Are you serious Mr Zuckerberg?
This past weekend, in an Op-Ed in the Washington Post, Mark Zuckerberg called for new regulations to address harmful content, electoral integrity, privacy and data portability.
Nine years since he proclaimed that privacy is no longer a social norm, four years since Facebook noticed broadscale harvesting and exploitation of their users' data by third party companies and chose not to tell us about it, two years since he denied there were any abuses of data in political campaigns, and over a year following public scandals regarding the harvesting and exploiting of data, Mr Zuckerberg claims there is only now a need for new rules.
While these issues do need to be addressed, it is hard not to be sceptical. Facebook is seeking yet again to apportion blame for its failures elsewhere - this time on governments for failing to regulate. Yet Facebook continually obstructs regulatory reform with its powerful lobbying capabilities , appeals against regulatory judgments and then investigates its critics.
In each of Zuckerberg's asks, the devil is in the detail, and as ever, Facebook is protecting itself.
Taking the third ask - "effective privacy and data protection needs a globally harmonized framework." Zuckerberg states that: "New privacy regulation in the United States and around the world should build on the protections GDPR provides. It should protect your right to choose how your information is used — while enabling companies to use information for safety purposes and to provide services." That last bit is key to Zuckerberg's defense. Whilst on the surface this may seem uncontroversial, he's trying hard to ensure that consent doesn't inhibit Facebook's data-intensive advertising model. Yes, the very type of profiling that has been so controversial, targeting vulnerable people and excluding people by race. This kind of interpretation of law would allow Facebook to claim that personalised ads are part of the service they offer, in data protection terms so they can rely on "necessary for the performance of a contract" as the legal basis to avoid consent (and the challenges they are facing in this regard. So what Zuckerberg's really saying in the piece is that Facebook want GDPR-like regulation everywhere, but one that serves Facebook's current business model and essentially doesn't allow people to opt-out of tracking and personalised ads.
Taking the second ask, on election protection and common standards on verifying political actors. Facebook has been extremely slow to react on this and is only doing so in response to some of the scrutiny and criticism it has faced in the last couple of years. For many years, Facebook actively promoted its use for political campaigns, including the benefits to campaigns of its data combined with onboarded data from data brokers. Its ads transparency efforts to date have been limited both in geography and effectiveness and have been implemented in a way that has made it difficult for civil society and researchers to scrutinise.
Taking the fourth ask, on data portability, Zucerkberg's emphasises the importance of choice, innovation and competition. Zuckerberg proposes that true data portability should look more like using the way Facebook can be used to sign into apps rather than current ways of downloading an archive of information. This completely misses the point. First, using Facebook to sign into an app is in the end more beneficial to Facebook's relentless data harvesting exercise. Second, the point of data portability is to enable individuals to transfer their data to another service, and Facebook should already be providing the right of access and data portability as enshrined in GDPR to its users worldwide. Facebook's eternal quest for growth is in large part responsible for the lack of choice and unavoidability of its services (Facebook, Whatsapp, Instagram).
If he is serious
Regulation is essential for preventing and holding to account exploitative practices. This is why at PI we work to develop, strenthen and modernise legal protections and use the law to challenge those that fall short. However, Facebook doesn't need to wait for regulators to make all of these changes - especially those related to our privacy.
First, while calling for new laws is not necessarily objectionable, Facebook should begin by complying with and supporting pre-existing, strong regulations and protections for users, not attempting to undermine them. If Facebook is suddenly so keen on GDPR (after years of fighting to water down GDPR and even now complying with it in questionable ways) and wants GDPR to become a global standard, then it should treat GDPR as a floor and not a ceiling. This would mean ensuring that users around the world are provided with the same rights. This also means supporting, rather than opposing, new laws such as the ePrivacy regulation in Europe.
Second, Facebook should accept failure and do better. When Facebook is found to have fallen short of what is required by law, accept this, make changes and learn, rather than using vast resources to challenge decisions that are inconvenient or pose a threat to the way Facebook monetises data. For example, in Belgium, Facebook is challenging the Belgian court's decision in favour of the Belgian DPA against Facebook's tracking practices - the importance of this decision is explained in Privacy International's report on data Facebook receives from Apps. Similarly, Facebook is appealing the fine issued by the UK DPA, the ICO, in the wake of the Cambridge Analytica revelations.
Third, Facebook must address concerns of market dominance and related 'captive users'. It is ironic that Zuckerberg emphasises the importance of choice, innovation and competition - when Facebook has gobbled up services such as Instagram and Whatsapp, effectively limiting choice for users while ensuring their personal data can be harvested for Facebook's exploitation. How will Facebook deal with the findings of anti-competitive behaviour (for example, German antitrust and the recent UK Parliament DCMS Committee report)?
Fourth, on the use of data in elections and political campaigning, Facebook doesn't need to wait for more regulation to move faster and try harder. We agree with Mr Zuckerberg that current definitions and focus on candidates and elections are limited. There are important questions to be answered about how political campaigns use data and targeting. Yet Facebook has control over the back and front end - the way data is used and the adverts that people see. As a starting point, Facebook should increase the scope of their ads transparency efforts to extend beyond narrow definitions of what a political ad is. All ads have the potential to be political in nature and transparency efforts should acknowledge this. Facebook should also provide users with increased transparency with regards to why they are targeted with an ad or piece of content. The company recently announced improvements to this, but it's still not enough. Offering a proper Ad Archive API (such as suggested by Mozilla) to allow external reviews and analysis is yet another step Facebook could take to ensure more transparency and open its businesses practices to the public.
Fifth, high standards should be applied globally to address the picking and choosing of regulatory frameworks. Facebook should not be lowering their standards in a regulatory void just because they can.
We found this image here.