Before Facebook there was FaceMash. Mark Zuckerberg founded FaceMash in his Harvard dorm room in 2003 and Facebook a year later. According to the Harvard Crimson, FaceMash used “photos compiled from the online facebooks of nine [Harvard] Houses, placing two next to each other at a time and asking users to choose the ‘hotter’ person.” Once FaceMash had gone viral (at least by 2003 standards), the Harvard authorities stepped in, shut it down and charged Zuckerberg with breach of security, violating copyright, and violating individual privacy. The charges were later dropped.
Mark Zuckerberg remains proud of his hacker roots to this day.
Even now, Facebook’s campus is located at One Hacker Way. Zuckerberg may not run from these hacker roots, but what of the data privacy and security charges Harvard levied against him? Well, it seems that not much has changed in this regard either. In November 2018, Facebook revealed that it had exposed photos belonging to 6.8 million consumers to third-party app developers without permission. The next month, The New York Times revealed that Facebook had continued to share troves of personal information with some of the world’s largest corporations long after it had sworn to cut off access to the data. These are but two recent examples of Facebook’s difficult relationship with user privacy.
Facebook is not alone among its peer companies, but it is the poster child for Big Tech’s attitude toward privacy. Eric Schmidt of Google has displayed equal disdain for privacy in his public remarks, once famously saying: "We know where you are. We know where you've been. We can more or less know what you're thinking about." Sit on that one for a minute.
After years of a hands-off approach, there is a growing consensus among lawmakers that Big Tech must be reined in. But how? Most lawmakers now recognize that the nation’s privacy laws need to be modernized. Efforts are currently underway in the Senate Commerce Committee to craft legislation that would create a "one-size-fits-all" federal privacy standard for businesses, large and small.
Beyond privacy, a smaller group of lawmakers is calling for the break-up of internet platforms under the antitrust laws. Last week, a precedent-setting 48 states announced an investigation into Google, and the week before, a smaller group announced an investigation into Facebook. These investigations will take time, years even, and it may be challenging to build a case against Big Tech under current antitrust case law, but it’s a start.
Although these ongoing privacy and antitrust efforts are on separate tracks, there is a way to think about them in a joined-up way. The logic goes something like this: a one-size-fits-all-or-most approach to privacy is fine in theory but perhaps not in reality. The real-world harm that lawmakers are seeking to address in privacy legislation comes not from the whole economy but rather from a few dominant internet platforms and data brokers for whom data is not just important to the business model; it IS the business model. Not every website is Facebook. In fact, most websites just want to collect information so they can help customers complete a transaction or provide a service. Facebook does not want to deliver a product. For Facebook and other dominant internet platforms, consumers ARE the product. Privacy legislation should reflect this reality.
When looked at this way, the number of companies that could be deemed "privacy systemic actors" is actually quite small. In fact, we can count them on the fingers of one hand. The EU already does and refers to them as “the GAFA.” Rather than over-regulate the whole economy, a better approach for lawmakers is to ask what can be done with these systemic actors that, like the banks before them, are too big to fail and present a risk to society. Privacy legislation is one path. Antitrust is another. However, there might be a third way that appeals to conservatives. A targeted approach that merges privacy and antitrust without doing regulatory harm to the whole economy would be optimal. This approach would bifurcate privacy legislation for systemic actors versus privacy legislation for everyone else. Rather than a regulatory sledgehammer, it would use a scalpel.
Think about it: Unlike most websites, Big Tech systemic actors engage in day-to-day surveillance in order to amass personal data using our cell phones, our in-home smart devices, and our search history. Privacy legislation could be crafted to reflect this reality by defining this data or these methods of collection to be particularly risky. Similarly, legislation could give law enforcers heightened powers to police Big Tech by structuring enforcement fines and penalties as a percentage of revenues a company makes from privacy-invasive services. To counter Big Tech’s tendency to overshare user data with third parties like Cambridge Analytica, legislation could make the platform responsible, as the original data collector, for the third parties’ privacy compliance. These are just some of the ways in which lawmakers could take a bifurcated approach to privacy, using a scalpel and not a sledgehammer to go after the real harm to society caused by systemic actors and not Mom-and-Pop websites.
Before the summer break, the Senate Judiciary Committee held a hearing on “Understanding the Digital Advertising Ecosystem and the Impact of Data Privacy and Competition Policy.” At the hearing, senators grappled with both privacy and antitrust and how to apply both policy frameworks to Big Tech. The hearing laid a solid foundation for bifurcated privacy legislation along the lines discussed above. Work remains to be done, but legislation that reflects legitimate antitrust concerns as well as the privacy concerns regarding Big Tech may just be the path forward.