Members of Congress should press Mark Zuckerberg for the kind of details that will help them craft new privacy and other regulations.
Facebook CEO Mark Zuckerberg's appearances this week at congressional hearings delving into the Cambridge Analytica data scandal mark a crucial moment for the company, its users, and the broader public — and it's important that members of Congress use it wisely.
It has become increasingly clear that new regulations are essential to constrain the power of Facebook and the other giant tech firms, and to prevent the societal damage that abuse of their services can cause. In particular, the Cambridge Analytica debacle has highlighted the lack of — and need for — basic online and data privacy protections in the US.
But for policymakers to come up with new legislation, they need to better understand the scope of the problem. And to gain the momentum they need to push such rules through, they need to start making the case for them.
In both cases, Zuckerberg's appearances can help.
Here are some of the things members of Congress should ask him about as they're trying to understand Facebook's privacy problems and building the case for new privacy legislation.
Cambridge Analytica was able to get access to data on millions of Facebook users via an app designed by a university researcher. But that app was just one of thousands — perhaps even millions — that had access to users' data. It's clear from the app that leaked data to Cambridge Analytica that Facebook didn't keep close tabs on what developers did with that data once they gleaned it from the social network.
As one example, Facebook over the weekend suspended data analytics firm CubeYou for allegedly the same thing that happened in the Cambridge Analytica scandal — illegitimately passing along data gleaned from a Facebook app to a third party without the permission of users. But it only took that action after being notified about CubeYou by CNBC.
In a statement on his personal Facebook page, Zuckerberg said the company is now going back and investigating apps that had access to "large amounts" of user data and plans to do an audit of any app connected to "suspicious activity." Members of Congress should press Zuckerberg on what the company has found so far. If he demurs by saying that the investigation is only in its early stages, legislators should give him a deadline for disclosing what Facebook has found — the sooner the better.
But they should also try to get a better sense of the potential scope of the problem with Facebook apps. They ask Zuckerberg how many apps were created before 2014, when its rules changed; what kind of data they had access to; and how many users could potentially have had their data misused by them.
The Cambridge Analytica data leak affected up to 87 million Facebook users. But Zuckerberg last week revealed an even bigger data leak, at least in terms of numbers of people affected — malicious actors were able to use a search tool to download the public profile information of more than half of all Facebook users.
Congress should press Zuckerberg on how many people are affected by these and other potential data leaks. They also should get him to disclose what kinds of information was leaked about users.
Facebook users almost certainly had no idea that the information gleaned about them and their friends through a personality quiz app could be used to try to influence an election, as was reportedly the case in the Cambridge Analytica scandal. But Facebook and Zuckerberg almost certainly have an excellent idea of the value of the information the company has collected on its users — and how that data could be used, at least in concept.
The company has spent more than a decade collecting information on its users. It's also conducted experiments on its users to see how it can use what it knows about them to influence their thoughts or behaviors. It's spent years honing tools that allow its clients to finely target advertising messages to users. It's also been investigating how its services were abused by Russian-linked actors to spread propaganda during the 2016 US presidential election.
Members of Congress should press Zuckerberg on how the data collected about its users is already being used to target and influence them. And it should get him to talk about how that data could potentially be used in malicious ways.
The European Union's General Data Protection Regulation takes effect in May. Many privacy advocates look at the GDPR as a model for the kind of baseline privacy law the US sorely needs. The new law requires companies to protect consumer data and to get explicit and specific permission for all kinds of data-collection activities.
Facebook has said it will apply the rules globally, but said there will be some variation in how it adopts them in each country. Lawmakers should press Zuckerberg on what that means for US customers. They should get him to list the parts of GDPR Facebook won't honor for the US and explain why it won't.
Zuckerberg and Facebook's mantra is that the company is on a mission to connect the world. But the company's mission really has been to collect as much data as possible on users — and encourage them to share ever more information with their friends and, in turn, the company. The company monitors users' locations, keeps track of who they call or text, and monitors the content of their messages.
It would be interesting — and potentially eye-opening — to know if Zuckerberg thinks there is a bright line beyond which the company shouldn't go in its quest to profile users. Legislators should press him on whether there's any data that Facebook has declared off-limits, that it's barred its systems from collecting, or, on its own, has deleted from its systems. And they should ask why it has or hasn't set those limits.
Facebook's value to advertisers is that it allows them to aim their messages at users with a great deal of precision and accuracy. Marketers can target based on all kinds of information — users' location, interests, political beliefs and more. The more data Facebook collects, the more finely marketers can target their messages — and the more valuable its service.
Facebook and Zuckerberg have said this micro-targeting is part of the bargain they offer consumers; it allows the company to offer its service for free. They also portray it as a benefit to consumers; users see ads that are tailored just for them, rather ones that are meaningless to them. But it's not at all clear that consumers understand exactly what kinds of information Facebook has about them, what can be done with it — or who would have consented to that data-collection if they did.
The company has a new privacy page that's supposed to give users a better idea of the data it's collecting and what it's doing with it. But lawmakers should ask Zuckerberg for his definition of informed consent. They should also press him on what he thinks a privacy-friendly Facebook would look like — and how adherence to international privacy norms might affect its business model.