The Washington PostDemocracy Dies in Darkness

No, Mark Zuckerberg, we’re not really in control of our data

From alleged political bias to his personal character, here were the big issues from Facebook CEO Mark Zuckerberg’s hearings on Capitol Hill. (Video: Jhaan Elker/The Washington Post)

The Mark Zuckerberg that showed up in a suit in Washington this week is mature. He’s sweat-resistant. But he’s still hiding something.

Some 45 times — I was counting — the Facebook CEO told members of Congress that we’re in control of our data, when it’s plainly impossible for most people to figure out how to do so. That makes it hard to buy what he’s selling, even if it’s free.

Zuckerberg’s testimony on Capitol Hill was as much about personal technology as it was political theater. Members of Congress spent many hours attempting to figure out just how Facebook works. You can poke fun at their octogenarian ignorance, but they were just as confused as many Americans. Zuckerberg has never really explained just how much data Facebook collects and what it does with it. As Sen. John Neely Kennedy put it, Zuckerberg’s user agreement “sucks.”

What if we paid for Facebook — instead of letting it spy on us for free?

This week was Zuckerberg’s chance to reintroduce himself as the face of Facebook and introduce changes that make Facebook less creepy. There wasn’t any Steve Jobs-style unveiling, but I reviewed his performance just like any tech launch. Whatever action lawmakers might (or might not) take next, each of us still needs to decide how much Facebook belongs in our lives.

Zuckerberg 2.0 is an upgrade from the hoodie-clad hacker many Americans met in the movie “The Social Network.” When the man put on a suit and let politicians grill him for 10 hours, Facebook too became a grown-up enterprise. Facebook’s onetime motto “move fast and break things,” has been replaced by the snoozer “move fast with stable infrastructure,” Zuckerberg said with a smile.

Zuckerberg told Congress he’s idealistic and promised he wants to fix many of the problems in his product, even if it costs a lot of money, and was willing to embrace some new regulation. That’s not something we hear from most CEOs.

But he wasn’t nearly as thoughtful on the problem that cuts closest to the business that’s made him a billionaire. On questions about data privacy, Zuckerberg gave generic assurances. “We never sell your data,” he said repeatedly, even though that’s not really the issue.

Whenever he was questioned why Facebook collects so much data, he wheeled out: “You have control over your information.”

That’s like saying anyone can control a 747 because it has buttons and dials. Many pilots even opt for autopilot.

Yes, when you publish a photo or post on Facebook, you can set an audience — just friends or public. (There’s a drop-down menu that says “Who should see this?”) But Zuckerberg acts like keeping your cousin from seeing photos of your escapades in Cancun is the end of the data challenge. It’s not.

Facebook is hiding behind bad product design. Rather than minimizing the amount of data it collects or setting defaults that truly prioritize privacy, Facebook presents a theater of controls and settings that few people use.

The issue is how much data Facebook is collecting about us on its own. Well beyond what we choose to post, Facebook can track the location of your phone, what apps you’re using and even what websites you visit using its well-known “Like” button and an invisible tool called the Facebook Pixel. Facebook’s data-mining operation can tap real-world activity such as when you use a store loyalty card. It generates biometric data from your photos.

Beyond the information you volunteer like age and employer, Facebook draws inferences about your ethnicity, politics and more — information that’s useful for regular advertisers and darker forces alike. (The Russia-linked Internet Research Agency bought more than $100,000 worth of ads from Facebook as part of its efforts to manipulate the 2016 U.S. elections.)

Sen. Richard J. Durbin got to the heart of the matter when he asked Zuckerberg whether he would be comfortable sharing the name of the hotel where he was staying. After a long pause, Zuckerberg said that he would not.

“I think that may be what this is all about,” Durbin said. “Your right to privacy. The limits of your right to privacy and how much you give away in modern America in the name of quote, 'connecting people around the world.' ”

Many websites, including The Washington Post, use tracking and ad-targeting technologies, but Facebook has used the sheer volume of its data to dominate the online ad business along with its equally data-hungry rival Google.

Facebook is now in the data-privacy spotlight. Could Google be next?

Facebook does allow you to adjust how some off-Facebook and third-party data is used to target ads, and I wish anyone the very best of luck at figuring out how. As a tech columnist, I’ve spent days studying the many places you have to tap and make adjustments. I wish Congress had asked Zuckerberg to get out his phone and show the world exactly how we’re in control.

In March, Facebook announced it would be streamlining its privacy controls in coming months. Zuckerberg didn't show off these new designs to Congress, but the company says there will be easier-to-comprehend features that explain how Facebook is using a person’s data. Bringing settings currently in 20 places into one is a good start, but privacy experts have said the changes are ultimately “lipstick on a pig” because they don't address needs for better defaults and for deleting data.

Moreover, there’s a giant gap between what most people think Facebook is doing with our data and what’s really going on. We signed up for Facebook to stalk our family and friends, not to be stalked by a corporation.

It’s all there, Facebook counters, in its nearly 6,000 words of data policy and terms of service — 16 pages, if you print it out, single-spaced. Asked how long the average Facebook user spends studying that document, Zuckerberg said he didn’t know and admitted most people probably don’t read the whole thing. (Hey Congress, how about requiring Facebook and others publicly report how long users look at their terms before clicking through?)

That gap in understanding is part of the reason Zuckerberg got hauled in front of Congress for the Cambridge Analytica flap. Facebook allowed our friends to hand over troves of our data to third-party apps without asking us first. (After that data left Facebook, the company did little to ensure that it was handled properly, and now can’t totally account for it. Asked Rep. Frank Pallone Jr. “How can consumers have control over their data when Facebook doesn't have control over the data itself?”) Facebook has closed that particular loophole, but the point is millions of us technically agreed to that happening in the first place. It was buried somewhere in user agreements.

As Rep. Bobby L. Rush asked, “Why is the onus on the user to opt in to privacy and security settings?”

If Facebook wanted us to be in control of our data, it could put at the top of its home page a button that says “stop tracking me everywhere.” (I’d even pay a subscription fee for it.) There would be another one that says “reset my data.” But the reality is, if we all used those tools, it would probably be a disaster for Facebook’s business, which is based on having the largest pile of data to target its ads. Zuckerberg doesn’t want to talk about how his business is inseparable from its surveillance.

During one exchange, Rep. Anna G. Eshoo asked a question that cut to the core of the matter: “Are you willing to change your business model in the interest of protecting individual privacy?”

Zuckerberg replied, “I'm not sure what that means.”

I think he did.