Social Media Platforms Are Still Powerless To Stop Data Misuse

This article is more than 5 years old.


From Geofeedia to Cambridge Analytica, social media companies seem helpless to stop outside companies from repurposing the data of their users for surveillance and profiling against their terms of service, even as they themselves actively exploit their users for their own commercial profit and engage in their own sharing and profiling activities, from special data partners to medical research. While the social media platforms continually reassure policymakers and the public that they have things under control, it seems not a month goes by without yet another company making headlines for its use of social media data for surveillance or profiling against the platforms’ terms of use. If the social platforms still can’t rein in unauthorized commercial use of their platforms and misuse of user data in violation of their terms of service, why should policymakers and the public continue to trust them to safeguard their two billion users’ privacy and data?

Last month the Washington Post reported on a company using Facebook and Twitter data for employment screening of minors. Within weeks both social media platforms had restricted the company’s access to their data and issued statements noting that its activities were strictly against their terms of service.

In response to publicity regarding the company, Twitter reiterated that “We strictly prohibit the use of Twitter data and APIs for surveillance purposes, including performing background checks.” Facebook noted that it prohibited developers from using data from its platform to evaluate individuals for hiring or eligibility decisions.

Despite Facebook initially revoking most of the company’s access to user data, the startup continued to scrape public user data, prompting Facebook to issue a statement that “Scraping people's information on Facebook is against our terms of service” and that it had launched an investigation into the scraping activity with the potential of blocking the company entirely from its platform.

Yet, the real question is how, after a year of scandals and intense press, policymaker and public scrutiny over its ability to safeguard user data, Facebook finds itself once again on the defensive over misuse of the data it is tasked with protecting.

Once again Facebook finds itself confirming that an outside company has been harvesting and misusing user data without its knowledge.

Once again Facebook has been forced to confirm that its platform is simply so porous and so poorly protected that yet another company was able to simply walk right up and begin harvesting user data for psychological profiling.

Once again Facebook has had to acknowledge that a company has been exploiting user data in direct violation of its written terms of service, reiterating that written legalese buried on a distant webpage somewhere in Facebook’s vast corner of the web can do little to actually stop prohibited behavior.

How should we trust social platforms like Facebook if they cannot stop bad actors from misusing their platforms? Again and again we see that simply adding a line to a terms of service document does nothing to stop the prohibited behavior. Indeed, the ethical review boards of most US universities and the academic community as a whole have largely determined that legal prohibitions on data misuse do not apply to academics. It appears the commercial world is little different in its willful dismissal of written usage guidelines.

In a world in which written terms of service are no longer viewed as binding by the public, companies, universities or governments, how exactly can social platforms protect themselves?

It all comes down to cybersecurity. To the monitoring and security processes employed by websites.

After all, most websites have terms of service that prohibit users from hacking into their servers and stealing their source code. Despite a legal prohibition on hacking, companies still expend enormous effort protecting their source code under the assumption that bad actors won’t feel bound by legal terms of service.

Similarly, when it comes to data misuse, social media companies need to stop pointing to their terms of service and arguing that since they ask bad actors politely not to steal or misuse data, it isn’t their fault when it happens.

Instead, social media companies need to start treating user data with the same respect and safeguards they apply to their own corporate data.

Facebook invests heavily in securing its internal corporate communications, source code and other data it views as important. It must invest the same level of care in protecting user data.

User data is more complex of course in that it is being accessed every moment from the outside world. Yet, so are a company’s email and collaborative systems. Companies typically employ behavioral analysis to flag accounts acting suspiciously, yet it appears few such safeguards are being applied to user accounts.

The company did not respond to a request for comment on how it missed this latest misuse, whether it was aware of the misuse prior to media reporting about it and if it plans to take additional action to better secure user data from such misuse in the future. It also did not respond when asked what it would say to the public and policymakers concerned that this latest episode reinforces the fact that it simply cannot protect its user data and that it does not take the security and safety of its users seriously enough.

Putting this all together, after a year of privacy scandals and a never-ending stream of reassurances that it can handle data protection and security on its own, if yet another company can simply walk in its door and begin mass harvesting Facebook data against its terms of use to perform prohibited psychological profiling, it really is time for Facebook to concede that it can no longer protect its user data. Instead of empty promises, Facebook must simply admit defeat and make certain that the public and policymakers understand that it cannot protect its user data from misuse and that they should take action accordingly.

At the end of the day, the only way we will solve data misuse from social platforms is if governments intervene and place real financial penalties on the platforms that are large enough for them to take notice. Even million-dollar fines are inconsequential to companies that earn billions a quarter. Imagine in the current case, if Facebook had to pay a million dollars per account that was misused by a company. A fine of hundreds of millions of dollars would certainly get Facebook’s attention and if those funds were provided to the users whose data was misused, it would allow them to profit from their personal data in the way Facebook does each day. More to the point, if Facebook faced financial ruin for failing to protect user data, it might start taking the safety of its users a bit more seriously.