
What Congress Should Ask Mark Zuckerberg

Since 2004, Facebook has shaped online social interactions around the world. With 2 billion users worldwide, it wields tremendous power over our civic engagement, our day-to-day routines and habits, and even over our moods and sentiments. In the process, the company’s mostly opaque data practices have become a flashpoint for debates about privacy in the digital age. Facebook has acknowledged that it permitted a quiz application developed by researcher Aleksandr Kogan, and used by roughly 270,000 people, to acquire information from upwards of 80 million users. This information was then given to Cambridge Analytica and used for political profiling during the 2016 presidential election.

While shocking to the public, this was not news to Facebook. The company became aware of Kogan and Cambridge Analytica’s violations of its data sharing policies in 2015 and obtained assurances from both that user data had been deleted. It had not been. Three weeks ago, and three years after it first learned about the data leakage, Facebook suspended Cambridge Analytica from its platform. These revelations have undermined the public’s trust in the platform as well as Facebook’s professed commitment to privacy. They have also opened questions about the extent to which federal regulators should police industries fueled by personal data.

In the coming days, Facebook CEO Mark Zuckerberg will testify before both houses of Congress about transparency and data use by his company. He will testify first at a hearing held jointly by the Senate Judiciary and Commerce committees on April 10 and then before the House Energy and Commerce Committee on April 11. CDT anticipates that members of Congress will ask about Facebook’s approach and commitment to the privacy of its users, its advertising-driven business model and susceptibility to abuse, and whether the company now believes it is time to support a comprehensive privacy law in the United States.

CDT hopes the following range of issues is addressed, and we also suggest the questions that Congress should ask.

Data Sharing with Third Parties

One of the biggest lessons to take away from the Cambridge Analytica revelations is the frequency and opacity with which data on the Facebook platform can be acquired or misused by third parties. Facebook has already announced that it will end its data sharing partnerships with data brokers, but this raises the question of what legal and technical protections are in place to ensure data is not misused. Facebook has recently promised a “full forensic audit” to learn if Cambridge Analytica deleted user data as promised. The company also quietly acknowledged that “most” of its 2.2 billion users likely have had portions of their data scraped and accessed by “malicious actors.”

Congress should ask:

  • Are legal remedies sufficient to enforce Facebook’s data sharing policies? If not, has the company put in place any technical measures to ensure that third parties with access to Facebook data use it appropriately?
  • With respect to auditing third parties, why hasn’t this been done sooner and with all third parties that access user data?
  • How can Facebook be sure more user data has not been misused, and how can the company identify other third parties that may have inappropriately acquired or misused user data?

We might have expected Facebook to have already given deep consideration to these issues, but Facebook’s Chief Technology Officer recently stated that Facebook would begin evaluating potential threats from third parties before launching products.

Congress should ask:

  • What does this evaluation entail and, more importantly, why is Facebook only now doing this, particularly as such risk assessments should have been part of Facebook’s FTC-mandated privacy program?

Part of the challenge is that Facebook works with numerous different companies with different purposes and goals for reaching users.

Congress should ask:

  • What user information or user traits are most valuable to Facebook’s advertisers and other major third parties with which it works?

Privacy By Design

Privacy by design calls for considering user privacy expectations throughout an entire product lifecycle, from formulation and development to testing and deployment. Facebook has repeatedly stressed that privacy by design is a “key part” of the entire product lifecycle at the company, and yet, Facebook users continue to perceive their privacy as being violated on Facebook’s platform.

Congress should ask:

  • Why does Facebook frequently default to user settings that promote sharing data across and outside the platform?

One important component of respecting privacy is to not upset user expectations, and yet Facebook routinely engages in data tracking activities that its users do not understand, including sentiment analysis of user posts and messages. It also extensively tracks its users online. For example, Facebook gathers a tremendous amount of information about its users from their everyday web browsing and app usage. Over 70% of internet users do not expect this. Additionally, Facebook has been accused of creating “shadow profiles” of non-users.

Congress should ask:

  • Does Facebook believe its users adequately understand how Facebook gathers detailed information through websites and apps that have “Like” buttons and other Facebook plugins?
  • What information or types of profiles are maintained by Facebook about individuals who have not signed into its services?

Transparency and User Understanding

Facebook employs hundreds of designers to develop new products and tweak its interface to increase user engagement and drive advertising revenue. Over the past decade, it has repeatedly proclaimed a desire to improve and simplify the privacy options it offers users and to better explain how the Newsfeed and advertising products work.

Congress should ask:

  • Why, despite Facebook’s publicly stated emphasis on usability and design, do Facebook’s privacy controls continue to be confusing and difficult for users to understand?
  • Will Facebook commit to better explaining to users how data from and derived from their profiles and user activity is used so users can better determine how to set the privacy controls?

Approach to Ethics

Facebook has repeatedly engaged in data practices that raise ethical concerns. In response to its “emotional contagion” study in 2014, where Facebook manipulated its news feed to see if the company could impact users’ moods, Facebook instituted an “ethical review” process to govern sensitive research into its users. There have been lapses in this program, most notably last year when Facebook market research in Australia engaged in sentiment analysis of more than 6.4 million Australian youth, including 1.9 million high schoolers as young as 14 years old, to estimate when those children were at their most vulnerable, experiencing feelings of being “worthless” or a “failure” as part of research conducted for marketers.

Congress should ask:

  • What governs which Facebook products, services, and research studies undergo this type of review?
  • Where and how did Facebook’s ethical review process fail last year, and what has changed since?

The purpose of these sorts of reviews is to translate core ethical values of respect, diversity, beneficence and justice identified by the Menlo Report into corporate decision-making. Facebook has also maintained that this process allows for the company to consult with subject matter experts to help guide its research and ethical product development.

Congress should ask:

  • What other specific values guide Facebook’s ethical review process? Have these been made public?
  • What outside, independent voices/experts have been brought in to weigh in on ethical issues at Facebook?
  • How will Facebook support independent, ethical research that is appropriately vetted, provides more controls to users, and allows Facebook to ensure its users’ data is not being abused or used unethically?

Data Portability

Facebook has not always made it easy to export user information, and when start-ups like Power Ventures have sought to access user data with consent to power services that compete with the social network, Facebook aggressively combated these features through technical measures and legal action under the Computer Fraud and Abuse Act. At the same time, data exfiltration efforts like those engaged in by Cambridge Analytica seem to have been easier than empowering Facebook’s users to access, transfer, and ultimately control their own information.

Congress should ask:

  • How does Facebook limit the ability of users and third parties to export data?
  • Will American users of Facebook be able to fully export their data?

Privacy Enforcement by the Federal Trade Commission

Facebook is currently under a 2011 consent decree with the Federal Trade Commission, which prohibited deceptive privacy statements, imposed user consent requirements, and required Facebook to implement privacy programs and undergo regular independent assessments. FTC consent decrees have been held up, by Facebook as well as federal regulators, as an ideal method to police companies that engage in unfair and deceptive data practices. Facebook has insisted it did not breach the terms of the consent decree, even as the FTC has launched an investigation into Facebook’s data sharing practices.

Congress should ask:

  • Does Facebook believe the terms of the FTC’s 2011 consent decree meaningfully improved Facebook’s privacy practices?
  • How would Facebook improve the consent decree process?
  • Were any issues raised by the independent assessments that Facebook has undergone in the meantime, and will Facebook be releasing these publicly?

Comprehensive Federal Privacy Regulation

In May 2018, the European Union’s General Data Protection Regulation goes into effect, and while Facebook has suggested that it is open to being further regulated, Mr. Zuckerberg has also suggested that protections offered under the GDPR will not be extended in their entirety to U.S. citizens.

Congress should ask:

  • Is Facebook providing U.S. citizens with the same rights available to Europeans under the GDPR?
  • Are there provisions in the GDPR that Facebook finds problematic?
  • What do you think comprehensive privacy legislation in the United States should include?
  • How can privacy laws be designed to ensure they protect users equally without giving large companies a compliance advantage?
  • Does Facebook support comprehensive baseline privacy legislation in the U.S.?