Facebook’s recent debacle with Cambridge Analytica may seem like just another in a long list of security incidents in which the personal data of millions of people is compromised at large websites. However, most of the reports we hear about other such data exposure events involve criminals breaking into websites by exploiting security vulnerabilities and stealing the data for often illicit purposes. But there’s something essentially different about Facebook and other social media sites like it. Unlike a bank or grocery store that has your data and applies a business model based on selling their products or services to customers, Facebook’s business model is reversed. Facebook makes their money by collecting revenue from advertisers.
This means that the primary metric for Facebook is really quite simple: eyeballs. If they can keep you on their platform looking at things that interest you, this means that they can sell more advertising and make more money. This business model, of course, has some well-known social effects. Their algorithms tend to show you things that you are more likely to read and interact with, keeping your eyeballs on the page and therefore on the advertisements. Sadly, however, it is often the most polarizing and outrageous posts that “rise” to the top of the screen. After all, those are the ones you are most likely to spend the most time interacting with and getting into heated exchanges over with your Facebook “friends.”
Additionally, the other side of the advertising business model requires convincing advertisers that they are getting through to likely customers. On Facebook, advertisers are able to better target you based on the data that Facebook collects. Thus, advertisers are willing to spend top dollar to get as much of your private information as they can. So, as the saying goes: “When it comes to Facebook and services like it, you are not the customer; you are the product.” And this reality changes the entire dynamic when it comes to data breaches. Keeping all of your data private is at some level detrimental to Facebook’s bottom line. The more data Facebook can collect and give to their advertisers, the better the advertisers are able to target you, and the more money Facebook can charge those advertisers. The incentive structure undermines Facebook’s interest in maintaining the privacy of your data—at least when Facebook is left to its own devices. So long as profit from advertisers is their primary motivation, there is no doubt that there must be some level of industry regulation if we have any expectation of Facebook adhering to good data privacy practices.
Given that, one might be left suspicious after watching Facebook CEO Mark Zuckerberg’s testimony at the recent Congressional hearings on the Cambridge Analytica scandal. Among his apologies and assurances that Facebook had learned from the incident and would do better in the future, Zuckerberg also told Congress that he would welcome privacy regulations from the legislature. Why would the CEO of a large corporation like Facebook encourage regulation of his own industry, particularly when keeping data private weighs negatively on their profit? One obvious reason that large corporations want regulations is to limit competition. If complicated regulations must be followed in order to participate in the industry, it is costlier for small new companies to enter the market, discouraging them from even trying and leaving only well-established players.
It could be argued that Facebook simply wants to cement its dominance in the social networking space by having privacy regulations introduced that only they can afford to follow. But Facebook does have a pretty secure spot in social networking now, and when smaller players have entered the market, Facebook has been known to acquire the companies and incorporate their technology into the Facebook platform. Given the potential profit downside, it seems unlikely that keeping their monopoly is the reason they would want regulation.
Instead, I suspect the reasons for wanting regulations are even more nefarious. When it comes to data privacy, companies like Facebook are exposed to potential civil liability if data about their users gets into the wrong hands. There is no doubt that getting sued is a big potential downside to a company’s profits. However, if the legislature or some executive agency crafts some regulations with specific data privacy requirements, a company that follows the letter of the law will be able to say, “We followed the regulation precisely. We shouldn’t be held liable for things that the law did not explicitly forbid.” And if a company is able to lobby the legislature or the agency that develops the regulations, they have at least some measure of control over how stringent those regulations will be. In his testimony, Zuckerberg had the following exchange with Senator Lindsey Graham:
GRAHAM: You embrace regulation?
ZUCKERBERG: I think the real question, as the Internet becomes more important in people’s lives, is what is the right regulation, not whether there should be or not.
GRAHAM: But—but you, as a company, welcome regulation?
ZUCKERBERG: I think, if it’s the right regulation, then yes.
GRAHAM: You think the Europeans had it right?
ZUCKERBERG: I think that they get things right.
GRAHAM: Have you ever submitted … That’s true. So would you work with us in terms of what regulations you think are necessary in your industry?
GRAHAM: Okay. Would you submit to us some proposed regulations?
ZUCKERBERG: Yes. And I’ll have my team follow up with you so, that way, we can have this discussion across the different categories where I think that this discussion needs to happen.
Notice Zuckerberg’s less-than-enthusiastic comment about the European regulation, the General Data Protection Regulation (GDPR). There’s no doubt that the GDPR was primarily designed to address concerns raised by the practices of social media companies like Facebook. It is true that under GDPR even banks and retail businesses must improve their data storage practices to protect customers’ privacy. But for Facebook and its ilk, the GDPR not only clamps down on bad storage practices, it also constrains the companies’ ability to elicit and market user data to their advertisers. A decline in revenues is a likely outcome.
Alternatively, if Facebook has a strong hand in the design of regulation, it is doubtful that constraints on the collection and selling of user data would be forthcoming. As Zuckerberg’s comments make clear, he is willing to work with Congress on regulation but only on “the right regulation.”
Ironically, then, Zuckerberg’s self-serving comments point to the greater wisdom of modeling our privacy regulations on the GDPR, making them as stringent as the European approach, if not more so.
Pete Resnick worked for 24 years as an Internet software engineer and continues to work on Internet protocol standards at the Internet Engineering Task Force. He served on the U-C Big Broadband (UC2B) Board and continues to serve on the Urbana Human Relations Commission and as a board member of Urbana’s Rape Advocacy Counseling and Education Services.