Tougher regulation of Facebook is inevitable

Countless mistakes and a lack of transparency have left few other options.

Two long days of congressional hearings have come to an end for Mark Zuckerberg. But the embattled Facebook CEO seems to have left members of Congress with more questions than answers about his company's handling of user data, leading a number of them (Democrats and Republicans) to float the idea of tougher regulations. Although more oversight means the government could keep a closer eye on how Facebook operates, there's concern in the tech industry (and among free-market Republicans) that it could stifle innovation. That's because only companies with deep pockets are likely to have the necessary resources to comply: While Facebook has the means to hire 15,000 people to monitor security, that may be hard for a startup to do.

Zuckerberg's visit to Capitol Hill was the culmination of months of controversy over a number of issues for Facebook, including the spread of misinformation, hate speech and fake accounts on its platform. But the last straw came after news broke that Cambridge Analytica (CA), a political-consulting firm with ties to the Trump campaign, had misused the private information of as many as 87 million Facebook users. The CEO's apology tour actually began last week, with a series of press interviews and updates to the company's privacy policy. Zuckerberg said he was sorry and that Facebook's recent mishaps were his mistake, and he echoed those sentiments in his testimony before the Senate Commerce and Judiciary Committees as well as the House Energy and Commerce Committee.

Some members of Congress who questioned Zuckerberg, such as Sen. Richard Blumenthal (D-CT) and Rep. Mike Doyle (D-PA), believe Facebook may have violated a settlement it reached with the Federal Trade Commission in 2011. That decree accused Facebook of deceiving consumers by "telling them they could keep their information private and then repeatedly allowing it to be shared and made public" and, as a result, the company would be "barred from making misrepresentations about the privacy or security of consumers' personal information," among other things.

We now know that Facebook learned about the Cambridge Analytica incident in 2015, but it wasn't until last month that it disclosed what it described as a "breach of trust" by the consulting firm. And that was seemingly only because it learned that The New York Times and The Guardian were about to break the story. It also took Facebook more than two years to notify users whose data were affected, which it just started doing this week. Zuckerberg was asked if he was involved in the decision to not contact the users when the company became aware of the issue, and he said he didn't know if there "were any conversations at Facebook overall because I wasn't in a lot of them."

While there's a chance Facebook did violate its privacy deal with the FTC (Zuckerberg said he doesn't believe that to be the case), the company won't face any financial penalties regardless. The main issue is that the FTC, the primary body overseeing Facebook, doesn't have strong enforcement powers. Even if the FTC does find that Facebook violated its 2011 agreement, the agency can't impose fines because it would be considered a first-time violation. When you take into account that the company raked in a record $12.97 billion in revenue last quarter, most of which came from advertising, it can definitely afford to be held accountable for protecting people's data.

"We've been relying on self-regulation in your industry for the most part, and we're trying to explore what we can do to prevent further breaches," said Rep. Diana DeGette (D-CO) on Wednesday. "We continue to have these abuses and these data breaches, but at the same time it doesn't seem like future activities are prevented. And so I think one of the things that we need to look at in the future, as we work with you and others in the industry, is putting really robust penalties in place in case of improper actions." Zuckerberg said that it's likely Facebook will find that other apps abused user data like Cambridge Analytica, and promised to notify users quickly if that ends up being the case.

The idea of tougher regulation for Facebook (and other tech companies) seems to have bipartisan support, based on statements made by multiple members of Congress. Sen. Amy Klobuchar (D-MN) asked Zuckerberg if he would support a rule to notify users of a data breach within 72 hours, which he said he wouldn't be opposed to. That would be a huge shift for his company, considering that it took more than two years to disclose what happened with Cambridge Analytica.

Throughout the hearings, Zuckerberg repeatedly emphasized that he isn't against the idea of Facebook being regulated, and pledged to work with policymakers on proposed rules. He also highlighted his support for digital-advertising regulations like the Honest Ads Act, a bipartisan bill that proposes online advertising be regulated the same way print, radio and television ads are.

Senator Lindsey Graham (R-SC), meanwhile, asked Zuckerberg if he thought Facebook had a monopoly, pointing to the acquisition of social-media app Instagram in 2012. "It certainly doesn't feel like that to me," Zuckerberg said. "It is a good business decision," added Graham. "My point is that one way to regulate a company is through competition, through government regulation. Here's the question that all of us got to answer: What do we tell our constituents, given what's happened here, why we should let you self-regulate?"

Zuckerberg replied by saying that his position is not that there should be no regulation. "The real question, as the internet becomes more important in people's lives, is what is the right regulation, not whether there should be or not." Graham then encouraged Zuckerberg to submit proposals to Congress, adding that "one way to regulate a company is through competition, through government regulation." But the truth is that, with more than 2 billion monthly active users on Facebook alone (not counting Instagram), the company really doesn't have much competition in the space. Twitter, in comparison, has 330 million monthly active users.

Senators and representatives also asked Zuckerberg if he would be open to the idea of implementing something similar to the European Union's General Data Protection Regulation (GDPR), which goes into effect May 25th and aims to focus on data consent and strengthen protection for individuals' private information on the web. Under these new rules, sites like Facebook will be held accountable for how they handle personal data from their users and would be compelled to respond when people request a report of the information a company has on them. It will also require that organizations be clear about what they're doing with their users' data, whether it's ad targeting or user research.

If Facebook were to implement something similar to GDPR in the US, and around the world, that has the potential to solve a lot of the company's problems. Still, one of the main concerns for various lawmakers is that Facebook isn't transparent enough with its users, particularly when it comes to what it does with their personal data -- even if they consensually give it to the company. "Your user agreement sucks," Sen. John Kennedy (R-LA) told Zuckerberg on Tuesday, in one of the hearing's more memorable moments.

"The purpose of a user agreement is to cover Facebook's rear end, not inform users of their rights." Kennedy added, "I'm going to suggest to you that you go back home and rewrite it. And tell your $1,200-an-hour lawyers -- no disrespect, they're good -- you want it written in English, so the average American can understand it." This is something Facebook has already started to fix.

Just last week, Facebook updated its terms of service and data policy to make them easier for users to understand, thanks to more straightforward language that doesn't require a law degree to process. It's a step in the right direction, but it's worth noting that the privacy policy itself largely remains the same -- this change was mostly about adding language that's easier for the average Facebook user to discern. Zuckerberg said that if Facebook continues to not communicate its policies clearly, "then that's something we need to work on."

Among the most ambitious proposals was a consumer privacy bill of rights designed to protect people's personal data, which was introduced during Tuesday's hearing by Connecticut's Blumenthal and Sen. Ed Markey (D-MA). With the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, the FTC would be required "to establish privacy protections for customers of online edge providers like Facebook and Google." Zuckerberg said that the details of these types of proposed regulations "matter a lot," but that if it makes sense, he would fully support it. "If it's the right regulation, we'll welcome it," he said. "I think that's a discussion that needs to happen."

Still, Sen. Blumenthal said he has reservations about Zuckerberg's testimony. "I don't see how you can change your business model to maximize profit over privacy," he said, "unless there are specific rules from an outside agency. I have no assurance that these vague commitments will produce any action."

As earnest as Zuckerberg seemed during both hearings, he also has a track record of empty apologies. If he really wants to earn back people's trust, he's going to have to do more than just say sorry, and actually prove that he's willing to put users' privacy protections over Facebook's bottom line. Stronger federal regulation likely won't happen overnight (or at all, so long as Republicans control Congress), but that may ultimately be where we're headed. This probably isn't the last Zuckerberg has heard from Congress.
