The tech buzz lurches, seemingly daily, from one Facebook privacy fiasco to the next, but with no resolution and no consequences. On Tuesday, we learned from the New York Times that Facebook allowed Microsoft’s Bing to see the names of virtually all Facebook users’ friends without consent and gave Netflix and Spotify the ability to read Facebook users’ private messages. We also learned from Gizmodo that turning off Facebook’s access to your location will not stop Facebook from tracking your location. On the same day.
According to Nick Confessore, one of the Times writers who broke the story on Netflix and Spotify, Facebook’s defense of the latest privacy breach is that “Facebook doesn’t need explicit consent because partners are all functionally extensions of Facebook itself.” That’s likely not how Facebook users understand the arrangement. And in any event, Facebook never asked a users’ friends whether they agreed to share their data outside of the social network.
We have an agency designated by Congress to protect our privacy in particular and to police acts of unfairness and deception generally under its Section 5 authority. Yet there appears to be no internet cop on the beat. It’s the digital equivalent of watching a shopping district being looted and set afire, while police officers are busy ticketing parking violators.
Not only is the FTC empowered to police Facebook for privacy violations, the FTC secured a consent order with Facebook in 2011, under which Facebook agreed to obtain consent from its users before sharing their data with third parties. Facebook could, in theory, face penalties of up to $40,000 per user per day for violating the FTC’s consent order.
Problem solved? Hardly. As Justin Brookman of Consumer Reports explained to me, “the substantive limits imposed by the order are flimsy, and the audit is just pro forma theater.” The order does not get to the core of Facebook’s dubious privacy behaviors, including targeting users based on what they buy in the physical world. According to Brookman, the “FTC could theoretically try to address that under general Section 5 authority, but they haven’t tried and it’s unclear if they would be successful if they did.”
But why haven’t they tried? Perhaps the FTC is too busy chasing down cartels of ice skating instructors, organists, and music teachers. Or perhaps it diverted too much staff to write a platform-friendly amicus brief in support of Uber and against the city of Seattle’s grant of collective bargaining rights to “independent contractors” working as drivers (a move noted by the Roosevelt Institute’s Marshall Steinbaum). Or perhaps it got distracted by its dogged pursuit of a trademark settlement between 1-800-CONTACTS and fly-by-night lens retailers, in which proof of “consumer” injury took the form of Google’s lost ad revenue.
By aiming its guns at small-time offenders, the agency at least can point to doing something with our tax dollars. Because FTC staffers move from the agency to big law firms representing Big Tech (or vice versa), there could be an institutional incentive to go after low-hanging fruit. Whatever the motive, the aforementioned cases—combined with the FTC’s seeming reluctance to impose fines on Facebook—feed the impression, as noted by Bloomberg’s Noah Smith, that the agency is captured by (or scared to death of) the dominant tech platforms.
That Facebook can’t stay out of the headlines is not just a crisis for Facebook. It’s also a crisis for the FTC—indeed, it’s a “credibility-check moment.” Every day that passes in which the consent order is not enforced against Facebook adds to speculation that something is deeply broken at the agency.
Moreover, the tech firms want the FTC to be named as their sole regulator, pre-empting stronger action by states and their attorneys general to protect privacy. Given its record of tech-friendly enforcement, it’s not surprising that’s who the platforms want looking over their shoulder. But if it can’t even enforce a consent order—a set of promises Facebook itself agreed to abide by—then it will be quite clear the FTC isn’t up to the task of protecting our economy, or our democracy, from the depredations of Big Tech.
By assisting powerful platforms when the zeitgeist is to reign in platform power, the FTC has lost its lodestar: to assist the weak and to constrain the powerful. But all is not lost. FTC Chairman Joseph Simons can right this ship with a course correction.
1. It should announce a finding that Facebook, by sharing data with third-party apps even after introducing controls to limit such sharing, has violated the 2011 consent order. Four former FTC officials told the Times they think the deals violate the order; they can’t all be wrong.
2. It needs to impose a fine that will send shivers down Silicon Valley; the number should start with a B, as in billions.
3. The FTC should enforce the nonsharing restriction expansively, possibly to cover other misleading behavior too.
4. It’s time to require Facebook to enter a new consent order that includes restrictions on a) tracking what users do on other websites and apps, b) tracking geolocation even when users are not using the app, and c) targeting users based on what users buy in the physical world.
5. The agency should push the bounds of its Section 5 unfairness authority to go after unexpected and likely unwanted practices that occur outside of the direction of the user.
6. Finally, the FTC should ask Congress for new authority to enforce a new “reasonably necessary” standard against all online platforms, as proposed by Brookman, which would limit data collection, retention, and sharing to what is reasonably necessary for a service requested by the consumer.
For the FTC to avert this crisis, it needs to show the will to stand up to the platforms. So far, we haven’t seen it.