The Facebook Scandal: Illegal, or Just Unethical?

Posted by: Jensen Nevitt

If you have been paying any attention to the news of late, then you have heard of the Facebook/Cambridge Analytica scandal involving the dissemination of information relating to 87 million Facebook user profiles. This is not the first time that Facebook has gotten into trouble for infringing on the privacy of its users, and if left unchecked, it might not be the last. Even if it turns out that the actions of Facebook were not illegal, they were certainly unethical and deceitful. Congress has taken notice and wants answers. Given the outrage of users and declining trust in the company, perhaps it is time for further regulation of companies like Facebook that guard access to such vast amounts of personal information.

What Happened?

If you have not heard the background of the on-going Facebook scandal, then it might be time to familiarize yourself with what happened. “Why?”, you may ask. The answer is: you just might be one of the 87 million Facebook users whose personal information was accessed by Cambridge Analytica. Cambridge Analytica is a political data firm hired by the Trump campaign to identify an audience for political advertisements. Cambridge Analytica accessed the personal information of millions of users without those users being even slightly aware, which begs the question, “how can something like this even happen?”

In 2015, the Trump campaign hired Cambridge Analytica to collect data that allowed the campaign to disseminate targeted political advertisements. Cambridge Analytica hired Dr. Aleksandr Kogan to accomplish this. Dr. Kogan is a psychology professor at Cambridge University. To collect the desired information, Dr. Kogan created a personality survey application for Facebook users. To take the survey, a user was forced to consent to the application accessing the user's personal information. The information collected included user identities, friend networks, likes, and even location information. This type of data mining is allowed by Facebook for academic purposes. The data is not allowed to be sold or transferred, yet that is exactly what Dr. Kogan did when he passed it to Cambridge Analytica.

What users did not realize when they granted the application access to their personal information was that they were also granting the same access to the profiles of all their Facebook friends. 270,000 users took the personality survey. Through those 270,000 users, Cambridge Analytica gained access to what was originally thought to be 50 million profiles. In the weeks following the scandal, that number has increased to 87 million.

What Dr. Kogan did with his application was not disallowed by Facebook privacy settings at the time of the information gathering (it has since been prohibited). For the average person, it is hard to fathom that your personal information could be accessed through the actions of another user on Facebook. Yet, that is exactly what Facebook allowed.

When Facebook found out about the actions of Cambridge Analytica, it deleted the application from Facebook and sought assurances from the company that the data had been deleted. Cambridge Analytica originally denied that it had used the data, but later about-faced and assured Facebook that the data had in fact been deleted. Cambridge Analytica has tried to deflect blame from itself on to Dr. Kogan.

The Fallout

In the fallout from the scandal, Facebook stock plummeted, resulting in the company and Mark Zuckerberg personally losing billions of dollars. This article outlines how the Facebook founder lost $4.9 billion in one day (dropping his net worth to a lowly $70.4 billion). That figure was based on the day’s stock price of $172.56, but in the weeks since the original story emerged, the stock price fell even further to below $155.00 (after surpassing the $185.00 mark in the weeks preceding the story). As of the time of writing this blog, the stock price sits at $157.59.

In addition to plummeting stocks, Congress has taken notice of the situation, with the House Energy and Commerce Committee requesting that Mr. Zuckerberg personally appear before the committee to explain Facebook’s actions. Similar requests have been made by senators in the Senate Judiciary Committee and Senate Commerce Committee. On the other side of the pond, British Parliament is also requesting that Mr. Zuckerberg appear before it to explain what happened.

Furthermore, the Attorney General of Massachusetts is investigating the company, top executives are joining the #DeleteFacebook movement (including Elon Musk and Brian Acton), and Facebook members and investors alike are filing lawsuits against the company. But the biggest trouble that Facebook may yet face stems from a 2011 settlement made with the Federal Trade Commission. Facebook got into trouble when it represented to users that their information was private, when in actuality Facebook allowed that “private” information to be made public.

Facebook has also been forced to look deeper into exactly what has occurred with users’ information, and has admitted that nearly all of its 2 billion users may have had their data scraped.

Current Remedies?

Legally, Facebook could be in trouble if it violated the 2011 FTC settlement. In the original complaint, the FTC alleged that Facebook violated 15 U.S.C. § 45(a) by committing “unfair or deceptive acts or practices, in or affecting commerce . . . .” Among other obligations, Facebook is prohibited from making misrepresentations about privacy to its users. Facebook must also obtain affirmative, express consent from its users to be able to make changes that override a user’s privacy settings. The settlement carries the force of law. If Facebook violates the settlement, it can be subject to a fine of up to $16,000 per violation. In other words, if the FTC were to find that Facebook violated the settlement all 270,000 times that a user took the survey, then Facebook could be liable for an amount up to $4.32 billion.

Is that a likely result? Probably not. I would posit that every single user who took the personality survey did so without understanding the full extent of just what the user was granting to the application. The users were likely put on full notice of just what they were giving up. I would imagine that Facebook can afford some pretty decent lawyers – lawyers who assure that Facebook’s privacy agreement is in compliance with the 2011 settlement.

Another option that a user could take would be to sue in state court under the state’s privacy laws. The Facebook Terms of Service contain a forum selection clause that provides that any claims must be brought in either the United States District Court for the Northern District of California, or in a California state court in San Mateo County. The terms also contain a choice of law provision, which states that the laws of the state of California will apply to any dispute. Surprisingly enough, the terms do not contain an arbitration clause.

Under California law, operators of commercial web sites that collect personal information of users must post a privacy policy and must comply with that privacy policy. Among other things, the policy must state the “categories of personally identifiable information . . .” that the company collects and the “categories of third-party persons or entities . . .” with whom the company shares the information. A violation of the regulation must either be knowing and willful or negligent and material. Facebook has such a policy. It says that “[w]e do not share information that personally identifies you . . . with advertising, measurement or analytics partners unless you give us permission.” The policy also states that Facebook transfers information to “vendors, service providers, and other partners who . . . [conduct] academic research and surveys.”

I believe that it is unlikely that Facebook violated the law. Facebook’s privacy policy is posted. It states that it will not divulge personally identifiable information without the user’s consent. In this case, the users who took the survey gave consent. The privacy policy explicitly states that Facebook shares information with partners who conduct research. Facebook believed that Dr. Kogan was performing research. It is highly unlikely that Facebook acted knowingly and willfully since it did not know the true purpose of Dr. Kogan’s quiz. The better argument is that Facebook negligently and materially violated its privacy policy. Even there, I do not think that it would be sensible to pursue litigation, given the resources that Facebook has and the fact that Cambridge Analytica appears to be the real bad actor here.

If not in a court of law, then where should Facebook be judged? I think that the most likely place is in the court of public opinion. There is already evidence that Facebook is feeling the effects of that process. Facebook’s stock already plunged. Even Brian Acton, who is a billionaire because of Facebook, has joined the #DeleteFacebook movement (Brian Acton co-founded WhatsApp; Facebook purchased WhatsApp in 2014 for $19 billion).

What needs to be done?

Should a statute exist that prohibits this from happening again? Should Congress regulate privacy on a federal level? Should enforcement be on a national level, rather than in solitary lawsuits by individuals? These are all worthy questions that bear consideration given these recent events.

The EU recently adopted more stringent privacy protections that will come into effect this year. I think that it is time that Congress does the same and takes up this issue. One idea that I have heard is that we should treat data breaches the same way that we treat pollutants. Pollution is not an individual problem; it is a societal problem. In the pollution context, the Environmental Protection Agency enforces the Clean Air Act on behalf of all of society. Pollution was a national problem that needed a nationwide-level solution. The idea is that data breaches should be treated similarly because even though a breach may initially appear to harm only individuals, all of society could actually feel that harm. I know that this was technically not a data breach, since no hack took place, but it can be treated in much the same way.

Congress should take steps to assure that large companies (such as Facebook) are more careful with the private information that they guard. I think that a national statute is needed that establishes standards for data protection and gives authority to a federal agency to enforce those standards. Given the recent attention to this matter, perhaps now is the time for more accountability and transparency from companies like Facebook.

