Op-Ed Written By Congressman Jim Langevin
Facebook’s conduct with the underhanded campaign consultancy firm, Cambridge Analytica, has laid bare the limits of data protection law. Facebook users are the victims in this case – yet the company may only be liable under federal law if it also violated one of its written contracts with users. The innovations of the Information Age have outstripped the U.S. legal system’s protections for individual control over how our personal information is shared and used. It is time for that to change.
As the complexity of data sharing increases, so does the possibility that our information will be used in ways we never intended or authorized. Take the Facebook case. I challenge anyone to find a single one of the millions of affected users who provided information to Facebook with the expectation that Cambridge Analytica would use it to develop “psychographic” voting profiles for targeted political ads.
I fully expect the players in the Cambridge Analytica case to come before Congress to testify, which CEO Mark Zuckerberg is scheduled to do next week, and which I called for following news reports in The New York Times and The Sunday Observer. More transparency is essential for policymakers to fully grasp the implications of this incident, and Facebook owes its users and shareholders – both of which I am – a full accounting of its actions. However, the available reporting is enough to provide a framework to explore policy options for strengthening controls on data usage.
Facebook reportedly learned that Cambridge Analytica had acquired millions of users’ profiles two years ago. At the time, Facebook sent letters to Cambridge Analytica and an associated researcher insisting that they delete the information. However, two important things did not happen: Facebook did not positively verify disposal of the data through an audit, and no individuals were notified that their private information had been used in a way they had not authorized. There were no federal requirements that either happen, just trust in the parties involved. Having seen that trust doubly betrayed, we may need new law to impose rigorous notification and disposal requirements when users’ data is shared improperly.
Facebook has stated that it was a violation of their agreements with Aleksandr Kogan, the Cambridge University researcher who initially collected the data, for him to sell or license it to Cambridge Analytica. This defense misses the point that granting unfettered access to raw data makes it technically and legally difficult to enforce limitations on data usage and sharing. Facebook extended trust to the researcher, on behalf of its users and without their knowledge, that the data would be used and protected in accordance with its terms. Those terms also allowed apps like the one the researcher used to collect data not only about users who explicitly authorized the app to do so, but also about their friends. While Facebook revoked that policy in 2014, there remains no legal requirement that users directly consent to sharing.
Langevin represents Rhode Island’s 2nd District. He is co-chair of the Congressional Cybersecurity Caucus.