It seemed as though, after years of privacy scandals, Facebook had finally gotten the message. After its founder hinted at a shift to a privacy-oriented model in a blog post earlier this year, the company elaborated at F8 last week by unveiling its new look, FB5, that includes features such as encryption, reduced permanence and secure data storage.
This might sound promising — but it’s not yet time to let Facebook off the hook. If the recent announcement that Facebook stored hundreds of millions of users’ passwords in plaintext for years is any indication, Facebook’s external reorientation has a lot of work to do to make up for its ongoing internal privacy failures.
Facebook already has a wealth of personal data on you, far beyond phone numbers, message content or photographs. New ID Experts research is showing that the platform’s users – as many as 68% of them – aren’t happy with that fact. Additionally, The Wall Street Journal revealed that the social media giant may have data as personal as your weight, your menstrual cycle, your blood pressure or the budget range for your home purchase.
The immediate question, of course, is how did they get this information in the first place? The answer is that many apps use software-development kits (SDKs) that process the data a user gives in order to offer the promised, optimized features of the app. Unfortunately, the information you give to the app is often transferred to the company that created the SDK that the app uses – and thousands of apps use Facebook’s SDK.
Thankfully, several of the companies mentioned in the Journal’s original story quickly sent out software updates that ensure that the apps no longer give sensitive data to Facebook. Facebook likewise started doing damage control, promising to develop systems so that it won’t receive or retain sensitive data transmitted via apps.
Still, for far too long, we’ve taken the promises of Facebook to self-regulate at face value. Despite the seeming promise of these new announcements, we cannot afford to do so again. I have always believed in and supported self-regulation. However, when a company’s behavior is so directed by the business model, self-regulation appears to be a very low priority. In competitive markets, actions and product features not in the best interests of consumers – or even harmful to consumers – can be regulated by alternative market choices.
Short of billions of people turning off these apps, there exist few, if any, alternatives. It shouldn’t take another data privacy scandal to move us to action. Our federal leaders must take a stand and craft legislation to defend consumer privacy.
Admittedly, doing so will be no easy task. Social media goliaths like Facebook and Google have deep pockets and incredible power in Washington. But that doesn’t mean regulation isn’t possible. Consider tobacco: When President John F. Kennedy’s surgeon general, Dr. Luther L. Terry, released a report that publicized the link between tobacco and cancer, the public – and legislators – were spurred to action. Just over a year after the publication of the report, Congress passed the Federal Cigarette Labeling and Advertising Act of 1965, which required cigarette companies to post a warning on cigarette packages.
We must take a similar approach to online giants like Facebook. Consumers have a right to know exactly what information is being taken from them and how it is being used. What’s more, this knowledge must be clearly laid out in plain language, not crammed at the bottom of a pages-long, densely worded terms and usage agreement. If Congress asks for anything less, it will be a failure to defend the privacy of American citizens.
Fortunately, we have several solid models on which to base legislation. Although the EU’s General Data Protection Regulation (GDPR) has not been enacted without problems, it has at least forced companies of all kinds to reconsider and rework their data collection policies. Closer to home, California has recently made moves to make its data breach notification laws more stringent, so that companies must inform consumers when biometric or passport data has been compromised.
Additionally, many tech leaders are starting to recognize the problems of their business models and offer advice on what can be done to strengthen consumer privacy protections. At Davos last year, Salesforce CEO Marc Benioff drew a comparison between social media and cigarettes. Apple CEO Tim Cook penned an op-ed in Time requesting “comprehensive federal privacy regulation.” And early Facebook adviser Roger McNamee has said Facebook needs to change its business model to win back user trust.
Technology is critical to our economy and our global leadership. If we want to craft legislation that balances protecting consumers with preserving economic growth, we’ll need input from figures like these.
Consumers absolutely have the right to share information via these platforms. They offer all kinds of conveniences and benefits, from connecting with relatives, friends and potential business partners to tracking helpful information about our health and our preferences. These new feature updates from Facebook reinforce the value that many find in the platform. But without true, demonstrated change on the part of Facebook, use without full and complete knowledge of the risks is nothing short of abuse. By making privacy legislation a priority, our federal leaders can help create a data ecosystem where privacy and prosperity work together.
Thomas F. Kelly is president and CEO of ID Experts, a Portland, Oregon-based provider of data breach and identity protection services. He is a Silicon Valley serial entrepreneur and an expert in cybersecurity.