The FTC Unfriends Facebook

 

While Facebook thrives in the marketplace, the company is under siege by angry critics both inside and outside of government over privacy issues. The Federal Trade Commission (FTC) claims that Facebook violated its 2011 privacy consent decree and may impose a fine on the company of up to $5 billion. The FTC alleges that Facebook did not do enough to protect user data from being improperly exploited by Cambridge Analytica, which used that data to supply strategy advice to the Trump campaign.

In one sense, the fine is the least of Facebook’s worries; other initiatives are in development to alter the way the company does business. With her usual lack of caution, Senator Elizabeth Warren has called for the breakup of Facebook, Amazon, and Google on the ground that their allegedly monopolistic practices tend to squash smaller upstarts, leading to what she laments as a rapid decline in competition and innovation across an industry that has been defined by fierce competition and high levels of innovation. Warren doubled down on her position by recently unveiling a new bill imposing criminal liability—including jail time—on corporate executives for simple negligence in carrying out their manifold duties.

Piling on, Rhode Island’s David Cicilline, who chairs the House Subcommittee on Antitrust, Commercial and Administrative Law, has called for aggressive FTC investigation and antitrust remedies against Facebook. On the Senate side, Ron Wyden of Oregon wrote the FTC urging the direct imposition of fines against Mark Zuckerberg personally. There are other efforts like these afoot in many states and in the European Union.

Yet, as this war continues, Facebook’s stock maintains its high market value and is up 41% year-to-date. Indeed, Facebook, sensing the inevitable, has already accounted for a fine on its books, only to see investors bid up the price of its shares by 9 percent in after-hours trading. That market assessment is instructive because it predicts that Facebook’s platforms, including the highly profitable Instagram, will continue to attract and retain users in the months and years ahead, notwithstanding public knowledge of its allegedly porous privacy policies. That rise in market price is indirect but powerful evidence that many of Facebook’s users are not concerned with any flaws in the company’s business model. The remainder are probably banking on two factors. The first is their own ability to take defensive measures by limiting the kinds of information they place on the site. The second is the additional protections that Facebook has incorporated since the Cambridge Analytica data breach. In sum, Facebook users are looking forward, not backward.

In most discussions of the legal issues, Facebook’s liability under the terms of the consent decree is treated as a self-evident proposition. But a careful review of the key provisions of the decree when set against the Cambridge Analytica fiasco shows that the FTC’s case is more tenuous than conventional wisdom holds. The basic objective of the 2011 decree was to prevent, with the consent of the individual user, disclosure to third parties of “covered information”—i.e., personal information about users, including “nonpublic user information” that “is restricted by one or more privacy settings.” The key provision is Article II, which states that Facebook had to “clearly and prominently disclose” its intent to share designated nonpublic information “prior to any sharing of a user’s nonpublic information by [Facebook] with any third party[.]”

The key word in Article II is “sharing,” which, given its ordinary meaning, means that Facebook has taken the information in question and has itself or through its agents supplied that information to some person not otherwise entitled to receive it. The limited scope of the prohibition makes perfectly good sense because Facebook can well organize its own internal affairs to block its agents from making the forbidden disclosures, and, when such measures break down, institute corrective actions post-breach to control the damage.

The prohibitions contained in Article II do not reach, however, the related risk that a third party might deceitfully steal data from the overall system. Article IV addresses this issue by ordering Facebook to “maintain a comprehensive privacy program” with two key objectives: To design its new and existing products in ways that are likely to secure that information, and to take steps “to protect the privacy and confidentiality of covered information” by “the identification of reasonably foreseeable, material risks, both internal and external, that could result in Respondent’s unauthorized collection, use or disclosure of covered information[.]”

The appropriate plan in question is covered by an extensive verification program that uses independent, outside investigation to confirm that Facebook remains in compliance with the requirements of the consent decree. There seems to be no charges prior to the current situation that Facebook was not in compliance with any of the protective obligations imposed by Article IV. Nor does the 2011 decree contain, it should be stressed, any explicit remedies, including any schedule of fines, to deal with instances of breach.

The difficulty with the FTC’s case is that its allegations regarding the Cambridge Analytica breach do not seem to fall neatly into Facebook’s obligations under Article II or Article IV. Every account of the Cambridge Analytica story makes it painfully clear that the company was shut down because of its extensive willful misconduct. But it is critical to note, as Vox reports, the nature of its wrongs: “In March, the New York Times and Observer reported that Cambridge obtained private Facebook data—specifically, information on tens of millions of Facebook profiles—from an outside researcher who provided it to them in violation of his own agreement with Facebook.” It appears that Cambridge Analytica stated in its original solicitation that it would only collect data for academic purposes. It then was able to get many people to sign up to the program, after which the company used the app to collect data not only from those who consented, but also from their Facebook friends who had not consented.

At this point, it seems clear that Facebook itself had a strong, if useless, legal remedy against Cambridge Analytica and said outside researcher for the losses it suffered because of their misappropriation of data. Those losses should cover the substantial reputational hit that comes with the entire scandal as well as any financial losses that flow to Facebook by virtue of the scandal. At the same time, the interposition of two actors—the outside researcher and Cambridge Analytica—goes a long way to insulate Facebook from responsibility under the 2011 consent decree. As regards Article II, it would be odd to say that Facebook engaged in the “sharing” of data taken from it against its will. It is also difficult to make out a charge against Facebook under Article IV. Critically, the decree does not hold Facebook strictly liable in the event that its defenses against third party misappropriation have been breached. Its program was obligated, in the words of Article IV, to be “reasonably designed” to address the privacy risks, “appropriate to [Facebook’s] size and complexity, the nature and scope of [Facebook], and the sensitivity of the covered information[.]”

This section would be an important source of liability if there were some allegation that either Facebook or its external examiner knew of this particular risk of wholesale misappropriation. But the accounts thus far have stressed the decision of Facebook not to invest sufficiently in settings that might have prevented the collection and use of this data, until the entire matter blew up in March 2018 with the revelations of a whistleblower, Christopher Wylie, about how Cambridge Analytica collected the information.

Finally, in addition to the weaknesses in the government’s theory, the computation of the fine cannot be based on the 2011 consent decree. The current thinking runs as follows: “If the company’s found to have violated the agreement, it could face penalties of up to $40,000 per user per day, which could in theory add up to billions, if not trillions of dollars.”

These numbers just do not add up. It would be foolish to insist that the FTC could not find some areas of specific negligence in Facebook’s procedures since the 2011 decree that may well constitute independent grounds for imposing a fine under the FTC’s general oversight authority. But that fine should be a tiny fraction of the commonly cited $5 billion figure, because the stated amount of daily damage to individual users, which works out to $14.6 million per user per year, is at least several thousand times any actual (and unspecified) loss. There is no deterrence or retributive rationale that supports the penalties so imposed. One wonders whether the fine would be the same if Cambridge Analytica worked for the Clinton campaign?

Notwithstanding this egregious inflation of damages, apparently, Facebook has decided to throw in the towel on contesting the size of the fine, but its acquiescence has to be in large measure strategic, for the real risk lies in so-called structural remedies. Facebook is a networked firm whose value to users depends on the number of other like-minded individuals accessible on the platform. Break it into constituent companies and its user value is likely to go down. Yet, ironically, the privacy risks from unauthorized data breaches will be at least as large, and perhaps greater, given that smaller firms are likely to have fewer funds to invest in security. The market demand for privacy remains, and, as is so often the case, the best fixes come from technology that can be constantly adjusted and improved, and not from the dangerous overreach of the half-baked legal proposals so much in vogue today.

© 2019 by the Board of Trustees of Leland Stanford Junior University

Published in Law, Technology
Tags: ,

Like this post? Want to comment? Join Ricochet’s community of conservatives and be part of the conversation. Join Ricochet for Free.

There are 12 comments.

Become a member to join the conversation. Or sign in if you're already a member.
  1. EtCarter Member
    EtCarter
    @

    Well, at least Facebook is still loved by intel-agencies hostile to the U.S.A., U.K., and the E.U., yknow?

    • #1
  2. Clifford A. Brown Member
    Clifford A. Brown
    @CliffordBrown

    Is not the EU likely to be far more dangerous to Zuckerberg’s billions than the FTC?

    • #2
  3. Stina Inactive
    Stina
    @CM

    Two things:

    1) why isn’t the sharing of private information with the Obama campaign mentioned and

    2) how does something like facebook have any value if they can’t sell personal data?

    • #3
  4. cdor Member
    cdor
    @cdor

    I’m confused. Is the lesson just the same as always–help Trump succeed and you are in trouble? I really do not understand the compelling need some people have to put their most private thoughts and information on a public platform. Are there verifiable acts of aggression from Facebook, Google, and Amazon showing them crushing any potential competition? Or are they just so good nobody can compete?

    • #4
  5. Jon1979 Inactive
    Jon1979
    @Jon1979

    Stina (View Comment):

    Two things:

    1) why isn’t the sharing of private information with the Obama campaign mentioned and

    2) how does something like facebook have any value if they can’t sell personal data?

    Team Obama and the media in general did a victory lap, high-fives and fist-bumps over their collective cleverness at using Facebook to target possible Obama voters during the 2012 election cycle, which all tied into the overall hubris on the left that they had found the Rosetta Stone (or stones) in securing their Permanent Electoral College Majority. Just as the changing demographics of the nation were going to give the Democrats about 240-250 electoral votes going into every election, where all they’d have to to is campaign and win 1-2 swing states each year, their inherent mental superiority in the world of high tech would mean they had mastery of the world of targeting voters on social media, and that the operators of those same social media sites would help things along, they being on the side of all that is just and true.

    That things didn’t turn out that way led to the current wrath against those same social media sites, by costing them their protection from attack (Zuckerberg already was the least-favored of the big tech guys after “The Social Network” and Aaron Sorkin’s ensuing movie, but Twitter’s also in the barrel now because while its operators lean left, their most famous user is Donald Trump). But the thing is while those on  the left are talking break-ups and high fines, they’re not talking removing the social media outlets ability to claim to be common carriers like the phone company while at the same time maintaining the right to delete posts or remove users over content the companies don’t like. If anything, that’s where the reform should be, so they don’t get to play editor while at the same time being immune from libel/slander lawsuits, if Person A gets banned while Person B says anything they want.

     

    • #5
  6. Keith Rice Inactive
    Keith Rice
    @KeithRice

    While the Cambridge Analytica abuses have been made public you have to wonder how many times Facebook sold user information.

     

    • #6
  7. EtCarter Member
    EtCarter
    @

    Clifford A. Brown (View Comment):

    Is not the EU likely to be far more dangerous to Zuckerberg’s billions than the FTC?

    I believe you are correct, sir: the EU can put the screws to outfits like Facebook in ways the US shivers at. Zuck will likely  need Miracle Max when European 6-fingered men are done with facebook.

    • #7
  8. Jules PA Inactive
    Jules PA
    @JulesPA

    Richard Epstein: One wonders whether the fine would be the same if Cambridge Analytica worked for the Clinton campaign?

    T.H.I.S.

    • #8
  9. TBA Coolidge
    TBA
    @RobtGilsdorf

    Stina (View Comment):

    Two things:

    1) why isn’t the sharing of private information with the Obama campaign mentioned and

    2) how does something like facebook have any value if they can’t sell personal data?

    1. Well, that was for the greater good, so, you know, What Difference Does It Make?™ 
    • #9
  10. Duane Oyen Member
    Duane Oyen
    @DuaneOyen

    Amazon has competition and has reached its market position fairly- to go after them would be nothing other than decreeing that success in the Us will be penalized.

    There are lots of alternatives to Google.  Use Bing or DuckDuckGo.  Everyone.  Starting now.

    Facebook deserves and has earned the ire it faces.  There are lots of ways to knock them down a peg without destroying them- ask Sen. Hawley.

    • #10
  11. Chris Campion Coolidge
    Chris Campion
    @ChrisCampion

    I’m confused.  Are big corporations evil or not?  Because in 2012, they were amazing and fantastic!  And in 2019, now they’re evil.

    What’s changed?

    • #11
  12. EtCarter Member
    EtCarter
    @

    Chris Campion (View Comment):

    I’m confused. Are big corporations evil or not? Because in 2012, they were amazing and fantastic! And in 2019, now they’re evil.

    What’s changed?

    Sorry, Dude.Ya gotta keep up. I’m thinking evil again 

    • #12
Become a member to join the conversation. Or sign in if you're already a member.