The transatlantic controversy over Facebook and the Cambridge Analytica scandal is really just starting to unfold. I have no doubt that in the coming days/weeks/months, similar stories will emerge of other third-party applications that have inappropriately saved, shared or misused Facebook user data – CA is far from the first (or last) to do so, however egregiously.
While a lot of the attention right now is around possible regulation of Big Tech (which is good), the underlying issues at play are actually much bigger and more fundamental. Particularly for us in the United States, the fundamental questions are about personal data, our notions of privacy, and how (or whether) we want to prepare legally for the next couple of decades. And I fear that, already, policymakers are thinking much too small about the role of data sovereignty and the balance of power between citizens and a tiny number of corporations that control the information our societies run on.
You were hacked a long time ago
None of your data is private.
The reality is that just about all of us have been “hacked,” whatever that even means now. The Target hack lost over 70 million American consumers’ names, addresses, credit/debit card info and much more. The recent Equifax hack lost almost 150 million records of pretty much every form of highly personal data you can imagine. Pick a consumer-facing business, and it’s a better bet than not that they’ve been the target of hackers. Most of those targets probably don’t even know it yet – or aren’t talking. All of your information is for sale on the darkweb, in a well-segmented database that anyone can buy for dirt cheap. It really is that simple, and there’s nothing you can do about it. (For more on this, I highly recommend this short podcast series called Breach which I recently finished. Great stuff.)
In this state of chaos, the role that Google, Apple, Facebook and Amazon have played in imposing some order over the internet cannot be overstated. Those companies have a massive incentive to invest deeply in data security, and are widely considered to have some of the best infosec talent and practices in the world – certainly a lot more formidable than, say, the U.S. government. Slowly, our user identities on these platforms have become as central to our lives, and sometimes more, than our mailing addresses or social security numbers. In a world in which highly personal descriptive data (ex. name, address, phone number) is a commodity that’s traded and sold, the value of the actively personal data these platforms own – your email/text communications, social graph, buying and browsing history and so forth – makes the kind of data credit bureaus keep almost quaint by comparison. This is why Google and Facebook essentially took over the entire advertising industry; and as individuals, we have rights over absolutely none of it.
Do not weep for Facebook
As the world becomes more dependent on digital platforms, the primacy of internet giants is going to increase, nearly regardless of other factors. This is why anyone worried about Facebook’s future during the current controversy should relax. Like Google, Facebook has substantially evolved itself from “just” the most popular social network on the planet into an indelible component of the internet itself. In many regions of the world, Facebook effectively is the internet, part of a long-running and highly successful strategy by the company to engage the “next billion” coming online for the first time. Facebook’s active user growth may have leveled off in US/Canada, but it’s still exploding in Asia, where most of its future audience lives. Facebook still makes most of its money in the West, but it’s reasonable to assume this will not always be the case.
Between core Facebook, Instagram, WhatsApp and its sundry other properties, Facebook (or Google, or Amazon) is already a much more effective broker of your identity than any bank, data broker or credit bureau could be. Indeed, shutting out data brokers’ access to Facebook data (via Partner Categories), as they did last week, only benefits Facebook more. It’s probably only a matter of time before one or more GAFA firms rolls out a credit score-like product, which will do to the credit bureau oligopoly what they’ve already done to the print advertising industry.
Trust vs. data sovereignty
For the last twenty years, Silicon Valley’s mantra has essentially been: “Trust us to be stewards of your personal data. (But you have no right to it anyway.)” The argument has long been that if you don’t want Facebook, Google or someone else to have your data, you are free to simply not use their platforms. We saw this argument made frequently back in the aughts, but applying it to the internet of 2018 and beyond is far trickier.
Unlike the EU, where “privacy” is enshrined as a specific, personal right, the word doesn’t even appear in the American constitution. Generations of jurists have bent over backwards getting it in there to rule on everything from abortion to police searches, resulting in a confusing mess that makes applying the concept to a 21st century personal data scenario a tortuous exercise. The American maximalist interpretation of the First Amendment also gives tech companies an expansive claim to any data they collect. So while European citizens may expect of some level of control over their personal data, Americans’ interests in the same are left subordinate to the revenue imperatives of any firm that holds it.
“Data sovereignty” is one term for the sweep of rights that European citizens will soon enjoy as the EU’s General Data Protection Regulation statute goes into effect. Consider some of the ways the European Union is putting citizens’ interests before those of corporate ones:
- Any company doing business in the EU will be required to get consent from visitors before processing data about them, which must be done for a specific purpose.
- Europeans must be allowed full access to and review of the data a company keeps about them, and reserve the right to have that data be changed or fully erased upon request.
- Companies may not prevent users from transferring their personal data from one vendor to another, based on a standardized format.
What’s more, any company that suffers a data breach is obligated to report it within 72 hours to the appropriate authorities. Penalties for firms’ non-compliance with any of the above have teeth: stiff fines based on a percentage of global revenue.
It’s currently April of 2018, and “GDPR” goes into effect next month. While there’s been a surge of companies making preparations for compliance, a really striking number have not, or don’t even really know where to start. I suspect they will learn – quickly – once fines start getting handed down.
The future of the internet
While I was initially skeptical, I’ve come around to the conclusion that the EU’s approach with GDPR represents a much more thoughtful and intentional path forward for the internet than anything proposed in the U.S. by far.
The neverending drumbeat of data breaches in American companies stems from a basic absence of real negative consequences for them. Stock prices are barely affected, few, if anyone, loses their jobs, and fines are perfunctory. In this environment, it doesn’t make basic business sense to even care much about basic data security or to invest in it. Big breaches of highly personal data will continue.
Empowering people with greater rights over the data collected about them would be a positive civic good which is in high demand, as evidenced by the hundreds of thousands of Europeans who’ve already lodged “right to be forgotten” requests with Google. (Thousands of Americans have too, actually, but of course they’re ineligible for protection.) Naturally, Silicon Valley corporate interests would squeal in opposition, but companies that are afraid of their users being empowered to leave their platforms aren’t worth protecting anyway. Just as importantly, imposing meaningful penalties on companies that are cavalier with customer data would cause many of them to behave differently.
The world is only going to get more connected and more digital, with more of our lives and identities mediated through online platforms controlled by a tiny number of companies. Reserving some modicum of power for citizens will not reverse this trend, but instead help correct the balance towards democracy. That is arguably a democratic government’s first job. I hope they’ll think about doing it.