Last Week’s Federal Privacy Hearings: A Debate Framed by Facebook’s False Choice

This week the House and Senate held hearings to discuss potential federal privacy legislation. A lot of good came out of it. There is no question we need to move beyond the “notice and choice” paradigm that places such a heavy burden on people and really just provides a veneer of privacy compliance, an excuse that uses more check boxes to let Facebook off the hook for abusing our data. There is no question we need stronger rules and penalties for unfair and deceptive data practices, including Senator Wyden’s proposal authorizing criminal charges for willful violations.

The focus on federal preemption in the hearings also makes clear how heavily Congress remains under attack by Facebook’s efforts to undermine legislation that would actually protect people. It’s paradoxical that the same federal authorities whose failure to regulate Facebook for the past decade and who have gotten us into this sad state of affairs might now be given exclusive authority to police Facebook in the future. This is akin to a school principal promising a teacher who let bullies beat up the other students for years that the other teachers won’t try to stop the bullies in the future. Any federal privacy legislation that includes preemption only demonstrates how complicit the federal government has been in getting us to this point in the first place, and how Facebook is able to use its own illegal activity to continue to stack the deck against billions of people. What is more, the only argument in support of preemption is the complexity of managing different state privacy regimes going forward. Newsflash: this is already the case today!

But the real issue to be grappled with in any federal privacy legislation is not “notice and choice”, preemption or any of the other topics that dominated the hearings this week. The real issue is something that wasn’t discussed nearly enough, which is the inherent connection between monopoly power and data abuses. In a platform economy like Facebook, control over data and control over markets go hand in hand. Privacy and anti-competition are two sides of the same coin. They cannot be addressed separately if Congress wants its legislation to be effective.

In a platform economy, the right to transfer your data from the platform provider (i.e., Facebook, Google, Apple) to a competitive service on that same platform is actually just as, if not more important, than the right to access, correct or delete your data. We heard a lot about the right to access, correct or delete last week, but these rights matter much less to real people in the real world than a true right to transfer. There are only a handful of dominant platforms in the world today. Most people aren’t going to delete all their data from them. That basically amounts to a choice to stop using technology altogether. Accessing that data in a spreadsheet doesn’t do very much either. You can’t then magically upload that data to a competitive social network and recreate the same kind of experience you were having on Facebook, despite what Facebook’s PR machine might say.

The fundamental power people require to check Facebook’s abuses of their data is the power to transfer their information and switch; but the U.S. government’s failure to safeguard this power has enabled Facebook to achieve unfettered control and influence over billions of people who no longer have any real choice, privacy or freedom. This goes back to the heart of the relationship between monopoly power and data abuses: the issue of data portability.

The U.S. government is nowhere close to understanding this issue well enough to draft effective privacy legislation that actually protects the American people. Facebook’s lies to Congress have fostered this confusion. This was evident during Zuckerberg’s testimony to Congress last spring. On the one hand, in response to Cambridge Analytica, legislators wanted to make sure Facebook doesn’t allow third parties to access your data. Zuckerberg told them Facebook now “massively restricts the amount of data access that a developer could get” and that they worked on “locking down” the platform. On the other hand, these same legislators demanded that users have full control over their data and can port it to other services since, of course, users own their data. Zuckerberg responded that “as someone who uses Facebook, I believe that you should have complete control over your data.” Not a single Senator even realized that these two demands, and Zuckerberg’s responses to them, entirely contradict one another! If Facebook can completely lock out competitors from accessing user data, then users by definition do not have the ability to port their data and networks to a competitive service as a check against Facebook’s own abuses of their data or a deterioration in the quality of Facebook’s services.

The entire privacy debate in Congress has been framed around this absurd false choice between data portability and data protection that is built entirely on Zuckerberg’s lies about how Facebook manages its Platform. Zuckerberg wants us all to believe the following story: from 2007 through 2014, Facebook gave third parties access to data because it believed that users own and control their data and should therefore be able to take it to other applications. During this time, a series of privacy scandals occurred due to nefarious third parties misusing the data. Thus, in 2014 and 2015, Facebook stopped giving third parties access to data and now all these issues are resolved. Zuckerberg wants us to believe we are dealing with the fallout from the time before Facebook made changes to “lock down” its Platform; that Facebook was idealistic and didn’t realize the ways its Platform could be abused; that Facebook has now smartened up, and this kind of stuff won’t happen again.

These statements by Zuckerberg to Congress were intentional lies, and we can prove it. We have spent four years investigating this very issue, and here’s the truth. Since 2007, Facebook has deliberately and maliciously architected its Platform specifically to violate user privacy in numerous ways, chief among them by choosing not to pass privacy settings through its most popular platform APIs, both public APIs and secret private APIs. Facebook expanded this sharing of user data without consent in 2012 in order to transition its failing desktop advertising business to mobile phones. In November 2012, Zuckerberg explicitly decided to sell user data in secretive deals with third parties in exchange for “unrelated” purchases in Facebook’s mobile advertising products. If third parties didn’t agree to these deals, Zuckerberg would shut them down, remarkably by claiming they violated Facebook’s policies on user privacy! This is why we’ve had all these privacy scandals; not because Facebook was too idealistic and didn’t do enough to prevent abuse. But because Facebook weaponized your data and sold it to the highest bidder in order to save its business from collapsing. And it has been doing it ever since.

Zuckerberg’s convenient story about how we got here ensures that Facebook’s business thrives no matter what Congress decides. He in effect told Congress that if we allow real data portability, we’ll continue to have abusive third parties commit privacy violations; so the only choice must be to give Facebook a monopoly over user data to abuse how it sees fit. Framed in this way, Zuckerberg wins under any scenario. In the scenario where Facebook must let users switch to competitive services, Facebook uses its market power to force companies to buy Facebook’s ads at above market prices upon threat of being shut out of its Platform. When inevitable privacy violations like Cambridge Analytica occur because Facebook is sending these companies data without any privacy controls, Facebook places the blame on unspecified bad actors and promises to do better in the future — to “take a broader view of its responsibility.” In the scenario where Congress legislates against third-party data access, Facebook, not you, becomes the owner of your data, and Zuckerberg can leverage that immense advantage to monopolize virtually every aspect of your life. Facebook builds tools and features that create the false impression that you are in control, while ensuring that you can never really replicate the experience you have on Facebook with any other company because your data and network are walled off.

This false choice is the very engine of Facebook’s business model. It’s a false choice Zuckerberg has forced us to live with for ten years without us even realizing it’s all one big sham to benefit Facebook’s monopoly. By pitting developers and users against one another, Facebook guarantees it comes out on top. But developers and users are on the same side. They both have a strong interest in participating in a platform with a stable privacy foundation, and Facebook’s failure to provide that makes them both victims here. If you’re skeptical of this, consider for a moment that you may have already accepted the debate on Facebook’s false terms.

Just look at the sharp contrast with Apple’s platform for iPhone apps. Apple enables real data portability, which is your ability to control your data and network across platforms through APIs with informed, transparent and explicit consent that is easy to understand and manage. This is how Apple’s platform works when apps ask if you want to share your location, receive text messages, or transfer your phone contacts. This is how you’re able to use Apple Music, Spotify or Pandora on your iPhone. This is how you can choose to text your friends in iMessage, WeChat, Telegram or WhatsApp. You can use Apple’s app or another app without any degradation in the quality or experience of the other app’s service.

Apple’s phone contacts list is no different from the friends list Facebook let people share with Facebook’s competitors before Zuckerberg “locked down” the Platform in 2015. Both APIs provide your network of real-world connections, which you must be able to control to find value in almost any type of app these days. Without being able to bring your own real-world network into apps, you are stuck using only the apps that have already built that real-world network. Read: you are stuck using Facebook.

Unlike Facebook, Apple has not suffered a decade-long string of privacy scandals, and yet Apple continues to permit you to control your phone contact list and make it available to other iPhone apps. Apple did not need to “lock down” its platform in the way Facebook did in 2015 allegedly to protect privacy. Imagine if tomorrow Apple did the same thing and prohibited all iOS apps from accessing your phone contacts list; there would be international outrage over such an anti-competitive action. Many of the apps you depend on every day would completely break, and Apple would face an immediate and very public investigation.

But Apple will never do this. Apple will never need to do this because it hasn’t maliciously gutted the privacy settings of its own Platform to weaponize it in the service of its advertising business. Apple recognizes that you — not Apple — own your phone contacts list. So why is permitting users to port their real-world network to competitors a manageable task for Apple, but an impossible one for Facebook?

The answer: Facebook deliberately violated your privacy in order to sell your data in a deceptive and secretive scheme to save its business from collapsing. Zuckerberg made this decision in 2012 (right after the FTC Consent Decree!). Facebook has been selling your data ever since and has been covering it up for years. That might sound dramatic and far-fetched; but it also happens to be true. The scope and scale of Facebook’s deception and cover up is so massive that it has tied Congress into knots trying to understand it. This is the only reason we live in a world where Senators and Congressmen can demand two completely contradictory actions in the same breath: “Facebook, monopolize user data by preventing third parties from accessing it! But, oh, give users complete control over that data!”

Congress has an obligation to untie the knots that have contorted this entire debate to Facebook’s immense advantage. Congress must spend more time understanding the critical role data portability plays as a check against privacy abuses and the illicit use of market power, particularly by platform providers who also compete with other services in the platforms they manage. Congress must get to the bottom of Facebook’s deception and use the lessons from it as a blueprint for a new kind of privacy regime: one that appreciates the role of market power in data abuses and addresses the root causes of these repeated scandals, rather than just their symptoms.