiz,
“This is Your Digital Life,” presumably for entertainment purposes. As part of this quiz, users agreed to share their data with Kogan, as well as data related to their Facebook friends, if such friends did not have specific Facebook privacy settings selected.
Facebook users frequently share every moment of their lives, including sensitive data like children’s photos, health updates and political views. And they do so while, to some extent, knowing Facebook collects these data. If Facebook set the fire, we poured the gasoline.
So why blame Facebook? Facebook has no shortage of privacy problems. In the past few years, Facebook has become the favorite punching bag of the privacy advocacy movement, including the target of several European inquiries as well as Federal Trade Commission (FTC) investigations.
On March 20, the FTC is rumored to have opened a case to investigate Facebook’s actions in relation to Cambridge Analytica, which may or may not relate to a previous Facebook consent decree.
Facebook, though hardly a sympathetic party in this or any story, does not deserve the overwhelming negative attention it has received.
Facebook, like many social media platforms, data brokers and data aggregators, succeeds based on two revenue streams: ads and monetized data sales. Facebook users agree to let Facebook use their data for a wide variety of activities; Facebook provides some privacy settings to reduce exposure.
By superficial accounts, Facebook follows the law: It provides notice of its data processing activities, discloses third-party data recipients and solicits user consent. Facebook users can either select privacy settings or not use Facebook.
Facebook establishes contractual policies for data use and enforces these policies. Facebook even required certified data deletion when it discovered misuse.
The United States does not have a broadly applicable data privacy law. Two laws do apply to Facebook’s activities: The Electronic Communications Privacy Act (ECPA), which was passed in 1986 to regulate digital communications, and Section 5 of the Federal Trade Commission Act, which gives power to the FTC to promulgate rules and enforce against unfair and deceptive trade practices.
The ECPA bars organizations providing digital services from accessing data transferred within those services, yet permits organizations to overcome this bar by gathering user consent. The FTC enforces against unfair or deceptive trade practices, which may include issues of transparency and notice to users.
If the American public does not want behavioral information to be used for these purposes, we must either resist giving away free data in the name of short-term entertainment, urge lawmakers to establish broad legal privacy protections or bar specific data uses that are not immediately obvious at the time of data collection.
It would be foolish not to anticipate that data will be used in every political campaign and marketing activity imaginable in new, Machiavellian ways.
Privacy scholars seek to double-down on notice and consent practices, but consent, without true choice, is meaningless. If companies like Facebook provide even more upfront information and require explicit, opt-in consent, it will not necessarily create a more informed public.
To influence real meaningful choice, the U.S. should explore alternative means for enabling users to influence data use. We, not Facebook, must decide who we want to be in the new data age.
Charlotte A. Tschider is affiliated professor at the Mitchell Hamline School of Law, a Fulbright specialist in privacy and cybersecurity law, owner/principal of Cybersimple Security and author of “International Cybersecurity and Privacy Law in Practice,” (Wolters Kluwer, 2018).