When Democrats and Republicans in Congress agree on something, it usually involves symbolic acts of patriotism or minimally decent acts of disaster relief. Add to that list: giving Mark Zuckerberg the third degree—and insisting that his company face some kind of consequence for the Cambridge Analytica scandal and how cavalierly it has often treated its users’ data. “I think it is time to ask whether Facebook may have moved too fast and broken too many things,” Rep. Greg Walden, a Republican from Oregon, said last Wednesday as he opened up a House committee hearing with Zuckerberg. “I don’t want to vote to have to regulate Facebook, but by God I will,” said Sen. John Kennedy, a Louisiana Republican, during a Senate joint committee hearing the day before the House’s. Democrats sounded even more gung-ho about cracking down on the company. “This incident demonstrates yet again that our laws are not working,” said Rep. Frank Pallone, a Democrat from New Jersey. Congresswoman Jan Schakowsky, a Democrat from Illinois, laid it out plainly while dressing down the 33-year-old CEO: “This is proof to me that self-regulation simply does not work.”
If the status quo isn’t good enough—and if consumers and lawmakers agree that Facebook’s raft of recent new initiatives to better protect user privacy has arrived far too late—then what will work? There has never been a more opportune time to rethink how the law treats Facebook and its peers, companies that exchange the free use of their services for access to their visitors’ data, which they monetize in various ways. A year and a half of bad press has certainly sucked some wind from the social network’s capacious sails. Just in the four weeks since the Cambridge Analytica scandal broke, the company’s market capitalization has lost more than $100 billion from its February peak as journalists and politicians have scrutinized its treatment of user data and reiterated uncomfortable questions about its role facilitating a Russian-backed disinformation effort aimed at the 2016 campaign. Even before the latest drama (and the #DeleteFacebook campaign it inspired), bad omens were beginning to crop up for Facebook. In January, for example, the company reported its sharpest drop in user growth ever. And yet the conventional wisdom that emerged from last week’s hearings was that Congress was unlikely to pass anything that would require significant new protections for users of social media platforms. At best, it could pull an existing bill from the shelf that would regulate the important-but-relatively-minuscule realm of online political advertisements. Once the glare of the hearing-room lights faded away, it seemed, Facebook would once again be left to regulate itself.
The reasons why are mostly obvious: Though he tripped on a few probing queries, Zuckerberg generally managed to parry the vague, off-topic, and often repetitive questions of lawmakers who were either unable or unwilling to reckon in a sophisticated manner with the ways Facebook has changed the world. There’s the Republican control of Congress and Washington’s current deregulatory flavor, something Facebook seized upon last week when it courted conservative groups to push back against any new, wide-ranging privacy rules. There’s the fact that Facebook users generally like, or at least don’t dislike, a service that has become central to maintaining the connections in their lives despite the many pitfalls of its business model. Finally, there is Silicon Valley’s long-standing imperviousness to broad federal oversight, a symptom of its economic vitality as well as its political affinity with the party more likely to regulate it—Democrats. But there’s another reason Congress may never force Facebook to do better by its users: The people most equipped to propose a way to regulate large internet platforms and then fight for it—digital privacy advocates and activists—have been jarringly quiet.
When lawmakers rein in large companies, it takes the help of forces than can shout down the voices of corporate lobbyists and their ideological allies. When the Federal Communications Commission voted to protect network neutrality and prevent internet providers from slowing down and throttling access to websites in 2015 (before the current FCC reversed the decision), it was with support of the nearly 4 million Americans who had been rallied to urge the FCC to improve on its original plan. And in 2012, outrage over two relatively arcane online intellectual property bills—the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA)—reached such high volumes that the number of elected officials who opposed the pieces of legislation ballooned from 31 to 101 after a single day of action; the bills eventually died. There is no similar effort now to protect Facebook users’ privacy.
Without organized constituent pressure, lawmakers are far more likely do nothing or create legislation favoring the very corporations that need regulating in the first place. “It’s the difference between a bill that staff is driving versus a bill that constituents are driving,” said Alvaro Bedoya, a law professor at Georgetown and former staffer for ex-Minnesota Sen. Al Franken who has also served as chief counsel for the Senate Judiciary Subcommittee on Privacy, Technology, and the Law. “It is critical as a staffer to be able to point to organizations and communities and say, ‘If I make that change, the AARP is going to blow up at me’ or ‘If I make that change, anti-stalking groups are going to be mad at me,’ ” he said. If lawmakers are going to piss off lobbyists and the donors they represent, they need to know that if they don’t act, someone on the other side will be pissed off, too.
In Facebook’s case, this isn’t hypothetical: Lawmakers are not hearing from the groups that focus on internet privacy and appear to be at a bit of a loss on how to proceed with legislation. “The conspicuous silence of the tech-oriented civil-society groups has been really telling,” one congressional staffer told me, adding that “a grass-roots campaign to capitalize on the immense public interest in these issues” could help catalyze a push for comprehensive data-protection legislation in the vein of the General Data Protection Rule, or GDPR, the wide-ranging European Union regulation going into effect May 25 that will significantly change the ways companies like Facebook, Google, and Twitter operate in those countries.
Who is missing from this conversation? Start with prominent digital privacy advocacy groups like the Electronic Frontier Foundation (where I used to work), the Center for Democracy and Technology, and the Open Technology Institute (where I once interned) at New America, which have long lobbied against government surveillance like the kind exposed by the Edward Snowden leaks several years ago. I asked each of them if they have campaigns related to Facebook, or have proposals for any kind of legislation that would address the ways Facebook and other companies surveil and monetize your every move. Not one does—the most they’ve done is write blog posts and started initial conversations. And Fight for the Future, a powerful and fierce grass-roots group that championed the winning fight to pass net neutrality protections in 2014, only just launched an online petition and set of broad demands that puts the onus on tech companies to reform themselves. Compare this level of engagement with these issues to the media, which has treated the weeks since the Cambridge Analytica scandal broke as a public referendum on Facebook’s entire business model, or the growing outcry from academics who have long studied and warned of the deleterious effects of broad corporate data collection. But this is clearly not enough. If the people whose job it is to care about digital privacy can’t be bothered to push for laws to regulate how Facebook treats the data we give it, why should Congress?
The summer before I moved to California in 2013 to work at the Electronic Frontier Foundation, the Guardian published the first story about the unfathomable scale of the National Security Agency’s mass surveillance. It was the first of many revelations based on documents leaked by Edward Snowden that blanketed the news for the next year. Days after that first story ran, EFF, along with a broad coalition of 86 advocacy organizations, signed on to a petition, StopWatching.Us, demanding an end to the government data collection. By the end of June, a half-million concerned individuals had signed on, too.
The movement gained momentum as news stories about the NSA’s PRISM program and other activities continued to trickle out, eventually culminating in a march that October in Washington, D.C., where thousands from across the country rallied to demand that lawmakers rein in the government’s spying on individuals. (I helped organize participation from Philadelphia, where I was based at the time.) The next big action was in February, when another broad coalition of advocacy organizations came together for a day of mass action via a website, TheDayWeFightBack.org, built to funnel constituent calls to members of Congress. In one day the coalition was able to generate more than 89,000 phone calls to 535 congressional offices, flooding their phone lines. In the end we didn’t achieve any kind of legislative change, but we did channel public outrage over NSA surveillance into a focused movement—one that remains in place to push back against unconstitutional governmental intrusions into individuals’ privacy.
Privacy advocates know how to build coalitions and campaigns. They know how to make demands, and they know how to hatch an action agenda fast. They’re quick to do it when the issue is government invasion of privacy. But it didn’t happen over the March weekend that the Cambridge Analytica news broke, even though the story showed that a network with more than 2 billion users is a whole lot more permeable than most ever imagined. Nor was there a public list of demands ready in advance of Zuckerberg’s congressional hearings, where lawmakers were so in need of guidance that some of them asked the CEO how he would like to see his company regulated. South Carolina Sen. Lindsey Graham, a Republican, even asked Zuckerberg, “Would you submit to us some proposed regulations?” Zuckerberg replied, “Yes.”
When I asked about their plans for campaigns demanding that elected officials take action to limit corporate data collection now, the advocates I talked to either said they’re not ready or they’re not planning on doing anything. “Yeah, there’s no campaign coming up that I know of,” said Gennie Gebhart, a researcher at the Electronic Frontier Foundation, one of the premier digital rights and tech policy advocacy nonprofits in the U.S. This is a group that has been suing the NSA over its digital surveillance efforts for at least a decade—after whistleblower Mark Klein went to its offices in 2005 with all kinds of proof that the agency had been siphoning up the communications of people that pass through AT&T’s fiber-optic cables. EFF is among the most respected expert organizations and advocacy outlets on user privacy in the world both because it’s been doing it for so long and because of its careful adherence to facts, a rare trait among activist groups.
Perhaps institutional caution is the reason for their slowness to act here, but it may also come down to something philosophical. Gebhart told me, “EFF is not giving pressure to legislate because there has been a knee-jerk reaction in some of the conversation of, ‘How will we legislate Facebook? What will we slap on them?’ And I think maybe the better tack to take is to take a couple steps back first and ask, ‘What privacy protections do we need that we are missing,’ and second, ‘What rules or other mechanics are available to get those privacy protections that perhaps we haven’t been using?’ ” Gebhart pointed me to a blog post with ideas about how EFF thinks people can have their privacy protected by social media platforms, but said there’s no standing plan now for what to ask of Congress. Rather, the organization is leaning toward specific user controls that Facebook should implement, like ways the platform can improve transparency and assure that data has been deleted when requested. EFF also warns of the dangers of how poorly worded regulation could go awry.
Likewise, at the Center for Democracy and Technology, Vice President for Policy Chris Calabrese told me that it’s just too soon to know which direction to take. “Advocacy organizations don’t move on the dime,” Calabrese said. “If you started the year saying we’re going to push for a baseline privacy bill or commercial privacy legislation, there’d be skepticism about it,” he continued, saying that a broader public interest in limiting corporate data collection reached a boiling point very quickly. But the Cambridge Analytica story isn’t actually new: It broke years ago in a 2015 Guardian report about how Sen. Ted Cruz’s presidential campaign was using Facebook data wrongfully obtained from tens of millions of users. Advocacy groups have had plenty of time to figure out their positions on the kind of corporate surveillance that powers the big technology platforms. They could’ve been prepared for public interest to peak. They weren’t.
That might be because they’re waiting for ideas to appear rather than crafting ideas themselves. Open Technology Institute Director Kevin Bankston wrote in an email that he “can’t speak to hypothetical ‘regulation,’ ” adding that the institute does generally support the idea of privacy legislation. Bankston also warned that not all legislation proposed is good, pointing to the Obama administration’s draft Consumer Privacy Bill of Rights, which had so many industry concessions that the advocacy community couldn’t support it. He said that right now various members of Congress are interested in different solutions and OTI finds “encouraging a proliferation of such ideas both big and small is more of a priority for us than prematurely picking a particular horse to back.” (The Open Technology Institute’s parent foundation, New America, is a partner with Slate and Arizona State University on Future Tense, the magazine’s section about the societal implications of new technology.)
It’s hard to tell what is more striking: that these groups wouldn’t want to lead the way on whatever regulation emerges, or that they seem completely unprepared (or unwilling) to do so. Broad corporate surveillance and data collection isn’t new, and in fact, it’s what powers much of the government surveillance these groups have long railed against. Facebook has been around for 14 years. Google, even longer. How could digital privacy advocacy organizations not already have strong proposals for what lawmakers need to do to ensure corporations aren’t sucking up inappropriate amounts of data? The longtime focus of privacy advocates on government surveillance, not corporate surveillance, is one explanation. That probably has to do with the founding principles behind a lot of internet advocacy, which has its origins in libertarian and anti-regulation philosophies. As a result, a lot of complaints from privacy advocates over the years have focused on how government surveillance is harmful to our constitutional rights and less on how they might be harmful to our communities.
It’s also hard to overlook the fact that a lot of privacy advocacy groups in the U.S. get funding from the same tech companies that would ostensibly be affected by government regulation of consumer data collection. EFF, for example, took in about $822,000 from Google, including donations from employees that are matched by the company, in fiscal 2017. CDT collected about $590,000 in donations and support from Google in 2016 and received $250,000 from Facebook last year. As for OTI, Google’s former CEO Eric Schmidt co-founded and has been a significant donor to New America for years. He and his wife’s philanthropic foundation committed to $4 million in funding New America from 2016 to 2021. All of these groups maintain complete independence from their donors.
This isn’t to say that there haven’t been moves to fight overly broad corporate surveillance by advocacy groups. The American Civil Liberties Union, which is a part of Fight for the Future’s new campaign, specifically called out Facebook for the way it let developers scrape horrendous amounts of data back in 2009 with a campaign and a Facebook quiz to demonstrate how porous the privacy protections are. But what’s happening now is an unusual occurrence. This could be a moment to build a broad coalition of all kinds of groups concerned by the industry of online data collection. Right now, it’s not.
Even before I left the world of internet-freedom advocacy, I disagreed with its emphasis on constitutional abstractions over real-world harm to communities, and it’s a tension that I think helps explain why the major internet-privacy groups are so silent about Facebook’s mess now.
The argument against government surveillance is generally premised on the idea that Americans have a right to privacy upon which the government has infringed. It’s true that if someone is listening to what you’re saying, you might not say everything you would say otherwise. Under surveillance, free speech is chilled. Americans are also constitutionally protected against unreasonable search and seizure—but as with many rights, not everyone’s are equally respected in practice. Stop-and-frisk policies disproportionally target people of color, as do police who look for possible immigration arrests by pulling over brown people with broken taillights. Police have secretly bugged New York City mosques. If you need food stamps, the government no longer gives out little books of actual stamps, but rather tracks everything you buy with an EBT card—a level of surveillance over what you eat that only applies to the poor.
That’s the problem with so much of the fight for online privacy: It wants to protect rights that not everyone gets to enjoy. By focusing so much of its activism over the years on harms to the Constitution instead of harms to communities, the movement hasn’t always made the room necessary for the kind of storytelling and coalition-building that could interest a broader swath of Americans—and maybe propel Congress to act. The advocacy around StopWatching.Us, in response to the Snowden leaks, was framed around protecting privacy rights. But what if you’ve never really had any?
This emphasis on constitutional infringement has its roots in the founding libertarian philosophy of early U.S. internet activism. One of the movement’s guiding treatises, the Declaration of the Independence of Cyberspace by EFF co-founder John Perry Barlow, centers on protecting the internet from government intrusions. This isn’t to say that groups like EFF, OTI, and others haven’t in recent years made efforts to expand their outreach and messaging to communities harmed by government surveillance: They have, and it’s been a refreshing extension of their work. This comes in addition to an important legal history at digital civil liberties organizations of defending marginalized and vulnerable communities in court against the government’s harmful spying. (Also, some justice-focused organizations have joined the fight against government surveillance and are working to steer the focus to how digital surveillance can facilitate discriminatory profiling.)
Still, there haven’t been huge wins in the movement to reform mass surveillance by the government. The NSA hasn’t started collecting less data, nor are there signs that the Drug Enforcement Agency nor the Department of Homeland Security have, either. President Obama actually broadened the federal government’s digital surveillance machine right before he left the White House. None of this is to say that the work fighting government surveillance should slow down, or that these organizations should entirely alter their focus—unlawful spying by the feds and local law enforcement is harmful, and working to rein it in is critically important work. But corporate data collection feeds into government surveillance—and it hits people in real ways, too.
I don’t know if a different emphasis would have led to more success for digital-privacy advocates, but I do wonder: If these groups had focused more on protecting communities and their needs from the beginning, would they have been more likely to notice that people are not only harmed by government data collection but by corporate data collection, as well?
This isn’t just one big issue, but many small ones. Large internet companies could work with the AARP to push for the government to curb data brokers, who often target the elderly and convince them to disclose private information, as Alvaro Bedoya suggested to me. They could pay attention to how mortgage brokers have used targeted ads, as they did before the global financial crisis, to peddle subprime loans. Back then, financial companies were combining online-behavior data with location and demographic information in order to deduce a person’s race, something they could in theory still do today using Facebook. Groups that work to help survivors of domestic abuse and advocates for immigrant rights could be engaged in this conversation—since all kinds of surveillance-tech companies use data obtained from across the internet to make software used by law enforcement, or even stalkers, to track online behavior data to surveil people. It wasn’t until September that Facebook and Google stopped letting advertisers target people based on racist and bigoted search terms like “How to burn Jews” and “threesome rape” and “black people ruin neighborhoods.” Regulating data collection isn’t only about protecting people’s rights—it’s about protecting people’s lives.
With all eyes on Facebook, there’s good legislation that failed to gain traction in the past that is worth revisiting now. There was the data broker bill from 2015, which would have given consumers more control over the data that companies hold on them and force more corporate accountability. There was also the geolocation privacy bill from 2011 that was meant to give consumers more control about location data that’s collected on them. There was a bill about cybersecurity and privacy for drivers, an issue that’s going to become more important as more cars come equipped with advanced computer systems and as more companies continue to invest in a self-driving future. These piecemeal approaches to privacy might even make more sense than any large bill like the EU’s regulations, since an omnibus approach could get watered down or contain industry loopholes that undermine the bill’s purpose.
The onus shouldn’t just be on advocates to take advantage of users’ and politicians’ current outrage and attempt to more thoroughly regulate companies like Facebook and Google. We should also expect lawmakers to see when there’s a problem and act on it themselves. But advocacy organizations and professional activists play a critical role, and when they work together to rev up the public, they can give the specter of regulation corporeal form. This might mean organizing a day to flood Congress with phone calls. Or booking congressional staffers’ time with visit after visit from constituents. Or simply putting people’s stories first, like the many accounts of people being stalked online by hate groups that got their personal information from data brokers. How many people responded to a Facebook ad for a harmful product, like a subprime loan, hypertargeted to their demographic? When advocates start to ask how online surveillance has concretely affected people’s lives, the results may be surprising—and energizing.
Moments like the one we’re in don’t come often. While advocacy groups who deeply understand the intricacies of online data-collection wait and see what happens with privacy regulation, the news environment is going to move on. They’ll miss their chance. Maybe that’s what they want.
