Facebook, the world’s largest social media company, has shown yet again that it does not deserve our trust. A New York Times investigation revealed that Facebook shared its users’ private data, without its users’ consent, with other tech giants including Microsoft, Amazon, and Netflix.
The Times report revealed that Facebook parceled out deeply personal information from its users to other companies without first asking if that was alright. Facebook users’ private messages went to Netflix, Spotify and the Royal Bank of Canada. The names and contact information for their friends went to Sony, Microsoft, and Amazon. Yahoo even got a real-time feed of what users’ friends were up to—without telling either the user or their friends.
Press investigations have exposed, time and again, that Facebook and other tech companies too often will choose their profits over your privacy. This underscores the need for stronger privacy laws across the country, and for Congress to refrain from preempting the privacy rights that states have granted their own citizens.
The California Consumer Privacy Act, enacted in June, set a foundation for better privacy law in the United States. It grants the people of California the right to know what information companies have about them, the right to access and delete information, and the option to tell companies not to sell their data. EFF and our allies are working to strengthen this law, and we hope other states will adopt similar laws.
Tech industry groups such as the Internet Association, which counts Facebook as a member, have asked California legislators to weaken even these basic privacy protections. Big tech companies are also now calling for a national privacy law (after years of claiming that self-regulation would be enough to keep them in line, a claim that is obviously not true), but only if that national law "preempts" and rolls back vital state protections.
We are particularly troubled by the Times’ new report that Facebook is undermining user privacy by misinterpreting the term “service provider,” which is an exception to the privacy rules in the FTC’s 2011 consent order with Facebook.
Many data privacy rules properly limit transfers of personal data from one company to another. Such transfers increase the risks of theft by hackers, misuse by employees and contractors, and new uses never anticipated by the consumers who supplied the data.
Many of these privacy rules have an exception for transfers by a company to one of its "service providers." For example, a rule might generally require a company to get consumer consent before sharing consumer data. But that company might not be required to get consent before storing consumers' data with a third-party data storage service, provided the storage service does nothing with the data except store it. California's new data privacy law contains such an exception, as do many other data privacy laws and bills.
So we are especially alarmed by the Times’ new report of how Facebook’s privacy director, Stephen Satterfield, interprets the “service provider” exception to the data privacy rule:
With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself — service providers that allowed users to interact with their Facebook friends. The partners were prohibited from using the personal information for other purposes, he said. “Facebook’s partners don’t get to ignore people’s privacy settings.”
To the contrary, the kinds of company-to-company data sharing described in the new Times article do not fall within any reasonable definition of “service provider.”
As lawmakers across the country write new rules to prevent the next data privacy scandal, we must ensure that any exceptions for “service providers” are narrow and clear, and leave no room for the kind of misinterpretation apparently used by Facebook to violate its users’ privacy rights.
We also urge lawmakers to consider using many of the legislative tools available to give people the control they crave over the data they provide to Facebook and other companies that trade in data.
This includes requiring opt-in consent to collect personal data. Also, laws should require companies to act as an information fiduciary—a steward with duties of loyalty and care—over people’s data. Laws should also include the right for everyone to have a private cause of action to take companies to court if they break data privacy rules.
This newest Facebook scandal shows that laws like these are long overdue.