While Facebook thrives in the marketplace, the company is under siege by angry critics both inside and outside of government over privacy issues. The Federal Trade Commission (FTC) claims that Facebook violated its 2011 privacy consent decree and may impose a fine on the company of up to $5 billion. The FTC alleges that Facebook did not do enough to protect user data from being improperly exploited by Cambridge Analytica, which used that data to supply strategy advice to the Trump campaign.
In one sense, the fine is the least of Facebook’s worries; other initiatives are in development to alter the way the company does business. With her usual lack of caution, Senator Elizabeth Warren has called for the breakup of Facebook, Amazon, and Google on the ground that their allegedly monopolistic practices tend to squash smaller upstarts, leading to what she laments as a rapid decline in competition and innovation across an industry that has been defined by fierce competition and high levels of innovation. Warren doubled down on her position by recently unveiling a new bill imposing criminal liability—including jail time—on corporate executives for simple negligence in carrying out their manifold duties.
Piling on, Rhode Island’s David Cicilline, who chairs the House Subcommittee on Antitrust, Commercial and Administrative Law, has called for aggressive FTC investigation and antitrust remedies against Facebook. On the Senate side, Ron Wyden of Oregon wrote the FTC urging the direct imposition of fines against Mark Zuckerberg personally. There are other efforts like these afoot in many states and in the European Union.
Yet, as this war continues, Facebook’s stock maintains its high market value and is up 41% year-to-date. Indeed, Facebook, sensing the inevitable, has already accounted for a fine on its books, only to see investors bid up the price of its shares by 9 percent in after-hours trading. That market assessment is instructive because it predicts that Facebook’s platforms, including the highly profitable Instagram, will continue to attract and retain users in the months and years ahead, notwithstanding public knowledge of its allegedly porous privacy policies. That rise in market price is indirect but powerful evidence that many of Facebook’s users are not concerned with any flaws in the company’s business model. The remainder are probably banking on two factors. The first is their own ability to take defensive measures by limiting the kinds of information they place on the site. The second is the additional protections that Facebook has incorporated since the Cambridge Analytica data breach. In sum, Facebook users are looking forward, not backward.
In most discussions of the legal issues, Facebook’s liability under the terms of the consent decree is treated as a self-evident proposition. But a careful review of the key provisions of the decree when set against the Cambridge Analytica fiasco shows that the FTC’s case is more tenuous than conventional wisdom holds. The basic objective of the 2011 decree was to prevent disclosure to third parties, without the consent of the individual user, of “covered information”—i.e., personal information about users, including “nonpublic user information” that “is restricted by one or more privacy settings.” The key provision is Article II, which states that Facebook had to “clearly and prominently disclose” its intent to share designated nonpublic information “prior to any sharing of a user’s nonpublic information by [Facebook] with any third party[.]”
The key word in Article II is “sharing,” which, given its ordinary meaning, means that Facebook has taken the information in question and has itself or through its agents supplied that information to some person not otherwise entitled to receive it. The limited scope of the prohibition makes perfectly good sense because Facebook can well organize its own internal affairs to block its agents from making the forbidden disclosures, and, when such measures break down, institute corrective actions post-breach to control the damage.
The prohibitions contained in Article II do not reach, however, the related risk that a third party might deceitfully steal data from the overall system. Article IV addresses this issue by ordering Facebook to “maintain a comprehensive privacy program” with two key objectives: to design its new and existing products in ways that are likely to secure that information, and to take steps “to protect the privacy and confidentiality of covered information” by “the identification of reasonably foreseeable, material risks, both internal and external, that could result in Respondent’s unauthorized collection, use or disclosure of covered information[.]”
The appropriate plan in question is covered by an extensive verification program that uses independent, outside investigation to confirm that Facebook remains in compliance with the requirements of the consent decree. There seem to have been no charges prior to the current situation that Facebook was not in compliance with any of the protective obligations imposed by Article IV. Nor does the 2011 decree contain, it should be stressed, any explicit remedies, including any schedule of fines, to deal with instances of breach.
The difficulty with the FTC’s case is that its allegations regarding the Cambridge Analytica breach do not seem to fall neatly into Facebook’s obligations under Article II or Article IV. Every account of the Cambridge Analytica story makes it painfully clear that the company was shut down because of its extensive willful misconduct. But it is critical to note, as Vox reports, the nature of its wrongs: “In March, the New York Times and Observer reported that Cambridge obtained private Facebook data—specifically, information on tens of millions of Facebook profiles—from an outside researcher who provided it to them in violation of his own agreement with Facebook.” It appears that Cambridge Analytica stated in its original solicitation that it would only collect data for academic purposes. It then was able to get many people to sign up to the program, after which the company used the app to collect data not only from those who consented, but also from their Facebook friends who had not consented.
At this point, it seems clear that Facebook itself had a strong, if useless, legal remedy against Cambridge Analytica and said outside researcher for the losses it suffered because of their misappropriation of data. Those losses should cover the substantial reputational hit that comes with the entire scandal as well as any financial losses that flow to Facebook by virtue of the scandal. At the same time, the interposition of two actors—the outside researcher and Cambridge Analytica—goes a long way to insulate Facebook from responsibility under the 2011 consent decree. As regards Article II, it would be odd to say that Facebook engaged in the “sharing” of data taken from it against its will. It is also difficult to make out a charge against Facebook under Article IV. Critically, the decree does not hold Facebook strictly liable in the event that its defenses against third party misappropriation have been breached. Its program was obligated, in the words of Article IV, to be “reasonably designed” to address the privacy risks, “appropriate to [Facebook’s] size and complexity, the nature and scope of [Facebook], and the sensitivity of the covered information[.]”
This section would be an important source of liability if there were some allegation that either Facebook or its external examiner knew of this particular risk of wholesale misappropriation. But the accounts thus far have stressed the decision of Facebook not to invest sufficiently in settings that might have prevented the collection and use of this data, until the entire matter blew up in March 2018 with the revelations of a whistleblower, Christopher Wylie, about how Cambridge Analytica collected the information.
Finally, in addition to the weaknesses in the government’s theory, the computation of the fine cannot be based on the 2011 consent decree. The current thinking runs as follows: “If the company's found to have violated the agreement, it could face penalties of up to $40,000 per user per day, which could in theory add up to billions, if not trillions of dollars.”
These numbers just do not add up. It would be foolish to insist that the FTC could not find some areas of specific negligence in Facebook’s procedures since the 2011 decree that may well constitute independent grounds for imposing a fine under the FTC’s general oversight authority. But that fine should be a tiny fraction of the commonly cited $5 billion figure, because the stated amount of daily damage to individual users, which works out to $14.6 million per user per year, is at least several thousand times any actual (and unspecified) loss. There is no deterrence or retributive rationale that supports the penalties so imposed. One wonders whether the fine would be the same if Cambridge Analytica had worked for the Clinton campaign.
Notwithstanding this egregious inflation of damages, apparently, Facebook has decided to throw in the towel on contesting the size of the fine, but its acquiescence has to be in large measure strategic, for the real risk lies in so-called structural remedies. Facebook is a networked firm whose value to users depends on the number of other like-minded individuals accessible on the platform. Break it into constituent companies and its user value is likely to go down. Yet, ironically, the privacy risks from unauthorized data breaches will be at least as large, and perhaps greater, given that smaller firms are likely to have fewer funds to invest in security. The market demand for privacy remains, and, as is so often the case, the best fixes come from technology that can be constantly adjusted and improved, and not from the dangerous overreach of the half-baked legal proposals so much in vogue today.