By: Linda Perkins
After ten hours of Congressional testimony, one thing is clear – there is growing bipartisan concern over data privacy and data protection in the US. In the wake of so many recent data breaches, and now the data harvesting scandal embroiling Facebook, lawmakers in both chambers of Congress are very concerned about data security. Apparently, so are their constituents, judging from just a few of the questions sent in and read into the record during testimony from Facebook CEO Mark Zuckerberg.
The challenge now is what to do about it.
As a first step, Mr. Zuckerberg agreed to testify before Congress this week and address concerns about Facebook’s data collection policies and the company’s involvement with an app developer who harvested user data from Facebook and later sold it to Cambridge Analytica for purposes of developing politically targeted ads. On April 10, Zuckerberg endured five hours of questioning during a joint hearing conducted by the Senate Judiciary and Commerce Committees. The next day, he sat for another five-hour round of questioning by the House Committee on Energy and Commerce.
Skeptics in both chambers questioned why companies such as Facebook should continue to be trusted to self-regulate in light of the risk and consequences for individuals. Zuckerberg agreed that some regulation is probably needed, but was short on details when asked for ideas. Instead, he repeatedly insisted that Facebook now provides clear account settings that allow users to completely control how their data is shared.
During both hearings, lawmakers questioned whether the US needs its own GDPR-style regulations. Several Representatives were prepared to follow up on Zuckerberg’s testimony from the day before by demanding more succinct responses to their questions. At first, Zuckerberg repeated assurances already offered during his Senate testimony, such as Facebook’s general promise to extend GDPR-required controls to US users.
But when pressed to state whether Facebook would also abide by GDPR restrictions imposed on data collectors, Zuckerberg wavered. These restrictions will severely limit what data can be collected as well as how long it can be retained. The EU data protection law also imposes stiff financial penalties, which Zuckerberg was also asked to consider as a more effective deterrent than the current environment of permissive self-regulation.
When asked if he would support the Consumer Data Protection Act, introduced in the Senate in December 2017 by Senator Robert Menendez (D-N.J.), or the “BROWSER” Act, introduced in the House in May 2017 by Representative Marsha Blackburn (R-TN), Zuckerberg was non-committal.
The hearings covered a wide range of topics, but the most pointed exchanges focused on Facebook’s recently admitted failure to protect user data. Members of the House Committee frequently pushed back when Zuckerberg resorted to prepared talking points, seeking instead yes-or-no answers. Signaling limited patience, many House Committee members began by pointing out the obvious. Given Facebook’s undisputed position as a global behemoth – with an estimated market value of $479 billion as of April 10 and over 2.2 billion active users worldwide – it is a very different company from the small website Zuckerberg founded in his Harvard dorm room, to which he frequently referred during his Congressional testimony. Others openly criticized Zuckerberg’s public apologies as almost insincere given similar apologies he has offered after previous mistakes managing his growing company.
Nevertheless, as he had the day before, Zuckerberg repeated his claim that Facebook users now have complete control over how their data is shared, by using account settings, opt-out features and the ability to delete their accounts. And while Zuckerberg further insisted that Facebook does not sell its data, it also became clear that data collected from its users is monetized and can become extremely valuable to the extent Facebook can use it to efficiently drive content and “relevant” ads to those users most interested in receiving certain content.
Zuckerberg admitted that many users probably do not fully read or understand terms of service agreements and that privacy settings should be easier to navigate and understand. Facebook has recently redesigned user controls for this reason and he repeatedly pointed out that users are also able to delete their accounts at any time, but offered no specifics as to how long it takes to actually purge user data from Facebook servers.
In the end, many in Congress expressed concern that users may not fully understand what data is collected, stored and at risk. Consequently, they questioned whether users are able to give informed consent for the online services they use and stressed that there are now compelling reasons for new regulations and laws to actively protect user data and privacy on their behalf.
Because there was no agreed-upon definition for what “data” includes, the accuracy of Facebook’s assertion that its users now have complete control over their data greatly depends on how one defines “data.” Indeed, while users are able to control content on their Facebook feeds through account settings, it is now abundantly clear that Facebook collects and retains a lot more information (and data) about users than the posted content on their user pages. What remains unclear, however, is the extent to which a Facebook user can control or delete data collected about them as well as data (including content) created by them.
In fact, Zuckerberg acknowledged during his testimony before the House Committee that Facebook collects user data on people who do not use Facebook or have Facebook accounts. The only way a non-user can delete data that Facebook has collected about them (ostensibly without their permission) is to first create a Facebook account, and then request that the account be deleted using the account settings. At that point, the non-user’s data merely becomes “inactive” or “inaccessible.” Actual deletion takes much longer.
During follow-up questioning by several House Committee members, it also became clear that Facebook tracks users even when they are not logged into their accounts. And, as discovered by one Congressional staffer, browser history data may or may not be included in the downloads now offered to users to review (and possibly delete) data that Facebook has collected about them.
If nothing else, Zuckerberg’s testimony before the House Committee has made clear that we all should pay more attention to the ubiquitous Facebook “Like” button present on many non-Facebook web pages. Why? Because we now know that Facebook likely collects data on any web page where its blue button appears.
Given the fact that so many businesses, across a wide range of industries, and their employees use computers and digital devices to conduct business, it may be time to also ask what data Facebook and other social media companies are collecting, retaining and possibly sharing about individuals not only as private consumers, but also as employees using a BYOD or employer-issued device.