Feeding the Beast: Facebook and Its Government Trade Partners should conform transparently to common US consent law

By Sheila Dean

Consumer-facing consent UI/UX and a transparent third-party data inventory could remedy the social network’s global fall from grace. Far more work is ahead to produce a legitimate privacy enforcement environment.

Facebook’s neglect of third party vendor Cambridge Analytica crossed the line for its users. Unfortunately, social networks with poor third party operations security are everywhere. It was Facebook today, but it could be any number of poorly secured vendors tomorrow. Prior to this event, users and developers alike refused to face the nature of the beast they are feeding.

Some form of regulatory intervention is in the offing. The US government is already deep in the core of Facebook’s operations for regulatory enforcement of an FTC consent decree. Facebook, like Palantir and others, also worked for the US government as big data analytics contractors in 2013’s PRISM scandal. Facebook has licensed deep profile information to the US government and any foreign government who would pay, including Russian social media operations. Special counsel Robert Mueller could easily ask FBI staffers embedded at Facebook’s HQ if this was the collusion they were looking for. If the US government and its regulators are already so involved, regulation may be the lighter hand of justice. Users may need a criminal investigation into US government abuses of power, conflicts of interest, embezzlement or related crimes involving foreign entities. The more likely crime is one of banal disinterest in privacy law enforcement.

Facebook is the beast US corporatism built. The US government, after all, is still an investor in Facebook. How do we get shareholders, like the CIA, to conform to American privacy law provisions and boundaries? As partial owner, the US government may have access to any of its information assets. What does it mean if a US agency profited from data services rendered to Russia for psychological operations? The potential for abuse is now material fact, if it is not the scene of a crime of opportunity.

Facebook’s policy problem lies in a one-size-fits-all EULA contract allowing complete opacity of its vendors. The blanket consent from one Terms of Service contract hardly covers the third party range where personal data was processed by Cambridge for resale to political operatives. The average consumer does not know who has their data once it goes into a social network. If Facebook showed consumers the edge advertising market for their data as notification, they would be legally required to provide means of express consent to license their personal data.

Facebook, like many online services, needs to get out of partisan and government information business lines or the election intrigues will continue. It’s time to ask US government agencies, like the DoD and CIA, to surrender their shares in public ISP companies back to the free market. Their co-ownership in private data conflicts with public interest. Public trade transfer deals featuring government licensed technologies should not be opaque to the US consumer when their personal information is involved in a trade.

Third party risk and liability will still be a problem for society online. Legal enforcement is needed to limit the scope of exchange and sale of personal data based on legitimately sourced and applied US consumer consent. Facebook, and those emulating its brazen business model, should now comply with better defined, transparent data inventory mapping for users to knowingly permit, or more likely deny, unwanted third party exchanges.

We can forgive Facebook as an institution for being led down the wrong path, endorsed and coddled by government insiders. Some later revealed themselves in full view of the public as disgraceful sycophants, soliciting Mark Zuckerberg's permissions and favors, during Congressional disciplinary hearings. Government beneficiaries managed to evade legal consent notice requirements which do, in fact, apply to any information they collect on US Citizens. Board members from the most celebrated privacy non-profits, think tanks, and policy advisors with doctorates from the best universities in the United States have consulted Facebook. Who can help Facebook if their elite battery of advisors endorsed the fantasy they can break US common consent law with no consequences? 

GET LITTLE CAESAR A TOWEL, PLEASE.

It does seem everyone around Facebook is telling them they are so useful and exceptional they don’t have to conform to the law. That line of doctrine misled Facebook to be used as a powerful social tool to connect the world with corruption. They broke laws. Unfortunately, they didn’t do it by themselves. They had lots of enablers and government partners urging them on.

Information security and integrity audits will send any phony fixer lawyers and their marketing apologist firms packing.  One could speculate Facebook's cyber-insurance rates are expected to skyrocket. As we wait on the results of Facebook’s audit, they will confront fines, more civil suits, possible company insolvency and criminal due process for its lack of restraint. Regulatory law enforcement should work to close privacy law enforcement gaps. Their current presence inside Facebook failed to enforce fair, lawful security of private data. 

Even if the government reforms the enforcement conventions for impacted privacy, will fair trade practices emerge from the ashes to cover global data brokerage exchanges? Non-profit interest groups and companies cannot just scuttle away a people's inherent data ownership rights because these rights didn't originate with their nation state or they seem inconvenient to consider. Identity sovereignty is natural and inherent to our humanity. Administrators are talking over each other instead of to each other across the globe and then stony radio silence follows. This conflict is based on differences over the origin of rights in personal data governance. There is very little real debate or statesmanship on this idea.

So here is a working 5 point public policy fix to confront international data exchange stakeholders, as well as US agencies, not playing fair with data owners.

  • Close enforcement gaps and actively enforce existing privacy law concerning notice & consent.
  • Require government partners and non-profits (partisans, research firms) to self-identify to consumers in UX/UI transactions which legally require notice and consent (like trade transfer deals).
  • Adopt or enact Right To Be Forgotten policy in the US.
  • Recognize the rights of the individual Data Owner in business reporting, with monthly exchange statements as an audit requirement, as a matter of human rights and fair trade. If you can’t manage to bring in the data owner as part of your business, consulting them on how much to sell their data for, who to authorize as a seller and reseller and how to sell it, you’re in the wrong business.
  • Recognize essential individual data ownership is paramount to rights of government transfer entitlement and/or embargo thereof. For the US, that is conformance to Privacy Act of 1974 provisions to actively procure and heed individual consent preferences in most cases. For other governments, that means they need to get express consent to profit from personal data of a US citizen using public platform services.

Individual data ownership rights are not in conflict with other rights and can stand with other recognized rights. Particularly, that of self-defense, protection from theft of labor and the diverse perils of slavery, human trafficking and unfair trade practices. We are not the middle man to be cut from the exchanges. Data owners are in fact used and spent as the monetary currency itself. Current exchanges brokering personal data are in an adverse power differential contrary to Principle One of Fair Trade Practices. They are more on par with serfdom. Facebook’s serfs are Exhibit A of a raw deal. Now the world needs a fair trade upgrade.


When Facebook-Cambridge Analytica was not alone

Facebook has a long road ahead. However, for every Facebook, there are thousands of smaller businesses on the freemium model looking toward them as examples of successful business behaviour. While Facebook is a successful company, their CEO appeared before Congress when everyone saw how they failed the public. Help yourself to a better example. If Facebook wants to BE that better example, their actions need to exceed our privacy expectations of baseline evasive legal compliance. Examine how competition can serve Internet users better through right choices and fair exchanges.

EU's Safe Harbor Invalidation means 'You are free to do better.'

Europe’s privacy offices are now empowered to do more than look the other way at compromised data transfers.

Data transfer practices at US companies have reputedly poor standards facing the rest of the globe, particularly developed countries in the EU. The plain sense of the Safe Harbor agreement was to create a protected data pipeline to and from countries across the Atlantic. Unfortunately, actions conducted by US and UK intelligence authorities really victimized Europe’s data partnerships in the vagaries, compromising the intent and integrity of the Safe Harbor agreement. This has led to an Irish-based uprising to successfully invalidate a law that provided no useful protections for data transfers. The ruling will impact the way e-commerce is conducted nearly immediately.

Privacy officers are scrambling to gird themselves under Article 25, EU privacy law. They are throwing out ‘model contracts’ as life savers, now that they have been dumped overboard. They are consulting each other on the would-be Safe Harbor 2.0. Some coming in the form of binding contract resolutions, deferring to the standards of third party countries (Switzerland), auditing the existing data transfer priorities in order to produce a legal, viable alternative to continue commerce and trading. Some are even still standing on the sinking ship saying, “You may still honor the Safe Harbor stand… BLUB, BLUB…*!”

There is enormous potential for good to come from an upset that privacy counsel, Daniel Solove, attributed to “cavalier attitudes” of US governance toward EU data protections. The legal privacy vacuum opened up by the Safe Harbor invalidation can now be filled with far better standards for the human rights of computer users in Europe.

The EU has initiated an atmosphere of conditional embargo with some potential for US-EU commerce based on practice that has failed to protect consumers. Unlawful smash & grabs of non-criminal data based on US laws conducted by the Five Eyes/ECHELON group violates computer users everywhere. The EU now has an opportunity to impose standardized consumer data protections with some real teeth on countries in violation of UNHRC privacy rights. They have cause to cease business relations with any country that doesn’t honor its agreements and violates the human rights of its citizens. While no country wants to pause commercial relations for long, the standards erected now could influence the way US companies collect and distribute data in a global economy respecting privacy.

There are terrific, diverse solutions for higher global privacy standards. Almost instantly, the Snowden Treaty became a relevant go-to for trade reform standard discussions. This suggests trade relations standards would not be harmed or frozen indefinitely over government spying, if companies assume socially responsible protections that do far better than existing law and governance policy. Privacy officials can now bring their most ethical and user-friendly solutions for data management to the table to reform conventional business practices that even the most lazy and apathetic corporate counsels would be forced to conform to. US businesses may see the data protections as a legal relief to require company wide adoption of encryption for all of their consumer and company products. Socially responsible privacy practice has legal means to flourish now that the Safe Harbor falsehood has fallen apart. Finally, they are free to do better.


Reports have indicated that at least 4,500 US companies will be impacted by the Safe Harbor ruling. US businesses will sustain some suffering under drafting of Safe Harbor 2.0 scaffolds, but it’s really for the best.