Testimony at European Parliament

The Civil Liberties Committee of the European Parliament held a set of hearings on Monday June 25th 2018 about the Facebook and Cambridge Analytica scandal. I was honored to be invited, alongside Facebook representatives, the head of European data protection authorities, data protection activist Max Schrems, and a few other experts.

This is more or less what I said (I ad-libbed a tiny bit at the end, not reflected here) :

Dear members,

Let me first thank you for the opportunity to address such a prestigious assembly. It truly is an honour.

I myself came to the Cambridge Analytica story as a citizen with some knowledge of data protection rights. In December 2015, I read an article by Harry Davies in the Guardian. It made clear that a UK company had processed political data on hundreds of millions of Americans. Immediately, I saw the potential for this situation to generate fruitful discussions on data protection matters, particularly across the Atlantic.

When I didn’t see any follow up articles, I started investigating on my own. I quickly gathered a lot of evidence that was very concerning. The importance felt even greater in light of the social media dynamics during Brexit and the US presidential elections, or rather the completely inadequate press coverage of those dynamics. I went to journalists with my evidence, and some of the Cambridge Analytica coverage blossomed from this, in many successive stages. At each stage I watched in amazement as Facebook’s PR skillfully deflected accusations that I knew to be true. This worked out well for them, until at least March 2018. Some have summarized that period by saying that Facebook is simply “Cambridge Analytica with better PR”. There is definitely something to this statement, as indeed much of what Cambridge Analytica tried to do, Facebook also does on a routine basis, except that up until recently, they didn’t get much heat for it.

In any case, I will call this type of press coverage “top-down transparency”, as, from a data protection standpoint, it does not actually involve a single data subject.

So, what would “bottom-up transparency” look like? Well, it certainly is much harder at the moment, but shouldn’t be. The goal is ultimately for individuals to understand how their information ecosystem is shaped, so why not make sure their questions that legally have to get an answer actually receive a proper answer? In the case of Cambridge Analytica, you heard in the first session Prof. David Carroll present his Subject Access Request, and the consequences in terms of litigation in the UK.

Regarding Facebook, I started my own slew of Subject Access Requests back in December 2016. I asked Facebook for access to my Custom Audiences data and my Pixel data. From the advertisers’ viewpoint, Custom Audiences allows them to target groups of individuals for whom they have a phone number or email address. After some insistence, Facebook did release a tool enabling any user to have the opposite view, into the advertisers who have their information. Facebook however arbitrarily limited this tool to a time scope of two months, which made it useless in retroactive investigations of dynamics during past elections. Nevertheless, even with this limited scope, it is shocking to many to see lists of hundreds of advertisers pretending to Facebook they have their consent. Many journalists choose to lead their articles with this information when discussing the extent of Facebook’s surveillance.

My other request concerned Pixel data. This should basically contain the list of pages off Facebook where I have been tracked as a user. This could also be very informative, even retroactively, in understanding dynamics during electoral periods. Eighteen months later, I still haven’t received that list, but these specific efforts have by now led to a question to Facebook’s CTO in the UK Parliament, to Mark Zuckerberg in the European Parliament, and two comments from Mark Zuckerberg in the US Congress. All the responses provided by these Facebook executives are in fact contradicted by responses I had myself obtained previously. This was explicitly pointed out by US Senator Blumenthal in direct written questions to Mark Zuckerberg. In turn, Facebook’s response to this direct request is to announce some vague plan to implement a new feature called Clear History, which by its very design will be highly deficient on the day of its eventual launch, at a still unspecified point in the future. There is also no doubt this feature will be presented as voluntary, rather than the mandatory transparency effort for which I have started calling out Facebook 18 months ago.

It is worth noting that I was initially making those requests through Privacy Shield, since there I had at least — in theory — a chance to argue my case for free in front of an independent third-party, called TRUSTe. However, after a while, Facebook talked to TRUSTe, and figured out how to dismiss my complaints at their very start. I thus had to interact with the Irish Data Protection Commissioner, who has not taken a single proactive step in enforcing the law with respect to my complaints, quite to the contrary actually. There is no mild way to put this: it is my view, shared by many, that the Irish Data Protection Commissioner’s Office has been the biggest enabler in Facebook’s sustained disregard for European laws regarding data protection.

So Facebook is really Cambridge Analytica with better PR, better lawyers and better lobbying.

In the end, all this is very unfortunate: I am not pursuing transparency for the sake of transparency. I am pursuing it to better understand how those systems work, and to educate others to these digital issues. I have founded a nonprofit working on this, PersonalData.IO, and we have formulated a strategy for enforcement as it relates to platforms. It is a bit subtle, so I will leave that strategy to additional written testimony submitted to the Committee. [1]

Ultimately, Facebook’s data is key to identifying and solving the problems they have created, not Facebook itself. While Facebook or Mark Zuckerberg will offer apologies and ask from us for even more trust while they fix things based on this data, they will really be cementing even more power over an information ecosystem they actively pollute.

As an alternative, a lot of this data could be copied outside of Facebook, through the portability right, and additional services could be constructed there, offering a healthy counterbalance to Facebook’s power. The Facebook Pixel data, for instance, could be imported into an information dietetician that would advise the user on the diversity of opinions they are exposed to. It could also be entrusted to journalists trying to understand better foreign influence. This innovation is actively stunted by Facebook, and with poor enforcement, it could even be worse down the road: Facebook could give selective access to this data to shape the innovation surrounding their platform and further their business goals.

Mark Zuckerberg is denying all of us the opportunity to get access to our data, and to build a vast array of services fixing the problems he is responsible for. It makes perfect sense: he is currently clinging to an outdated business model, and shouldn’t have to be trusted for as long as he does.

Thank you.

[1] See Platforms and Personal Data Processing: the Potential for Achieving Systemic Transparency, by Paul-Olivier Dehaye, Isabel Hahn, and Gerelchimeg Jargalsaikhan https://www.dropbox.com/s/0c9xh10oek2jl1s/Platforms%20and%20data%20subjects%27%20rights.pdf?dl=0