Authors: David Streitfeld, Natasha Singer and Steven Erlanger

Posted on: The New York Times | March 24th, 2018


SAN FRANCISCO — The contemporary internet was built on a bargain: Show us who you really are and the digital world will be free to search or share.

People detailed their interests and obsessions on Facebook and Google, generating a river of data that could be collected and harnessed for advertising. The companies became very rich. Users seemed happy. Privacy was deemed obsolete, like bloodletting and milkmen.

Now, the consumer surveillance model underlying Facebook and Google’s free services is under siege from users, regulators and legislators on both sides of the Atlantic. It amounts to a crisis for an internet industry that up until now had taken a reactive, whack-a-mole approach to problems like the spread of fraudulent news and misuse of personal data.

The recent revelation that Cambridge Analytica, a voter profiling company that had worked with Donald J. Trump’s presidential campaign, harvested data from 50 million Facebook users, raised the current uproar, even if the origins lie as far back as the 2016 election. It has been many months of allegations and arguments that the internet in general and social media in particular are pulling society down instead of lifting it up.

That has inspired a good deal of debate about more restrictive futures for Facebook and Google. At the furthest extreme, some dream of the companies becoming public utilities. More benign business models that depend less on ads and more on subscriptions have been proposed, although it’s unclear why either company would abandon something that has made them so prosperous.

Congress might pass targeted legislation to restrict consumer data use in specific sectors, such as a Senate bill that would require increased transparency in online political advertising, said Daniel J. Weitzner, director of the Internet Policy Research Initiative at the Massachusetts Institute of Technology.

There are other avenues still, said Jascha Kaykas-Wolff, the chief marketing officer of Mozilla, the nonprofit organization behind the popular Firefox browser, including advertisers and large tech platforms collecting vastly less user data and still effectively customizing ads to consumers.

“They are just collecting all the data to try to find magic growth algorithms,” Mr. Kaykas-Wolff said of online marketers. This past week, Mozilla halted its ads on Facebook, saying the social network’s default privacy settings allowed access to too much data.

The greatest likelihood is that the internet companies, frightened by the tumult, will accept a few more rules and work a little harder for transparency. And there will be hearings on Capitol Hill.

The next chapter is also set to play out not in Washington but in Europe, where regulators have already cracked down on privacy violations and are examining the role of data in online advertising.

The Cambridge Analytica case, said Vera Jourova, the European Union commissioner for justice, consumers and gender equality, was not just a breach of private data. “This is much more serious, because here we witness the threat to democracy, to democratic plurality,” she said.

Although many people had a general understanding that free online services used their personal details to customize the ads they saw, the latest controversy starkly exposed the machinery.

Consumers’ seemingly benign activities — their likes — could be used to covertly categorize and influence their behavior. And not just by unknown third parties. Facebook itself has worked directly with presidential campaigns on ad targeting, describing its services in a company case study as “influencing voters.”

“People are upset that their data may have been used to secretly influence 2016 voters,” said Alessandro Acquisti, a professor of information technology and public policy at Carnegie Mellon University. “If your personal information can help sway elections, which affects everyone’s life and societal well-being, maybe privacy does matter after all.”

In interviews, Mr. Zuckerberg and Sheryl Sandberg, Facebook’s chief operating officer, seemed to accept the possibility of increased privacy regulation, something that would have been unlikely only a few months ago. But some trade group executives also warned that any attempt to curb the use of consumer data would put the business model of the ad-supported internet at risk.

“You’re undermining a fundamental concept in advertising: reaching consumers who are interested in a particular product,” said Dean C. Garfield, chief executive of the Information Technology Industry Council, a trade group in Washington whose members include Amazon, Facebook, Google and Twitter.

If suspicion of Facebook and Google is a relatively new feeling in the United States, it has been embedded in Europe for historical and cultural reasons that date back to the Nazi Gestapo, the Soviet occupation of Eastern Europe and the Cold War.

“We’re at an inflection point, when the great wave of optimism about tech is giving way to growing alarm,” said Heather Grabbe, director of the Open Society European Policy Institute. “This is the moment when Europeans turn to the state for protection and answers, and are less likely than Americans to rely on the market to sort out imbalances.”

In May, the European Union is instituting a comprehensive new privacy law, called the General Data Protection Regulation. The new rules treat personal data as proprietary, owned by an individual, and any use of that data must be accompanied by permission — opting in rather than opting out — after receiving a request written in clear language, not legalese.

Mélanie Voin, a spokeswoman for the European Commission, said the protection rules will have more teeth than the current 1995 directive. For example, a company experiencing a data breach involving individuals must notify the data protection authority within 72 hours and would be subject to fines of up to 20 million euros or 4 percent of its annual revenue.

In a January speech in Brussels, Facebook’s Ms. Sandberg said, “We know we can’t just meet the G.D.P.R., but we need to do even more.” Google declined to comment.

The United States does not have a consumer privacy law like the General Data Protection Regulation. But after years of pushing for similar legislation, privacy groups said that recent events were giving them new momentum — and they were looking to Europe for inspiration.

“With the new European law, regulators for the first time have real enforcement tools,” said Jeffrey Chester, the executive director of the Center for Digital Democracy, a nonprofit group in Washington. “We now have a way to hold these companies accountable.”

But any ambitions for new rules may run into the realities of the tech industry.

Privacy advocates and even some United States regulators have long been concerned about the ability of online services to track consumers and make inferences about their financial status, health concerns and other intimate details to show them behavior-based ads. They warned that such microtargeting could unfairly categorize or exclude certain people.

In 2010, for instance, the Federal Trade Commission proposed a new option for consumers, called Do Not Track. Two years later, the Barack Obama administration introduced a blueprint for a Consumer Privacy Bill of Rights,intended to give Americans more control over what personal details companies collected from them and how the data was used.

But the Do Not Track effortand the privacy bill were both stymied.

Industry groups successfully argued that collecting personal details posed no harm to consumers and that efforts to hinder data collection would chill innovation. Instead, the advertising industry created a program to allow consumers to opt out of having their data used for customized ads, although it does not allow people to entirely opt out of having their data collected.

“If it can be shown that the current situation is actually a market failure and not an individual-company failure, then there’s a case to be made for federal regulation” under certain circumstances, said Randall Rothenberg, chief executive of the Interactive Advertising Bureau, a trade group.

The business practices of Facebook and Google were reinforced by the fact that no privacy flap lasted longer than a news cycle or two. Nor did people flee for other services. That convinced the companies that digital privacy was a dead issue.

If the current furor dies down without meaningful change, critics worry that the problems might become even more entrenched. When the tech industry follows its natural impulses, it becomes even less transparent.

That would hamper any long-term understanding of the relationship between social media and political views, an urgent question in Germany, Myanmar, Sri Lanka, the United States and many other places.

“To know the real interaction between populism and Facebook, you need to give much more access to researchers, not less,” said Paul-Jasper Dittrich, a German research fellow in digital economy at the Jacques Delors Institute.

There’s another reason Silicon Valley tends to be reluctant to share information about what it is doing. It believes so deeply in itself that it does not even think there is a need for discussion. The technology world’s remedy for any problem is always more technology.

“If Facebook and Google were merely interested in maximizing profits, we could regulate them,” said Maciej Ceglowski, who runs Tech Solidarity, a labor advocacy group. “But well-intentioned people can break things not easy to fix. It’s like a child running a bulldozer. They don’t have any sense of the damage they can do.”

David Streitfeld reported from San Francisco, Natasha Singer from New York and Steven Erlanger from Brussels. Milan Schreuer contributed research and reporting.

A version of this article appears in print on March 25, 2018, on Page A1 of the New York edition with the headline: Call for Privacy Hands a Crisis To Tech Giants.
Read at: