GDPR's Massive 'Research' Exemption: Facebook And Social Science One

This article is more than 4 years old.

European Union politicians, eager to reassure their privacy-conscious constituents they are taking tough action against Silicon Valley to safeguard their digital rights, have relentlessly touted GDPR as the ultimate bulwark against the modern digital surveillance state. In reality, GDPR has been an abject failure: it has rolled back previous protections and permitted Facebook to deploy facial recognition across the EU; it has effectively (in the absence of meaningful penalties to date) deferred to companies to decide where and how GDPR applies; it has exempted most US companies, permitting them to harvest and resell EU citizen data without limitation; and it has made the most intimate EU citizen data, from healthcare records to intimate photographs to private sensitive messages, available to researchers around the world to mine and manipulate without limitation. Facebook’s academic research collaboration is moving rapidly forward, making the personal data of all EU citizens available for research by researchers across the world, potentially including government-funded researchers working directly with foreign adversarial governments on military research and misinformation campaigns directed at the EU. How does the EU see Facebook's work with Social Science One through the eyes of GDPR, and does it believe that the benefits of permitting EU citizens to be mined and manipulated for “science” and the needs of foreign governments and for-profit companies outweigh the privacy and safety that EU citizens might expect from GDPR?

After years of public posturing and veiled threats against Facebook’s data practices, the European Union seems to be softening its stance of late. In place of the fiery rhetoric and threats of breaking up the company that have defined its previous stance towards Facebook, EU politicians over the past month have adopted a downright conciliatory tone towards the company.

European Commissioner for Competition Margrethe Vestager offered an olive branch to Facebook just last week, suggesting she did not believe that the EU should focus its efforts on breaking up the company, but rather working with it to share more data.

European Commissioner for Justice, Consumers and Gender Equality Věra Jourová similarly deferred to the company, offering that “Regulation will not solve Facebook’s problems stemming from lax data protection … Facebook has to look first and foremost at itself. If they want to, they can embrace a real change already now.” While her remarks were focused on Facebook’s call for greater government oversight over content moderation, they still reflect a marked shift from the EU’s previously more fiery and regulation-minded rhetoric.

The EU has also taken the opportunity to repeatedly praise the company in recent months, including for changes to its terms of service.

Just last month Commissioner Jourová “welcomed” Facebook’s streamlined terms of use, touting that the “European Commission [is] stand[ing] up for the rights of EU consumers” and that “users will clearly understand” how their data is being used by Facebook now.

Yet Facebook’s collaboration with SSRC to make the private data of its two billion users available for academic research under Social Science One poses unprecedented challenges to these privacy promises.

For example, Social Science One’s initial dataset announcement noticeably referenced “legal constraints” in providing research access to posts that users had previously deleted. However, once a user deletes a post, Facebook’s official policy requires it to remove the content from its servers after 90 days.

This raises the question of why there would be “legal constraints” to providing access to content that, in theory, shouldn’t even exist.

Asked to reconcile this discrepancy with its own written policies suggesting deleted user content would be wiped from Facebook’s servers within three months, the company declined to comment. Asked how Social Science One would handle the issue of deleted data more broadly, especially given the prominence it has assigned to replication and misinformation research’s explicit interest in deleted accounts, both Facebook and SSRC declined to comment. Asked to confirm that all posts and accounts deleted by users would be permanently deleted from Facebook’s servers, rather than permanently preserved and made available for researcher access, neither Facebook nor SSRC did so. Asked whether Facebook would consider Social Science One’s dataset to be separate from its own corporate holdings and thus exempt from its 90-day rule, Facebook declined to comment, while SSRC did not respond when asked how it would otherwise ensure research replication if, for example, foreign governments could mass delete entire bot networks, eliminating the very data at the heart of the initiative’s misinformation focus.

Much like Facebook’s own corporate research, Facebook’s two billion users are not permitted to opt out of Social Science One making their private data available to researchers all across the world.

In terms of limitations on just which researchers qualify to gain access to EU citizen data, SSRC declined to rule out researchers whose labs are primarily government-funded under military or intelligence contracts to study social media with the purpose of assisting their governments in conducting misinformation campaigns. While the research they propose to Social Science One must pass external review and will be funded by a specific set of predefined neutral funding agencies, SSRC declined to commit to any safeguards that would prevent foreign governments engaged in active misinformation campaigns from working with researchers they fund to conduct research on EU citizens through Social Science One in order to better understand EU information patterns to better target their misinformation campaigns.

In fact, SSRC astonishingly declined to rule out active manipulation of EU elections by foreign researchers. When asked whether American researchers could propose to actively suppress specific topics and artificially inflate others immediately before and during an election in order to determine whether they could intervene and sway that election, SSRC noted that such active manipulation was not part of its initial phase of activities but declined to rule it out as a future expansion of its activities.

Of course, it remains to be seen whether Social Science One’s policies will actually be adhered to at all.

Lest we forget, previous Facebook rules that strictly prohibited academic researchers from bulk transferring their legally harvested data to outside commercial entities didn’t stop an academic from shipping his archive of Facebook data to Cambridge Analytica.

Moreover, the prevailing view in academia has turned against honoring such legal contracts. As a member of Social Science One’s own Civic Engagement Committee put it recently, “I have articulated the argument that ToS [Terms of Service] are not, and should not be considered, ironclad rules binding the activities of academic researchers. … I don't think researchers should reasonably be expected to adhere to such conditions, especially at a time when officially sanctioned options for collecting social media data are disappearing left and right.”

If the initiative’s own committee members don’t endorse adhering to legal agreements governing data use, why should researchers awarded access to its data do so?

Even the aggregation and differential privacy model upon which Social Science One is based is unlikely to be sufficient to protect the privacy of EU citizens. The tight inter-relatedness and mosaicked queries of its initial round of projects are likely to quickly exhaust even the most optimistic differential privacy budget, at which point intimate personally identifying information may be leaked. Differential privacy also notoriously struggles with the analysis of the very kind of significant outliers that are of greatest focus by many misinformation researchers.
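
The budget exhaustion described above, as an added example that is not part of the original article and is not Facebook's or Social Science One's code: a Laplace-mechanism counting query with a sequential-composition accountant, using a repeated identical query as the simplest case of related queries. The class and function names, the count of 37 and the epsilon values are constructed for illustration.

```python
import random

class BudgetExhausted(Exception):
    """Raised when a query would push cumulative epsilon past the cap."""

class PrivacyAccountant:
    """Hypothetical accountant using basic sequential composition:
    the epsilons of all answered queries simply add up."""
    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon):
        # Small tolerance so float rounding does not reject the last valid query.
        if self.spent + epsilon > self.total + 1e-9:
            raise BudgetExhausted(f"spent {self.spent:.2f} of {self.total:.2f}")
        self.spent += epsilon

def laplace_noise(rng, scale):
    # Difference of two Exp(1) draws is Laplace(0, 1); multiply by the scale.
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))

def noisy_count(true_count, epsilon, rng, accountant=None):
    """Laplace mechanism for a counting query (sensitivity 1)."""
    if accountant is not None:
        accountant.charge(epsilon)  # refuse before any noise is drawn
    return true_count + laplace_noise(rng, 1.0 / epsilon)

def repeated_query(true_count, epsilon, repeats, rng, accountant=None):
    """Ask the same question `repeats` times and average the answers.
    Returns (average, number of queries actually answered)."""
    answers = []
    try:
        for _ in range(repeats):
            answers.append(noisy_count(true_count, epsilon, rng, accountant))
    except BudgetExhausted:
        pass  # the accountant stopped answering
    return sum(answers) / len(answers), len(answers)

if __name__ == "__main__":
    TRUE_COUNT = 37   # constructed value: users in some small, sensitive group
    EPS = 0.1         # per-query epsilon, Laplace scale 10
    # No accountant: 2000 answers, effective epsilon 200, noise averages away.
    avg, n = repeated_query(TRUE_COUNT, EPS, 2000, random.Random(1))
    print(f"unmetered: {n} answers, average {avg:.2f}")
    # Total budget 1.0: the same analyst is cut off after 10 answers.
    acct = PrivacyAccountant(1.0)
    avg, n = repeated_query(TRUE_COUNT, EPS, 2000, random.Random(1), acct)
    print(f"metered:   {n} answers, average {avg:.2f}, spent {acct.spent:.1f}")
```

The guarantee holds only while the accountant refuses further answers at the cap; every query answered past that point adds to the effective epsilon and weakens the protection for everyone in the dataset.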

Even with perfect differential privacy, only the identifying details of individuals and small groups are protected. Vulnerable minority groups subject to extreme discrimination and repression, including physical violence, are not typically protected under most differential privacy regimes given that their membership size is typically above the protective threshold for the kind of fine-grained research Social Science One focuses on.

In short, even the most advanced protective measures are not an absolute guarantee of privacy and safety.

In fact, one of Facebook’s other major privacy-protecting data analysis initiatives, its Disaster Maps, strictly prohibits government employees from directly accessing its secure portal that is protected by many of the same safeguards as Social Science One will be. Asked why this is, the company acknowledged that even the most advanced safeguards cannot entirely rule out the risk of harm to its users and sensitive data leakage and thus it relies on trusted third party NGOs to act as gatekeepers.

If Facebook, even with all of these privacy safeguards and in the context of emergency disaster response designed to save human lives, won’t grant untrusted users access to its Disaster Maps program for fear that sensitive information could still leak, why is Social Science One proceeding? Neither SSRC nor Facebook responded to requests for comment.

Both organizations do appear to recognize the insufficiency of these data safeguards alone, given the initiative’s prominent emphasis that it will also enforce rigorous auditing and network bandwidth limitations to limit the damage from potential unauthorized activity or data leaks.

EU citizens hoping for reprieve from IRB data ethics boards and academic journals will be sorely disappointed. Most university data ethics boards in the US have largely embraced the idea that research on social media data should not undergo ethical review, while the same journals that once condemned intrusive social media research now wholeheartedly embrace it. Even the universities with secondary data ethics reviews no longer appear to be enforcing them even for projects studying extraordinarily sensitive topics like estimating sexual orientation that could threaten the safety of and lead to physical violence against society’s most vulnerable populations.

This raises the question of how Social Science One fits within the privacy protections supposedly afforded to EU citizens by GDPR.

Unsurprisingly, Facebook itself did not respond to multiple requests for comment on why it believes Social Science One complies with GDPR and what steps it has taken to ensure that compliance and the protection of user data. Notably, it did not respond when asked whether it would be retaining deleted user content indefinitely on behalf of Social Science One instead of wiping it after 90 days.

Facebook does appear to recognize the GDPR implications of the initiative, however.

Graham Doyle, Head of Communications of the Irish Data Protection Commission confirmed that “Facebook have [sic] informed the Irish Data Protection Commission of the initiative with Social Science One. We are currently engaging with Facebook Ireland on this matter in order to ascertain more information and clarification on the full data processing cycle in relation to data sharing arrangements with the academic researchers and the impact it has on EU citizens.”

However, when asked when precisely Facebook actually informed the Irish DPC about Social Science One, whether the initiative could proceed in the interim while the Irish DPC conducts its review and when that review might complete, the organization said it would look into whether it could comment further but ultimately did not provide additional comment.

GDPR provides explicit exemptions for research use of data, raising the question of whether Social Science One is actually largely exempt from most of GDPR’s protections and safeguards.

The EU is certainly very much aware of Social Science One, with Vice-President for the Digital Single Market Andrus Ansip, Commissioner for Justice, Consumers and Gender Equality Věra Jourová, Commissioner for the Security Union Julian King and Commissioner for the Digital Economy and Society Mariya Gabriel issuing a joint statement just last week lauding the cooperation of Silicon Valley with the EU’s efforts to combat misinformation, with the report explicitly citing Social Science One as part of that success story.

Strangely, that press release also mentions that “Facebook reported on new access for researchers to … its URLs Data Set” while Social Science One actually announced that it had paused that dataset in light of its original design posing privacy and safety concerns. The EU did not respond to a request for comment on the apparent discrepancy.

Asked about the GDPR implications of Social Science One and especially the issues of its handling of deleted data, the prohibition on opting out, the initiative’s refusal to rule out active manipulation of EU elections and the limitations of differential privacy, a European Commission spokesperson pointed to the same press release in emphasizing the importance of initiatives like Social Science One in helping the EU to combat misinformation.

The spokesperson further clarified that while GDPR still generally applies to research use of personal data, it provides numerous exemptions for research. The spokesperson emphasized that determining GDPR compliance and enforcing against violations is relegated to national data protection authorities. Given the lack of meaningful enforcement action to date, however, it is unclear whether those authorities will attempt to regulate or review research use of EU citizen data under Social Science One in any meaningful way.

It is also important to acknowledge that under some interpretations of GDPR by the EU itself, the kind of anonymized and aggregated data made available by Social Science One may not even be eligible for GDPR protection and thus Social Science One may not actually be beholden to any GDPR limitations of any kind.

Asked explicitly about this scenario and what happens when a research project exceeds its differential privacy budget and begins leaking personally identifiable intimate information and how that transition is treated under GDPR, the Commission notably did not provide a response.

Many of the research outputs of Social Science One that will be published in academic journals will directly benefit Facebook’s own commercial interests and effectively perform commercially beneficial research by proxy. Asked how this is handled under GDPR, especially given the privacy legacy of “research” like that of Cambridge Analytica, the Commission again emphasized that GDPR applies to research but also affords numerous exemptions for research.

Stepping back, Social Science One will enable researchers from all across the world, including those whose labs are primarily funded by adversarial governments engaged in misinformation operations against the EU, to freely mine the most intimate personal and private EU citizen data. That data may eventually include medical records, financial information, intimate photographs, communications and information regarding minors, highly sensitive vulnerable population membership and other enormously sensitive information shared over social channels EU citizens thought were private. EU citizens are prohibited from opting out of this research and both Facebook and the initiative have strangely declined to guarantee that content and accounts deleted by users will not be preserved for permanent researcher access. Even active manipulation and intervention in EU elections has not been ruled out. Moreover, despite its much-vaunted privacy safeguards, those protections may be rapidly exhausted due to the initiative’s research design, while other Facebook initiatives that use similar privacy protections acknowledge that they still pose a privacy and safety risk and thus require a layer of professional gatekeepers that are not part of the Social Science One model.

All of this would appear to be permissible under GDPR and in fact the entire initiative may even find itself exempt from any GDPR regulation at all.

This raises the question of just what benefit GDPR actually provides to the citizens of the European Union when their right to digital privacy, the protection of their data and the freedom to not be mined and manipulated seems little changed from the pre-GDPR era.

Asked explicitly what value the Commission sees GDPR as offering EU citizens given that it does little to curb them from being mined and manipulated by researchers, the Commission did not offer a response. Asked the same question, the Irish DPC similarly did not offer a response.

If the Commission itself cannot adequately articulate why GDPR benefits the EU's citizens compared with previous regulations and if initiatives like Social Science One can still proceed under its auspices, it suggests there is far less to GDPR than the public has been led to believe.

Putting this all together, once again we see the collision between the public rhetoric of politicians eager to claim political victories and tout their credentials in protecting the digital privacy of their citizens and the reality that most privacy legislation not only fails to protect privacy but actually often leads to less privacy, rolling back what few protections predated it. In fact, the few meaningful protections we have today mostly predate the desire of internet companies to exploit our personal information, written at a time when there were few companies lobbying for exemptions, whereas today’s privacy laws are typically sufficiently watered down and filled with exemptions to protect the powerful companies that have built their businesses upon our most intimate data.

Social Science One reminds us that for all the European Union’s rhetoric, GDPR has little to show for itself other than reversing the few real privacy protections that existed before it.

In the end, GDPR did not bestow privacy protections upon the EU's citizenry. It stealthily stripped away the few real protections they actually had.