FTC's Privacy Settlement With Facebook Gets Pretty Much Everything Backwards; Probably Helps Facebook
from the guys-come-on dept
So, as was leaked a couple of weeks ago, the FTC has now made its $5 billion settlement with Facebook official. There’s quite a bit that’s interesting in the stipulated order that is worth reading. I’m actually glad to see that this wasn’t just about Cambridge Analytica, where I think the “breach” issue was much less concrete. Instead, it does include a bunch of other very real violations by Facebook, including:
- Storing passwords in plaintext
- Using phone numbers that were provided for security (two-factor authentication) for advertising (a massively dangerous and stupid practice by Facebook)
- Its questionable use of facial recognition without consent
- Sucking up logins to other services.
Frankly, all of those are much more serious breaches than what happened with Cambridge Analytica.
Separately, as I discussed two weeks ago, if you’re mad at the size of the fine, you’re missing the point. This is, by far, the largest fine the FTC has ever issued, and goes way beyond anything that it’s done before. The real problem is that this is basically all that the FTC can do. That’s the only weapon it has and it’s never going to be enough because the FTC isn’t really set up to handle modern privacy questions like this — and that would require a new mandate from Congress. This is in Congress’s court.
That said, my bigger concern, as always, is that everyone’s obsession over “protecting privacy” is going to mean significantly less competition. I raised this issue last year, soon after everyone freaked out about Cambridge Analytica, noting that I feared what would happen is that Facebook would be driven to lock down everyone’s data rather than making it more accessible to third-party and competing services.
There are significant and important trade-offs here. For years now I’ve been talking about the real way to create more competition on the internet, and much of it involves pressuring the big internet companies into opening up. Have them create APIs that allow others to build services on top of their data so that we’re not so locked into the giant platforms. Enable more competition at the service level, rather than the data collection level.
But this agreement does the opposite. It is basically giving up and saying that the FTC and regulators now think that Facebook will be the dominant platform for ages, and therefore it needs to better police data and better lock it down. This is not a good solution (except if you’re Facebook). As former Facebook CSO Alex Stamos points out in a very thoughtful thread, while this is a slap on the wrist regarding Facebook’s problematic privacy practices, it actually helps stop future competition:
The real threat to the tech giants is competition, not regulation, and everybody is missing what really happened today: Facebook paid the FTC $5B for a letter that says “You never again have to create mechanisms that could facilitate competition.”
Facebook already has ~2.5B users. It has the world’s second largest ad network. It never again needs data from anybody else to make money or third parties to facilitate growth. This order doesn’t include the word competition or include any balancing tests. It’s fantastic for FB.
“You need to allow for 3rd party clients.”
Sorry, mean FTC won’t let us.
“Other companies can build on your graph.”
Sorry, mean FTC won’t let us.
“You need a real data export feature that allows users to move.”
Sorry, mean FTC won’t let us.
I can’t believe Facebook didn’t pay more for this. If the FTC offered to “order” Amazon to help consumers save money by offering house branded options in every top category, Bezos would leap across the table with a $10B check and a massive grin. This is a natural consequence of the shallow nature of the “techlash”. The US doesn’t have a substantive privacy law, and the FTC has to base work on what they consider unfair or misleading practices. If critics don’t understand the equities balance, they can’t balance equities. This isn’t binding on other companies, but it will be interesting to see if they use this as a reason to reduce APIs and favor their own apps. The data stolen and exported to the cloud (GPS, SMS, contacts, mail, calendar) from Android/iOS dwarfs SCL/CA.
This is part of the problem I keep trying to highlight. When your only focus is on punishing big tech companies like Facebook, be careful about how you do so, because there are so many important tradeoffs that, if you don’t pay attention to what you’re doing, all you really end up doing is locking them in as the dominant platforms.
And that’s really what’s happening there. Our lack of understanding about privacy or about data and “ownership” will lead people to a very dangerous place, where we make short term decisions — such as what happened here — that are focused on “punishing” one particular set of companies for one particular set of actions (many of which were really bad). But the end result is even worse. You’ve set up the system such that the only logical and reasonable way out of this bad situation is foreclosed.
The best way out of Facebook’s dominance is to have it give up total control over the data it collects. But, here, the FTC has done the reverse. It has given Facebook more control over the data it collects in the name of “protecting” privacy. This is backwards. Rather than saying that Facebook shouldn’t be the one protecting all that data, the FTC is just saying “protect it better, and don’t let any other service be allowed to come in and do anything.” And that includes the kinds of competitive services that are necessary to eat away at Facebook’s position.
I know a lot of people are mad the fine wasn’t larger, but the fine doesn’t matter. All that really matters is whether or not competitive services are enabled, and this agreement forecloses the best way to actually chip away at Facebook’s market position. And that’s the real shame.