The Washington PostDemocracy Dies in Darkness

Lawmakers hope to use Facebook’s ‘oil spill’ privacy mishap to usher in sweeping new laws

Facebook chief executive Mark Zuckerberg speaks during the Samsung Galaxy Unpacked 2016 event in Barcelona on Feb. 21, 2016. (Manu Fernadez/AP)
Placeholder while article actions load

It was October 2010, and two members of Congress were furious with Facebook. In the eyes of then-Rep. Edward J. Markey and Rep. Joe Barton, the company had failed its users in allowing app developers to take personal data from them and their friends — and transmit it to marketers.

Fretting that those “series of breaches of consumer privacy” had affected millions on the social site, the bipartisan duo then sought to issue Facebook a subtle warning, touting the “comprehensive privacy legislation [that] is currently pending” on Capitol Hill.

Such legislation never passed. Almost eight years later, though, Facebook is once again under fire for a privacy mishap involving millions of users’ personal details landing in the hands of a third party, Cambridge Analytica, a data analysis firm that worked for the Trump campaign. And some members of Congress are once again threatening to act.

“I think that this privacy spill is politically the equivalent of the oil spill in the Gulf of Mexico,” said Markey, now a senator from Massachusetts, in an interview Thursday. “Because it involves our very democracy, I think [it] is going to draw more attention of the American public to this issue.”

The new catalyst is Cambridge Analytica. Facebook last week said the data firm in 2015 wrongfully obtained names, “likes” and other personal information from at least 30 million Facebook users, which it used to help create “psychographic” profiles of voters. In response, Cambridge Analytica said it “fully complies with Facebook’s terms of service.”

The incident, revealed last week, still has exposed Facebook and its chief executive, Mark Zuckerberg, to unprecedented criticism. The social networking company’s stock tumbled, wiping away billions of dollars in value. It took days for Zuckerberg to publicly address the crisis — and when he finally did, on Wednesday, he suggested there are “things like ads transparency regulation that I would love to see.”

A spokesman for Facebook didn’t immediately respond to a request for comment. On Wednesday, though, Zuckerberg personally pledged to “learn from this experience to secure our platform further and make our community safer for everyone going forward.”

Policymakers in the United States and around the world didn’t wait for Zuckerberg to speak to start scrutinizing the company, hoping that Facebook’s mistakes — and a general, turning political tide against the tech industry — might finally help them tame web giants’ appetites for consumers’ personal information.

On Friday, a powerful group of lawmakers, the Senate Commerce Committee, became the second panel on Capitol Hill to invite Zuckerberg to testify. Its leaders, Republican Chairman John Thune (S.D.) and Democratic Sen. Bill Nelson (Fla.), said in a statement they hoped to press the Facebook chief executive on his “plans to restore lost trust, safeguard users’ data, and end a troubling series of belated responses to serious problems.” And several investigations are underway, including at the Federal Trade Commission, which could slap Facebook with fines that spill into the millions of dollars.

“I think the allegations here absolutely highlight the limited rights Americans have to their data, and [they] should tee up a conversation about the kind of protections we need for the digital age,” Democratic FTC Commissioner Terrell McSweeny said in an interview. She declined to comment on the agency’s probe.

For now, the U.S. government isn’t totally lacking in laws that govern the ways that companies collect, swap and sell data. There are strict rules that govern the privacy of Americans’ financial transactions and health records, for example, and there are special protections for children younger than 13 who browse the Web.

But there’s nothing in federal rule books that requires tech giants, advertising behemoths and other barons of the digital economy to obtain a Web user’s permission every time they collect a specific piece of data about their online activity or swap or sell it with a third party. Companies like Facebook and Google aren’t required to minimize the volume of data they collect or delete it after a certain period of time, either.

Meanwhile, a key U.S. enforcement agency, the FTC, is strictly limited in its ability to issue fines. Often, it can only slap tech companies with major financial penalties on their second offense. Technically, its governing statute doesn’t mention privacy; it’s just supposed to probe those companies that act unfairly or deceive consumers, including those online. And the agency is severely hamstrung in its ability to write its own rules, too.

McSweeny, the FTC commissioner, said her agency should have “some kind of civil penalty authority” so it can punish the worst abusers.

Newly, though, McSweeny said she supported a “substantial policy conversation around the kind of data practices” used by firms like Cambridge Analytica. That includes psychographics, and “really powerful analytics and automated technology,” and “AI-driven systems that can be used for misinformation on a massive scale.”

“I think we should take these warnings for what they are,” she said.

To Republican Sen. Lindsey O. Graham (S.C.), meanwhile, there are myriad unresolved troubles with the Web — including terrorists who use it as a recruiting tool and “manipulation by foreign governments and intelligence services,” he said in an interview. “And then you’ve got the fact that data can be used for political purposes, probably outside people’s imaginations.”

Asked whether he believed that would merit a new law on these and other issues, Graham replied: “The long-winded answer is: yes.”

Zuckerberg’s early, broad support for greater regulation in the wake of the Cambridge Analytica controversy contrasts with the years of lobbying by Facebook and its tech peers in D.C. to stave off any new rules that would restrict the information they collect — the lifeblood of their business models.

“I think the tech sector has been enormously effective at arguing about all the benefit it provides through the explosion of digital commerce, and has been able to constantly push back against privacy legislation,” said Gene Kimmelman, the president of Public Knowledge, a D.C.-based consumer group.

In 2016, for example, the Federal Communications Commission under President Barack Obama sought to issue new privacy rules for the Internet. At the time, a top trade group for the tech industry, the Internet Association, urged the agency to leave companies like Facebook and Google untouched, focusing its efforts instead on providers like AT&T and Comcast.

Last year, an effort by Republican Rep. Marsha Blackburn (Tenn.) that would require these tech companies to obtain customers’ permission before selling their data to advertisers drew sharp opposition from a wide array of players, including Facebook and Google. Together, they shelled out nearly $30 million in lobbying expenses in 2017 on a range of issues, including a campaign to fight her proposal, according to federal records.

And Facebook joined with Google, Comcast and others this year in fighting a ballot measure in California that would allow consumers to opt out from having their information shared with advertisers while opening the companies to new lawsuits if they suffer data breaches. Facebook so far has spent about $200,000 to try to defeat the idea, state ethics records reflect.

In response, the tech industry stressed it isn’t unregulated or uncooperative.

“The internet industry routinely works with lawmakers and regulators as they evaluate legislative and regulatory proposals,” Noah Theran, a spokesman for the Internet Association, said in a statement. “Our companies comply with a wide variety of regulations, including on privacy, and frequently take part in the regulatory process on a host of issues. We will continue to be a productive part of the privacy conversation in the U.S. and around the world.”

Some Republicans in Congress also have been wary of additional regulation, raising the specter that any push to rein in the privacy practices of Facebook and the rest of Silicon Valley still faces a tough climb.

For example, in the aftermath of Facebook’s missteps, Thune, the Commerce Committee chairman, said it would “depend on how they react, what they decide to do on their own.”

Sen. John Cornyn (R-Tex.), meanwhile, acknowledged this week that “most people would be surprised at how much data mining takes place, how much information these companies acquire to sell advertising and to sell to third parties for various purposes,” he said. But on regulation, he added: “I would want to get information first before we consider something like that.”

For Markey, those statements suggest that political obstacles remain even years after one of his earlier warnings about Facebook — “given the deregulatory philosophy of Republicans combined with the still great monetary power of the tech community,” he said.

“But,” Markey added in an interview, “I’m eternally optimistic. That’s why I’m still here. I do know that the moment is coming.”