What the Hacking Scandal Means for Regulation of Social Networking Services
This post is part of "CDT Fellows Focus," a series that presents the views of notable experts on tech policy issues. This week, CDT Fellow Omer Tene is our guest contributor. Posts featured in "CDT Fellows Focus" don't necessarily reflect the views of CDT; the goal of the series is to present diverse, well-informed views on significant tech policy issues.
One of the most alarming lessons of the News of the World (NoW) phone hacking scandal applies to social networking services (SNS). Consider the fact that until a few weeks ago, one of the properties in Rupert Murdoch’s media portfolio was MySpace, the most popular SNS in the United States until 2008. It is disconcerting to think that control over such a treasure trove of personal information rested with a corporate group harboring the ethics and practices of NoW.
To generate a flow of exclusive stories and maintain its edge in the fiercely competitive British tabloid market, NoW allegedly hacked the voicemail of Milly Dowler, a murdered school girl; of relatives of British soldiers killed in Iraq and Afghanistan; and of victims of the 7 July 2005 London terrorist bombings. In the course of hacking Dowler’s voicemail, private investigators acting for NoW allegedly deleted some messages (to free up space for additional hacking), giving false hope to Dowler's family who thought she might have deleted the messages herself and therefore still be alive. In addition, the NoW allegedly bribed police officers and blackmailed individuals into coughing up information about their acquaintances.
[An interesting side-issue concerns the data security flaw permitting much of the hacking. Mobile phones come equipped with a default four-digit PIN, which customers are expected to change, but very few do. This enabled private investigators to call the target’s number and when unanswered, enter the default PIN to retrieve their messages. The lesson, well known to data security professionals, is that no matter how robust a data security system, it can always be infiltrated if users do not manage their passwords prudently. While it may take a super-computer billions of years to crack an encryption algorithm; it takes only a second or two to enter a password which is written on a Post-it note on the computer screen.]
The allegations against NoW led to the closing of the tabloid, ending the newspaper’s 168 year history. They also caused Murdoch to drop his bid to take over broadcasting giant BSkyB, 39% of which were already owned by Murdoch’s News Corporation. If the recent furor rendered Murdoch unfit to own a broadcasting outfit, how would you assess his ownership of a SNS?
SNS are stewards of a vast eco-system of personal data. They know more about us than anyone else except (perhaps) the government. Their knowledge extends far beyond information we post voluntarily, such as status updates, photos, videos and friend requests. It includes our interaction with the service; the profiles and posts we look at; whom we interact with, as well as the content of our messages. It now extends to where we are geographically; and as the web increasingly becomes social, where we hang out online. It is augmented by ripening face recognition technologies and by tens of thousands of applications (“apps”) which enhance the SNS and enrich it with additional layers of information.
We must keep a sharp eye on SNS providers to prevent personal data from falling into wrong hands. The threat of ex post liability may not suffice, given that the value of data is steadily rising while the criminal justice system remains slow and cumbersome. Indeed, in 2009, the London Metropolitan Police decided not to pursue an investigation into the NoW transgressions. (This month, Scotland Yard Assistant Commissioner John Yates expressed "massive regret" for that decision). Ex ante measures are necessary to reduce risk and keep businesses honest.
Government entities around the world, including the European Commission, the Council of Europe, the OECD, and the United States government, are currently reviewing the legal framework for data protection and privacy. Hopefully, they can find ways to incentivize SNS providers to implement technological and organizational measures to integrate privacy into their backbone and culture, without resorting to prescriptive regulation. To sustain the enormous benefits of SNS to innovation and the Internet economy, regulation should be a last resort.
This will not be easy. Some of the concepts discussed during the review process, such as the “right to oblivion”, seem unworkable or contradictory to important fundamental rights such as the freedom of speech. Others, like the principles of “accountability” and “privacy by design” remain murky, leaving much room for interpretation and (hopefully not open-ended) discussion. At the end of the day, it may turn out that apparently procedural issues, such as the rules for applicable law; the role and position of chief privacy officers (CPOs) (in the United States) – or data protection officers (DPOs) (in Europe); and the funding and powers of regulatory agencies; are the ones to effect the greatest change.