Facebook, Cambridge Analytica and Why Your Data is Still for Sale
June 7, 2018
The Location Privacy Protection Act should have been an easy bill to pass.
First introduced by Senator Al Franken in 2011, the bill companies from collecting or disclosing location information from a device without a user’s consent. It sought to undermine so-called “stalking apps” such as SPYERA and FlexiSpy, that allowed users to install software on someone’s phone without their knowledge and track their location. In , Sen. Franken shared an example of how this software had been used against victims of domestic abuse:
“This victim had decided to get help, and so she went to a domestic violence program located in a county building. She got to the building, and within five minutes, she got a text from her abuser asking her why she was in the county building. The woman was terrified, and so an advocate took her to the courthouse to get a restraining order. As soon as she filed for the order, she got a second text from her abuser asking her why she was at the courthouse and whether she was getting a restraining order against him. They later figured out that she was being tracked through a stalking app installed in her phone.”
The tech industry saw the bill in a different light. Industry groups expressed concerns about the impact on the development of location-based services, given the bill also required companies to get customer consent before sharing location information with third parties. They for self-regulation. 54 organizations lobbied the bill, including Google, Facebook, Microsoft, eBay and wireless communications industry group CTIA.
The Location Privacy Protection Act isn’t unique when it comes to opposition from the tech industry. The United States has taken a light-touch approach to regulating data privacy, largely due to the concern of stifling innovation. That hesitation seems to have only grown as the tech industry in the US became one of the country’s biggest economic exports: Five of the most valuable companies in the world include , , , and .
In the meantime, consumer privacy bills have been introduced to Congress over the past decade, but there hasn’t been a major data privacy law passed at the federal level since 2009.
When Cambridge Analytica came to light, the conversation around privacy and data protection changed dramatically. Public in Facebook plummeted, while lawmakers and even CEO Mark Zuckerberg the growing need for regulation. At the same time, the European Union’s General Data Protection Regulation (GDPR) became enforceable , and its regulatory repercussions will soon hit US shores. The omnibus bill the use of all EU citizens’ data, even if the company using the data is outside the EU. Some have speculated that Facebook for Cambridge Analytica’s misuse of data under GDPR’s comprehensive rules.
As the fallout from Cambridge Analytica continues and Europe makes a major legislative step forward with the GDPR, there is the need for deeper conversation around data privacy in the US. Why has the US stagnated on data privacy laws since 2009?
There are a number of reasons that range from the US value of private enterprise, historical approach to data privacy laws and the meteoric growth of the tech sector. But there’s one factor that could stall legislation beyond the current crisis: The tech industry’s massive lobbying power.
Tech industry lobbying has ballooned over the last decade. , , and spent nearly $50 million on lobbying efforts combined in 2017, according to data from the nonpartisan nonprofit MapLight Foundation. It’s the most that any of those companies have spent on lobbying in a single year, and over six times what they spent combined in 2009. The increase comes at a time when promising new technologies, including artificial intelligence, automated cars and machine learning are developing faster than ever. Slowing down that innovation could have serious consequences for their bottom line.
“All those companies, their livelihood and future depend tremendously on what the US government and other governments do in terms of tax policy, trade policy, labor policy, consumer rights policy and privacy,” said Robert McChesney, professor of communication at University of Illinois at Urbana-Champaign and author of the book Digital Disconnect: How Capitalism is Turning the Internet Against Democracy. “These are all government laws and policies that will determine whether a company is exceptionally profitable or whether it doesn’t exist.”
Many industries spend significantly to fight for friendly policy. But the tech industry’s appeal to both sides of the aisle and their financial ability to fund a defense against any bill of their choosing paints an uncertain picture of data privacy laws in the US moving forward.
When the US and Europe diverged
The US hasn’t always lagged on privacy regulation. The US actually created the framework that underpins privacy regulations around the world today. In the early 1970s, a Senate advisory committee created a code for automated personal data systems called the Fair Information Practices (FIPs), a set of principles for business and government entities that collect, use and disclose personal information. This laid the groundwork for the US’ first comprehensive data privacy law, the 1974, which governs the use of personal data stored on federal government databases. The FIPs the OECD’s established in 1980 as well as the in 1995, the precursor to GDPR.
However, given the FIPs were a set of principles and not legislation, the way data privacy laws developed was largely dependent on the values of different societies. In Europe, where data privacy and protection is considered a in the chilling way the Nazis used databases to track and target Jews and other minority groups during World War II, more comprehensive and consumer-oriented legislation was successful. Whereas in the US, where a high value is placed on and individual freedoms, a sectoral approach that attempted to the benefits of commercial activity and protection of individual privacy developed instead.
“The United States is a very free-market pro-capitalist society, that has really impacted how we think about privacy,” said Joe Jerome, policy counsel for data and privacy at the Center for Democracy and Technology.
The sectoral model governs through a combination of legislation, regulation and self-regulation, only passing laws for specific industries: Health data is protected by , for example, while data of children under 13 is protected under . This has resulted in a patchwork quilt of laws at the federal and state level, without baseline legislation that applies to all data. This approach allows for finely tailored laws with different levels of protection depending on the sensitivity of data, said Ellen Goodman, a professor of law at Rutgers University and cofounder of the Rutgers Institute for Information Policy and Law. But as big data increasingly blurs the lines between sectors, this approach is getting pushback.
“Inconsistent regimes create a lot of loopholes between laws,” Goodman said. “Another con is that there are large swaths of data that aren’t covered by anything.”
Corporate lobbying booms—and tech companies take notice
While data privacy laws were developing around the world, the power of corporate lobbying in the US was beginning to take hold. Businesses expanding their lobbying efforts in the 1970s in response to heavy regulation in the 1960s. The culture continued to flourish and build upon itself even when the political environment favored small government, as corporations became more confident in their ability to affect outcomes, according to by Lee Drutman, senior fellow in the political reform program at New America. This culture continues today: was spent on lobbying in 2017.
At first, tech companies weren’t a part of this growing movement. The early days of the internet were driven by a that eschewed government interference and trumpeted the innovations of private business. However, in the early 2000s Microsoft was sued by the Justice Department over antitrust issues, to a lengthy legal battle that eventually resulted in the company having to make Windows interoperable with competitors. Tech companies began to that the law may pose a challenge to their ambition.
Since then, the lobbying spend of tech companies has grown dramatically. Companies across think tanks to influence the policy debate and campaign funds to curry favor. Several Silicon Valley executives and high level officials in President Barack Obama’s administration between positions at tech companies and the government.
“I think the tech sector, particularly Google, had an outsized influence on policy in that administration,” said Gigi Sohn, a distinguished fellow at the Georgetown Law Institute for Technology Law and Policy and former counselor to FCC Chairman Tom Wheeler.
Tech companies’ rapid economic growth and —that are strongly anti-regulation and socially liberal—had bipartisan appeal. “Both [parties] have been falling over each other to identify as the party of this burgeoning digital economy,” McChesney said.
A lack of expertise cracks the door open to lobbying
However, have a background in technology, and the , which provided bipartisan expertise on issues in science and technology, was cut in 1995 and never re-established.
“[Lawmakers] rely on industry to give them their ‘facts,’” said Sohn. “When you don't give government the resources they need to educate themselves on these issues, they have no one to rely on but industry and underfunded public interest advocates.”
This lack of expertise made it easy for tech companies to use their lobbying power to change the conversation as pro-privacy bills gather momentum. After President Donald Trump broadband privacy rules in 2017 enacted under President Obama, lawmakers introduced similar legislation at the state level around the country. One of the most closely watched was California’s Assembly Bill 375, which required Internet Service Providers (ISPs) such as Comcast and AT&T to ask for California residents’ consent before sharing their information with a third party, data protection demands.
Ernesto Falcon, a legislative counsel with the Electronic Frontier Foundation who supported the bill, was optimistic about its passage when it was first introduced due to public support of the issue. It was voted through three committees and introduced on the Senate floor. Then Google and Facebook joined the opposition fight.
Suddenly lawmakers were with suggestions that the bill had unclear definitions, would result in constant consent pop-ups and could prevent ISPs from sharing information about potential violent threats, arguments that Falcon calls “illegitimate.” He said he reached out to the tech companies asking what they specifically wanted to see changed but received no response.
“Because it was Silicon Valley making these arguments along with telecom companies, it started to sound more confusing,” he said. “Many of these folks weren’t sure what this bill did by the time it actually came to the vote.”
The majority of lawmakers chose not to vote on the bill and it died in the last session, which Falcon believes was the tech companies’ goal. “They know their position against privacy is unpopular,” Falcon said. “They’d rather never have opportunities to be brought to light where politicians have to make the choice: Are you for or against privacy?”
Tech’s lobbying power could still shape politics post-Cambridge Analytica
The tech industry has met its limits elsewhere. Despite in Brussels, the tech industry wasn’t able to deter the passage of GDPR.
“The European Commission and legislators have probably been immune toward the lobbying of those big tech companies because if they had really impacted the legislation, then [GDPR] wouldn’t have been so strict,” said Maja Brkan, an assistant professor in EU law at Maastricht University, who focuses on data protection and privacy.
The GDPR will set a new standard for data protection, and --including Japan, Argentina, New Zealand and Israel—are pushing similar legislation as not to lose out on the cross-border free flow of data. This could put further pressure on the US to break the data privacy law drought.
The road ahead for US privacy law isn’t clear cut.
Some believe the lobbying power of tech companies in the US would derail an attempt at an omnibus bill. Alvaro Bedoya, founder of Georgetown Law’s Center on Privacy and Technology, in a New York Times op-ed that President Obama’s attempt at a cross-sectoral bill was gutted after the tech industry weighed in. “If the United States tries to pass broad rules for personal data, that effort may well be co-opted by Silicon Valley, and we’ll miss our best shot at meaningful privacy protections,” he wrote.
Not to mention, has shown that privacy regulations could actually increase the power of incumbents could be more easily absorbed by a larger company. This is both in terms of cost of cookie management software and the customer’s comfort level in explicitly consenting to share data with multiple companies.
But public outcry over the issue is prompting lawmakers to act. In April, Senators Amy Klobuchar and John Kennedy introduced the . The Act covers a host of privacy updates, such as requiring websites to inform users of their data collection practices, provide users control over privacy settings and alert users within 72 hours if their data has been compromised.
In the meantime, tech companies’ lobbying efforts haven’t abated. While Zuckerberg publicly conceded the need for regulation, Facebook was spending money to undermine a California privacy and an Illinois (though the company after media coverage).
As for the stalking apps?
The Location Protection Privacy Act was re-introduced in 2014, but similar industry concerns. The legislation never left the Senate floor, and Sen. Franken resigned over sexual misconduct allegations in 2017.
Stalkerware, in the meantime, continues to thrive: A recent study found that intimate partner surveillance are still rampant. FlexiSpy’s starts at just $68 per month, and a year of from SPYERA for just $489.