Before Facebook, There Was GeoCities

The FTC’s 1998 case against an early web pioneer laid the groundwork for data privacy discussions today.

Facebook home page styled to look like a GeoCities site.
Lisa Larson-Walker

Twenty years ago, a high-flying tech company behind the most popular online community of the day was accused by the Federal Trade Commission of “deceptive practices in connection with its collection and use of personal identifying information from consumers.” The company was in possession of an extraordinary amount of personal data, collected from its vast number of users, and questions were being raised as to what exactly it was allowed to do with that information. Was it going to—and more importantly, was it allowed to—commercialize that data? Was it violating people’s privacy or misrepresenting their purposes? Won’t somebody please think of the children??

The 1998 FTC complaint against GeoCities came at a moment when the internet was in its awkward phase. As it became a place not just to visit but to contribute, the need for user protections became clear (to some, but not all). While early net pioneers forged new frontiers on the Wild Wild Web, government bodies and trade commissions argued over how best to regulate it.

Twenty years later, it seems as if those institutions have failed—we again find ourselves questioning what a popular platform is able to do with our data. Though GeoCities was much smaller than Facebook, and the scope of what one could do with 1998 data much less sophisticated, it’s hard not to draw parallels between the internet’s first major consumer-privacy case and its most recent—one which definitely won’t be its last.

GeoCities, then known as Beverly Hills Internet, launched in 1995, nine years before Facebook, eight before Myspace, three years even before Google. GeoCities was one of the earliest instances of a virtual community—or communities, to be exact. The web-hosting platform allowed its users, known as “homesteaders,” to create and customize their own personal webpages, locating them in one of GeoCities’ topically themed “neighborhoods,” such as Hollywood (film and actor-themed pages), Silicon Valley (computers, hardware, programming, and technology sites), Athens (teaching, education, reading, writing, and philosophy pages), or Area 51 (science fiction, fantasy, and the first centralized home for conspiracy theories online).

By offering early internet users this much-desired—not to mention free—room of their own, GeoCities’ user base grew rapidly. By 1997, it had surpassed 1 million members. In 1998, the New York Times reported that its audience was growing at “twice the speed of the average Web site.” (As the FTC complaint notes, “One out of five U.S.
Web users visited respondent’s Web site in October 1997.”)

GeoCities came along at a time when it wasn’t yet clear what the internet was. As Farhad Manjoo wrote in Slate upon the site’s 2009 closure, GeoCities in many ways invented the internet as we know it: “[I]t was the first big venture built on what is now hailed as the defining feature of the Web 2.0 boom—‘user-generated content.’ ”

These days, its “user-generated content” is regarded as something of a nostalgic joke: pages full of OTT graphics, sparkling/blinking/moving text, and endlessly rotating “Under Construction” gifs (many of which can be laughed at here). But as ridiculous as GeoCities’ aesthetic may seem today, its pages and features—carefully archived by the Internet Archive—form an important, clunky relic of what the web looked like and how it grew. Not to mention its role in helping GIFs become what they are today. (Cool!)

In mid-1998, just as GeoCities was preparing to go public, the FTC launched a complaint against the site, as part of its crackdown on online privacy practices. The FTC alleged that GeoCities was lying to its customers by misrepresenting how it was using their personal information and was therefore in violation of the Federal Trade Commission Act.

In order to sign up for the service, GeoCities users were asked to provide certain personal information (some of which was optional, some not), including email and postal addresses, interest areas, income, education, gender, marital status, and occupation. From this data, GeoCities came to be in possession of a valuable database—not Cambridge Analytica–level valuable, but hey, it was the ’90s. GeoCities assured its users that it would not share their registration info with third parties, with a note promising, “We will not share this information with anyone without your permission.” In spite of these assurances, the FTC claimed, GeoCities had “sold, rented or otherwise disclosed” user information to third-party marketers, which used it to target individuals with advertising offers beyond what they had agreed to.

Furthermore, the FTC alleged that GeoCities was misrepresenting its relationship with the GeoKidz Club, an interactive site aimed at children that appeared to be run and maintained by GeoCities itself—it was promoted by GeoCities in its child-focused “Enchanted Forrest” neighborhood. In reality, the club was being run by third-party hosts, which were therefore able to collect and maintain children’s information—unregulated and unbeknownst to parents.

“GeoCities misled its customers, both children and adults, by not telling the truth about how it was using their personal information,” Jodie Bernstein, then the director of the FTC’s Bureau of Consumer Protection, said in a statement at the time.

GeoCities, keen to resolve the matter quickly in order not to delay its IPO, agreed to a settlement with the FTC (with no admission of wrongdoing). The consent order mandated that the company not misrepresent its data practices. It also required GeoCities to post a detailed privacy policy on its site, outlining what info was being collected and for what purpose, with a “clear and prominent hyperlink or button labeled PRIVACY NOTICE” on the home page. The order was highly specific in terms of what practices GeoCities was required to disclose, yet nowhere near as detailed as the convoluted privacy policies we’ve come to expect—and agree to without reading or understanding—today. GeoCities was also required to obtain parental consent before collecting information from children, a precursor to the Children’s Online Privacy Protection Act, which would be enacted in October of that year.

Bart Lazar, a privacy and intellectual property attorney who defended GeoCities, credits this case with having a big influence on the development of the online privacy domain moving forward. “It established the FTC as the sheriff on privacy,” Lazar said. “It allowed the FTC, by treating us as the poster child, to gain a foothold and establish its precedent, which stands today. So although no legislation directly came out that said, ‘FTC, you’re in charge,’ the FTC has, over the last 20 years, been able to enforce privacy policy, enforce reasonable levels of security, and been appointed the leader in international privacy.”

Lazar believes the FTC may have been making an example of GeoCities. “Because an enforcement agency has limited assets, you go after one company, and you try to get as much publicity as possible with the goal—and you can look at it one way or the other—of educating or instilling fear into the business world,” he said. “When the FTC came after GeoCities, all the other companies that are in the business are going like ‘Oh, OK, well, if … a company that I aspire to be has gained the attention of the FTC, I better make sure that my privacy practices are buttoned down.’ So it has an education and deterrent effect that gets the industry in line.”

If the congressional hearings with Mark Zuckerberg are anything to go by, the deterrent is not working. The FTC may have more online regulatory power than ever (it already has a 2011 consent order with Facebook), but the industry is most certainly not in line.

It’s hard not to see the GeoCities case repeating itself in today’s long-overdue Facebook reckoning—and not just because GIFs have come full circle. Both sites represented unprecedented steps in online media for their time—and unprecedented dilemmas for privacy advocates and regulatory bodies. Much like Facebook today, the internet of 1998 was something lawmakers could scarcely wrap their heads around. Yet both sites were highly accessible to users—temptingly free, with low technical barriers to entry. GeoCities was used primarily by early adopters of tech, and these net n00bs may have been especially naïve about giving away their data, still learning the rules of the game. But even today, many Facebook users are clearly struggling to understand how much the company knows about them and how that data is used. “The common theme is whether a consumer really has a fair understanding of how their data is going to be used,” said Lazar.

Of course, there are some key differences, not least size and scale. “I think the key difference between the GeoCities and the Facebook case has to do with the size of the number of individuals at stake and the amount of revenue that’s at stake,” said Lazar. GeoCities’ 2 million plus users may have “put it at the third largest website at the time. But we’re not talking about billions of people around the world.”

The amount of data being collected also varies significantly. GeoCities collected comparatively basic intelligence: It knew its members’ email and postal addresses, interest areas, income, education, gender, marital status, and occupation. Facebook, meanwhile, knows … everything about us? On Wednesday, when New Mexico Rep. Ben Luján asked Mark Zuckerberg about data points, his answer was unsatisfactory.

Luján: On average, how many data points does Facebook have on each Facebook user?

Zuckerberg: I do not know off the top of my head.

The activities that can be engaged in using personal data—both in its collection and analysis—are now much more sophisticated, as the 2016 election has shown. “In this Facebook situation, you’re not merely talking about an email marketing campaign,” Lazar said. “You’re talking about behavioral advertising, you’re talking about profiles based on likes and online activities and using that information to categorize an individual to determine whether that individual would be receptive to particular types of communication on political or consumer-based issues.”

But while GeoCities was accused of being actively misleading, can we really say the same about Facebook in the Cambridge Analytica case? GeoCities made and allegedly broke a promise not to give away its members’ data. In Facebook’s case, it was the users who clicked it away. Those who opened the “This Is Your Digital Life” app regrettably chose to share their data to a third party, granting it permission to harvest their data and that of their friends for “academic purposes” (Aleksandr Kogan, who broke several promises, might be more analogous to GeoCities). The fact that Facebook once allowed users to sign away their data and their friends’ privacy so easily is its more damning conduct.

GeoCities misrepresented its purposes. But Facebook never really made any secret of its interest in commercializing our data, other than placing it in convoluted and incomprehensible privacy policies. For the more internet savvy Web 2.0 user, Facebook having an uncomfortable amount of data was an implicit part of the deal. It was when that information fell into the wrong hands that we realized how potently concentrated our Facebook data was.

So what are we now going to do about it? One thing is clear from the Zuckerberg hearings: Twenty years on from the internet’s first ever consumer-privacy enforcement case, our framework for online data protection is sadly still “under construction.”

Read more from Slate on Cambridge Analytica.