The drumbeat to regulate Big Tech began pounding long before the Cambridge Analytica scandal rocked Facebook—six long years ago, the Obama administration pushed a “Privacy Bill of Rights” that, like most other legislative attempts to safeguard your data online, went nowhere. But this time, as they say, feels different. Thanks to repeated lapses from not just Facebook but all corners of Silicon Valley, some sort of regulation seems not only plausible but imminent.
US politicians have called for Facebook CEO Mark Zuckerberg to appear in person before Congress. Some tech-focused legislation is currently wending its way through the Capitol’s corridors. And regulators in other countries have already clamped down on tech.
In an interview with WIRED editor-in-chief Nicholas Thompson Wednesday, Facebook CEO Mark Zuckberg seemed if not outright welcoming toward regulation, at least accepting of it. “There are some really nuanced questions though about how to regulate, which I think are extremely interesting intellectually,” says Zuckerberg, who points to the bipartisan Honest Ads Act, cosponsored by senators Mark Warner, Amy Klobuchar, and John McCain, as an example of the sort of bill his company can get behind.
The Honest Ads Act, legislation that calls for increased transparency behind who pays for political ads online, makes for a convenient example, though, in part because Facebook has already implemented many of its provisions. The bill, introduced last October, also appears to have languished, making it a non-substantive threat. Meanwhile, critics say it wouldn’t have stopped Russian propagandists from flooding Facebook in the first place.
Besides, even the Honest Ads Act’s sponsors have noted that it addresses a very small piece of a very large problem. And it does nothing to address the data privacy concerns that rightly create so much angst among anyone with any sort of presence online. Which is to say, everyone. For that, the US would need something much bigger.
“We do not have an omnibus privacy legislation at the federal level,” says David Vladeck, former director of the Federal Trade Commission’s Bureau of Consumer Protection. “We don’t have a statute that recognizes generally that privacy is a right that’s secured by federal law. And that puts us at the opposite end of the spectrum from some of the other major economies in the world.”
It’s not that living in the US puts you totally in the privacy hinterlands. The FTC has a modicum of authority, and has used it when companies grossly overreach—as it did against Facebook in 2011, when the company failed to keep its promises regarding how it treated their data. Facebook had made user information public, even if they'd previously had more restrictive privacy settings, and allowed third-party developers to mine the data not just of the Facebook users who downloaded their apps, but of all of those peoples' friends. (If that sounds familiar, well, it's precisely what allowed the Cambridge Analytica fiasco.)
Even then, though, Facebook got off with a scolding. It had to sign a consent decree, essentially a promise that it wouldn’t stray again. That's gone unchecked until this week, when the FTC reportedly opened an investigation into the Cambridge Analytica scandal, and could fine Facebook up to $40,000 per violation—with 50 million people impacted, the potential fine hypothetically stretches into the trillions.
But the threat of retroactive fines clearly hasn't done the trick. The FTC, meanwhile, can only work with the legislative tools it’s given. So what would it look like if Congress gave it better tools? Other countries might offer something like an outline, if not an outright blueprint.
In Finland, officials feel that their strong public education system and a coordinated government response have been enough to stave off Russia’s propaganda; Sri Lanka banned Facebook, WhatsApp, and Instagram entirely. Which is to say, it's a wide gamut.
On the data privacy front, the most recent high-profile model comes from the European Union, where General Data Protection Regulation becomes the law of the land on May 25. GDPR focuses on ensuring that people who use online services know not only exactly what data those companies will take, but how they put it to use.
Zuckerberg, at least, seems supportive of those levels of transparency—although they’re also, since GDPR’s passage, an inevitability. “I think what tends to work well is transparency, which I think is an area where we need to do a lot better and are working on,” Zuckerberg tells WIRED. “I think guidelines are much better than dictating specific processes.”
Rough guidelines also seem like a more plausible approach in the US due to both precedent and practicality. The EU approach to privacy law has long been highly detailed and prescriptive, says Vladeck, which sounds good in theory but can create issues in practice. “The implementation of it, in my view, is going to be ineffective, because it places an enormous regulatory burden on some parties, and worse, it places an enormous regulatory burden on the data protection authorities that need to enforce it,” says Vladeck. “I don’t think we could simply take the European regulation and simply adopt it in the United States. But I think there are a lot of elements in it that could provide guidance.”
One danger of an overly prescribed law is that technological solutions can outpace those mandates. Zuckerberg points to Germany, where hate speech laws require Facebook and other companies to remove offending posts within 24 hours. “The German model—you have to handle hate speech in this way—in some ways that’s actually backfired,” Zuckerberg says. “Because now we are handling hate speech in Germany in a specific way, for Germany, and our processes for the rest of the world have far surpassed our ability to handle that. But we’re still doing it in Germany the way that it’s mandated that we do it there. So I think guidelines are probably going to be a lot better.”
Zuckerberg also raises the question of the use of artificial intelligence in weeding out unwelcome uploads. “Now that companies increasingly over the next five to 10 years as AI tools get better and better will be able to proactively determine what might be offensive content or violate some rules, what therefore is the responsibility and legal responsibility of companies to do that,” Zuckerberg says.
Here, too, Facebook’s getting out ahead of any potential legal requirements; it already scans for nudity and terrorist content, and remains hard at work at AI that can spot what Zuckerberg calls “really nuanced hate speech and bullying.”
Eventually, though, Silicon Valley may run out of ways to appease regulators. By now there have been too many data breaches, too much negligence, whether by Facebook, Equifax, or the government itself. “I do think increasingly that there’s a sense that we need it,” says Vladeck.
At the very least, when regulation does come, Facebook has an open invite to help inform what happens, albeit in gruff terms. “Mr. Zuckerberg needs to testify before the Senate and answer some tough questions about Russian activity on the platform, and the way his company protects—or doesn’t—its users’ data,” said Senator Mark Warner in a email to WIRED Wednesday.
And if it doesn’t pitch in, Congress has a model for privacy protection waiting for it, at least philosophically, just an ocean away.
