By Jonathan Zittrain. (American professor of Internet law and the George Bemis Professor of International Law at Harvard Law School).
The news about Facebook is not getting better. The company has sharply increased the number of users whose data was improperly shared with an outside company connected to President Trump’s campaign, to possibly 87 million. Amid an outcry, Mark Zuckerberg, the company’s chief executive, gave his mealy mouth explanations before The US Congress on Tuesday and Wednesday of last week. However he has other major problems looming that could well see the death of Facebook its self.
Former Federal Trade Commission officials have been pulling out their calculators in recent weeks trying to figure out just how big a fine the commission could levy against Facebook for its latest privacy mishaps. Then they look at the numbers on their screens — if their calculators can even handle 13 digits — and try to put the massive scale into words.
William Kovacic, a former FTC chairman, may have come closest when he joked that the potential fine as totalling “more money than there is on the planet.” In other words, the theoretical limit to the fines could reach into the trillions of dollars should the FTC — in the investigation it started last month — find Facebook violated its 2011 consent decree on a scale affecting more than 100 million Americans.
That should be a bracing bit of mathematics for the company. As most of Washington focuses on the political theatrics of Facebook’s Zuckerberg making his first appearance on Capitol Hill, it’s the FTC headquarters, an Art Deco-accented building a short walk away, that could pose the greater threat to the company.
There are important caveats, of course.
Caveat No. 1: The FTC has not yet found any new violations, and the investigations are in its early stages. Facebook has repeatedly said it did not violate the consent decree.
Caveat No. 2: Kovacic’s estimate of “more money than there is on the planet,” made in an interview with The Washington Post over the weekend, covers only the actual currency — bills and coins — in the world. This typically is estimated at several trillions of dollars, denominated in various currencies, and not the far larger number held in various accounts.
Caveat No. 3: The FTC would most likely never levy a fine, the former officials agree, that’s so large that it would imperil the future of Facebook. Plus, FTC officials have presumably have had some visibility into the company’s data practices since 2011, when the consent decree mandated that the FTC monitor Facebook’s data privacy practices.
But what’s clear is that the FTC — after years of trying to assert itself as the federal government’s most important watchdog of digital privacy — has a hammer of potentially historic size to wield over Facebook. Should the current group of FTC officials decide to use this hammer, the company could be forced into major concessions that could affect how it collects and handles data — two issues at the core of how the business makes money.
That outcome is arguably more likely than Congress finally passing strong digital privacy legislation and getting it signed by President Trump, after years of legislative inaction.
David Vladeck, a former FTC director of consumer protection who oversaw the consent decree with Facebook, says he expects the commission to find new violations in light of the company’s revelations last week.
Though he downplays talk of fines in the trillions of dollars, he estimates the probable fines in the vicinity of 2.5 Billion a record for FTC privacy fines. However large the fines might be, “I certainly think that it gives the FTC leverage,” said Vladeck, now a Georgetown University law professor. Facebook declined to comment.
But here’s a look at the problem the company potentially faces. If you don’t have fairly advanced calculator handy, try a spreadsheet on your computer:
In the first column of your spreadsheet, enter 87 million. That’s how many Americans Facebook has said had their data collected by a researcher working with Cambridge Analytica, a political consultancy hired by President Trump and other Republican candidates over the past two federal election cycles. This is the piece that the FTC already has said it’s investigating. It’s also the piece that the former FTC officials are most confidant could lead to findings of new violations of the consent decree. (Worldwide, the number was of affected users was 87 million, but the FTC covers only violations against Americans).
He’s got $60 billion to his name, 99% of which he has said he will donate to charity. And he controls Facebook — is Facebook — in an unusual way: He controls 60% of its shareholder votes. So he doesn’t have to worry about next month’s subscriber count or how to deflect a hardball question from a committee chairman. He can contemplate posterity with big ideas geared to a public interest. Given Facebook’s domination of social media, anything the company does — including a devolution of its power — will serve as a model for others.
To get a sense of the new approaches he should take, consider why Congress is calling hearings. The core offences begin with classic and now pervasive online privacy violations.
BUT HOW DID IT HAPPEN?
In 2014, 270,000 people were paid by an outsider to install a Facebook app and answer questions like “Do you panic easily?” and “Do you often feel blue?” They weren’t told that their answers would become part of a psychological profile used by a voter profiling company, Cambridge Analytica — first to assess how they might vote and second to design personalised advertising for the purpose of changing their political views or their likelihood of voting, all to favour the agenda of Cambridge Analytica’s funders and clients. The app also scooped up information from the typically non-public profiles of the quiz-takers’ friends — turning 270,000 people into 87 million.
The violations are a big deal, even though this type of profiling is still hit and miss. Incentives push toward keeping and copying data rather than deleting it — and using it to, say, quietly target the credulous with ads for snake oil, limit the groups who see certain real estate ads or serve African-American voters with ads designed to depress Election Day turnout.
Currently there is no way for us to retract information that previously seemed harmless to share. Once tied to our identities, data about us can be part of our permanent record in the hands of whoever has it — and whomever they share it with, voluntarily or otherwise. The Cambridge Analytica data set from Facebook is itself but a lake within an ocean, a clarifying example of a pervasive but invisible ecosystem where thousands of firms possess billions of data points across hundreds of millions of people — and are able to do lots with it under the public radar.
Several years ago Facebook started to limit what apps could scrape from friends’ profiles even with permission, but the basic configuration of user consent as a bulwark against abuse hasn’t changed. Consent just doesn’t work. It’s asking too much of us to meaningfully respond to dialogue boxes with fine print as we try to work or enjoy ourselves online — and even that is with the naïve assumption that the promises on which our consent was premised will be kept.
There are several technical and legal advances that could make a difference.
On the policy front, we should look to how the law treats professionals with specialised skills who get to know clients’ troubles and secrets intimately. For example, doctors and lawyers draw lots of sensitive information from, and wield a lot of power over, their patients and clients. There’s not only an ethical trust relationship there but also a legal one: that of a “fiduciary,” which at its core means that the professionals are obliged to place their clients’ interests ahead of their own.
The legal scholar Jack Balkin has convincingly argued that companies like Facebook and Twitter are in a similar relationship of knowledge about, and power over, their users — and thus should be considered “information fiduciaries.”
First; partly published in the New York Times as “Mark Zuckerberg Can Still Fix This Mess”