Georgetown Law
Technology Review

Amidst allegations that Cambridge Analytica used the personal data of millions of Facebook users to target voters and help sway the 2016 U.S. presidential election,1See generally Kevin Granville, Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens, N.Y. TIMES (Mar. 19, 2018), https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html. public spotlight is on the data management practices of social media platforms—particularly the transfer of data between the platform and third parties.

Collaboration between social media platforms and outside entities is not new. For example, Facebook used to offer to advertisers a platform feature called “Partner Categories,” which breaks down Facebook users into descriptive groups—such as “buyers of children’s cereals”2Ingrid Lunden, Facebook Launches Partner Categories, 500+ Generic Profiles to Target Ads Better, with Data from Datalogix, Epsilon, Acxiom, TechCrunch (Apr. 10, 2013), https://techcrunch.com/2013/04/10/facebook-launches-partner-categories-500-profiles-to-target-ads-better-on-mobile-and-desktop-using-data-from-datalogix-epsilon-and-axciom/. or “soda drinkers.”3Taylor Hatmaker, Facebook Will Cut Off Access to Third Party Data for Ad Targeting, TECHCRUNCH (Mar. 28, 2018), https://techcrunch.com/2018/03/28/facebook-will-cut-off-access-to-third-party-data-for-ad-targeting/. Grouping users by common characteristics helps advertisers target a particular consumer base and serve relevant ads.4Id. To identify a user’s characteristics, Facebook purchases outside information on its users from third-party data providers such as “Datalogix, Epsilon, Acxiom, and BlueKai.”5Id. Third-party data providers collect bits of information people leave behind on the internet, such as webpage visits or purchase history. Data providers then piece the bits together to form more useful information, such as a person’s demographics and personal tastes.6See generally Jack Simpson, What Are First-, Second- and Third-Party Data?, ECONSULTANCY (Mar. 24, 2016), https://econsultancy.com/blog/67674-what-are-first-second-and-third-party-data. Social media platforms supplement in-house user information with information from third-party data providers to enhance the platform’s ad-targeting ability. Such relationships are “common industry practice” for social media platforms.7Hatmaker, supra note 3.

The public is now curious about what other common industry practices Facebook engages in, and whether such practices should remain common. Recently, Facebook suspended its relationship with an outside political consulting firm Cambridge Analytica who obtained Facebook user information without permission.8Jonathan Shieber, Facebook Suspends Cambridge Analytica, the Data Analysis Firm that Worked on the Trump Campaign, TECHCRUNCH (Mar. 16, 2018), https://techcrunch.com/2018/03/16/facebook-suspends-cambridge-analytica-the-data-analysis-firm-that-worked-for-the-trump-campaign/. While Facebook prohibits the sale or transfer of user data “to any ad network, data broker or other advertising or monetization-related service,”9Granville, supra note 1.  Facebook generally allows access to user data for academic research.10Id.User information left Facebook’s hands through this otherwise legitimate channel, only to arrive in Cambridge Analytica’s possession in the end.11Id. Cambridge Analytica allegedly used the obtained personal user information to provide useful electorate information for the Trump campaign,12Issie Lapowsky, What Did Cambridge Analytica Really Do for Trump’s Campaign?, WIRED (Oct. 26, 2018), https://www.wired.com/story/what-did-cambridge-analytica-really-do-for-trumps-campaign/. raising additional questions about whether such relationships jeopardize democracy in America.

Revelations about the relationship between Facebook and Cambridge Analytica sparked a bipartisan interest to inquire after internet companies—something that does not happen often on the hill. On April 10 and 11, Facebook CEO Mark Zuckerberg testified before an inquisitive Congress who sought answers on the Cambridge Analytica incident and just how much control users have over their personal information.13Dustin Volz & David Ingram, Facebook’s Zuckerberg Unscathed by Congressional Grilling, Stock Rises, REUTERS (April 11, 2018), https://www.reuters.com/article/us-facebook-privacy-zuckerberg/facebooks-zuckerberg-unscathed-by-congressional-grilling-stock-rises-idUSKBN1HI1CJ. Among the many “sensitive” questions Zuckerberg parried was whether a non-Facebook member can remove their personal data possessed by Facebook, and if so how.14Id. When asked whether Facebook has a monopoly in the industry, the CEO replied that it “doesn’t feel like that” to him.15Transcript of Mark Zuckerberg’s Senate Hearing, WASH. POST (Apr. 10, 2018), https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hearing/?utm_term=.9e9934c1a3ad.

To the question of a new privacy bill that will check platforms like Facebook, Zuckerberg noted a need for it, but otherwise avoided commenting on the details.16Volz & Ingram, supra note 13. Members of Congress recognize the critical role that Facebook plays in our society and are seeking to “explore approaches to privacy that satisfy consumer expectations while encouraging innovation.”17Mallory Locklear, Mark Zuckerberg Will Testify at a Joint Senate Hearing on April 10^th, ENGADGET (Apr. 6, 2018), https://www.engadget.com/2018/04/06/zuckerberg-testify-joint-senate-hearing-april-10/. Whether the spirit will be channeled into an actual bill protecting people’s privacy online will depend on overcoming Silicon Valley’s powerful lobbying presence on the hill. To put it in context, Google, Apple, Facebook, and Amazon together spent $49.7 million on direct lobbying alone in 2017.18Kang, Kaplan & Fandos, Knowledge Gap Hinders Ability of Congress to Regulate Silicon Valley, N.Y. TIMES (Apr. 12, 2018), https://www.nytimes.com/2018/04/12/business/congress-facebook-regulation.html. Coupled with the apparent dearth of technological knowledge on the hill,19Id. a consensus on new privacy law—which has not happened since 200920Alvaro M. Bedoya, Why Silicon Valley Lobbyists Love Big, Broad Privacy Bills, N.Y. TIMES (Apr. 11, 2018), https://www.nytimes.com/2018/04/11/opinion/silicon-valley-lobbyists-privacy.html.—will not be easy.

Meanwhile, privacy on the internet remains in jeopardy. With new allegations that Cambridge Analytica planned to launch its own cryptocurrency through which sale of personal data would be facilitated,21Nathaniel Popper & Nicholas Confessore, Inside Cambridge Analytica’s Virtual Currency Plans, N.Y. TIMES (Apr. 17, 2018), https://www.nytimes.com/2018/04/17/technology/cambridge-analytica-initial-coin-offering.html. users need greater control over their personal data more than ever. Such greater control needs to reflect the expectations users have when they use a platform. Judging by how much the internet has come to evolve in the presence of participants with pecuniary and political motives, trustees of user information online face a looming responsibility to deliver the privacy and security users want and need.