Social media has a competition problem, and its name is Facebook. Today, Facebook and its subsidiaries are over ten times more valuable than the next two largest social media companies outside China—Twitter and Snapchat—combined. It has cemented its dominance by buying out potential competitors before they’ve had a chance to grow (like Instagram) and waging wars of attrition against others (like Snapchat) when it can’t. Because of its massive reach across much of the world, the platform can effectively censor public speech, perform psychological experiments, and potentially sway elections on the scale of a nation-state. And if users don’t like the way Facebook wields this power, there is nowhere else as ubiquitous or as well-populated for them to go.

It’s going to take multiple changes to fix the problems, in free expression and elsewhere, caused by Facebook’s dominance. If we’re going to have a real shot at it, one thing that needs to change is giving users meaningful control of their own data.

Facebook’s trove of user data is its most valuable asset, which presents a dilemma. Thanks to network effects, every user who joins a social network makes it more valuable for advertisers and more useful to everyone else. Without some access to the data Facebook has, it’s virtually impossible for upstart platforms to compete with the behemoth now used by nearly a third of the world.

At the same time, the ways Facebook chooses to share its data often go terribly wrong. Users have been rightfully outraged to learn about Facebook’s troublesome use and misuse of their data in the past, including the recent Cambridge Analytica scandal. Since these breaches of trust were often enabled by Facebook’s third-party Application Programming Interfaces (APIs), some analysts have come to the conclusion that there’s an unavoidable trade-off between interoperability and privacy.

There’s some truth to that, but it’s too simplistic. And it leads to appointing Facebook keeper and protector of the world’s data.

We believe there’s another way to look at it.

Facebook should let users take back control of their own data. This doesn’t raise the same privacy problems as letting third parties suck up everything about all of us. If done with care, it can be accomplished without opening the door to shady actors like Cambridge Analytica. In addition, Facebook has to start thinking differently about how it interacts with third-party developers. Instead of granting them access to data but forcing them to work within its walled garden, Facebook should serve as a hub, allowing developers to create new experiences for users that build off of the core service it offers and hosts. Ultimately, Facebook does not have to be any less diligent about protecting users from malicious actors. It just has to stop “protecting” them from legitimate competitors.

Facebook already recognizes that it is under pressure to improve its data portability story. Last week it announced that, along with Twitter, it was joining Microsoft and Google’s data portability initiative, the Data Transfer Project. While we applaud that move on behalf of all of these tech companies, our concern is that this, and similar, projects will be used to fend off regulation without substantially changing the status quo. The Data Transfer Project is a set of tools and standards to make it technologically easier to move data from one place to another. However, without substantive changes to the Facebook’s policies and processes, this project alone won’t give us meaningful portability away from the tech giants or tools that empower end-users themselves.

We think Facebook should:

  • Give users a tool for real data portability. That includes a way to export the rich contact list that Facebook hosts and the tracking data Facebook collects without meaningful consent.
  • Open up its platform policy to enable competitors, cooperators, and follow-on innovators. Allow developers to use Facebook’s APIs for software that modifies or competes with the core Facebook experience.
  • Interoperate with next generation of social networks via open standards. Adapt Facebook’s APIs to use the W3C’s social web protocols where appropriate, and allow open, federated services like Mastodon to work with Facebook as partners.

Let’s go into more detail on each of these.

Make data truly portable

Data portability allows a user to take their data and move it to a different platform. Many tech companies have long supported data portability as a core value.

Facebook, however, has a history of taking advantage of the data portability features offered by other companies as a means to an end: growing its own network. In its early years, for example, Facebook benefited immensely from Google's portability efforts. Facebook encouraged users to download their contacts lists from Gmail, then upload them to Facebook, in order to build out its social network.

At the same time, Facebook has always dragged its feet when it comes to portability from its own platform. In its early years, Facebook displayed users’ email addresses on their profile pages, not as text, but as images, making it frustratingly difficult to download lists of friends’ contact information, or even to copy and paste a single address into an email client. Until recently, Facebook’s data export tool provided users with an inscrutable, unparseable mess of text and HTML.

Europe’s General Data Privacy Regulation (GDPR), which took effect May 25, 2018, declares data portability a basic right for all European citizens. In accordance with GDPR, Facebook’s newest export tool allows users everywhere to download their data in the machine-readable JSON format. But Facebook’s export tool only includes a small subset of the data the company actually has about its users, and it falls short of empowering users to pick up their data and take their business elsewhere.

Facebook’s promise to work with the Data Transport Project is encouraging, but if they don’t use it as an opportunity to address wider issues with their current tools, it won’t mean substantial change for users.

Free the friends list

Facebook’s newest data-export tool exports friends lists—the building blocks of the social network, and arguably the data most critical to its competitive advantage—in the form of plain-text names without unique identifiers. This makes it impossible for a user to take their list of friends to a competing service. Any social network trying to parse Facebook’s list won’t be able to tell whether “John Smith” refers to John Smith in Haight-Ashbury, John Smith in Sri Lanka, or John Smith the 17th-century British explorer.

Facebook has claimed it doesn’t want to let users export their friends’ email addresses for privacy reasons, but remember that Facebook was more than happy to take advantage of Gmail’s tool to grow its own network. Facebook could build a better export tool without raising tough privacy questions. Associating names with unique identifiers, like “John Smith, user number 100372813,” would allow competing services to disambiguate common names.

It’s not just competing social media companies that would benefit. Facebook friends lists are essentially rich “contact lists” that give its other products, especially WhatsApp and Messenger, a distinct competitive advantage. Facebook was built on data ported from the incumbent services of its time. Now, it’s time to return the favor.

Let users see how they’re being tracked

Another area where Facebook’s tool is seriously lacking is in the advertisement data it exports. The company tracks whenever you use one of the hundreds of thousands of websites and apps that use Facebook technology, and it uses those data to target ads. You can see a list of plain-text “topics” that Facebook believes you’re interested in, but there is no record of the browsing data the company used to determine those interests.

With these trackers, Facebook is engaged in massive, nonconsensual surveillance of its users’ habits both on the web and on their phones. You can’t opt out of collection or delete these data—the best you can do is to stop it with a tracker blocker like Privacy Badger. We think Facebook should stop this entirely, but the least it can do is let you see what it knows: its detailed record of where you’ve been, what sites you’ve visited, and what advertisers have paid Facebook for your eyeballs.

Recently, Facebook has hinted at giving users the ability to delete historical tracking data about them. This would be a great step forward, but ultimately, users deserve full control of when and how they are tracked. That includes first-class access to the detailed data Facebook has.

Interoperate, Federate, Innovate 

Interoperability is the extent to which one platform’s infrastructure can work with others. In software parlance, interoperability is usually achieved through Application Programming Interfaces (APIs)—interfaces that allow other developers to interact with an existing software service. For example, Facebook’s APIs allow third-party apps to verify a user’s identity, access their data, and even post on their behalf with that user’s permission.

When big companies build interoperable platforms, it’s often a boon to everyone. “Follow-on innovators” can leverage the tools that a platform has pioneered to make better experiences for the platform’s users, to offer novel tools that build on the platform’s strengths, and to allow users to interact with multiple major services at the same time. For example, PadMapper started by organizing data about rental housing pulled from Craigslist posts and presenting it in a useful way; Trillian allowed users to use multiple IM services through the same client and added features like encryption on top of AIM, Skype, and email. On a larger scale, digital interoperability enables decentralized, federated services like email, modern telephony networks, and the World Wide Web. Facebook’s lack of true interoperability, especially for enhancing or competing services, is one of the ways it has cemented its position.

Use app review to protect users, not stifle innovation

The Cambridge Analytica scandal was a result of Facebook offering extremely powerful APIs to third-party apps. Facebook made it too easy for apps to request data about users and all of their friends, and too easy for users to agree to sharing data without understanding the implications.

In response to the scandal, Facebook has tightened control over their interoperable tools across the board and removed some of the more problematic APIs altogether. However, the scandal has also given the company an excuse to make life more difficult for would-be innovators. We must detangle the two if we’re going to reduce Facebook’s power.

Currently, the “platform policy” that Facebook requires developers to agree to in order to use its APIs is designed to protect Facebook’s interests as much as, if not more than, its users’. For example, Section 4.2 prevents offering “experiences that change the way Facebook looks and functions.” This explicitly prevents app developers from trying to improve the UI, or even allowing users to customize it for themselves. Other clauses, like “respect the limits we’ve placed on Facebook functionality,” similarly reflect Facebook’s desire to maintain tight control over the ways its users interact with their data in the platform.

Furthermore, Section 4.1 states, “Don’t replicate core functionality that Facebook already provides.” This gives the company grounds to reject any competitive social network that would federate its service with Facebook.

App review is an important practice, and Facebook should continue working to prevent malicious developers from leveraging its platform to harm users. However, the company should allow others to build on and differ from what it has created in meaningful ways. A platform as vast and powerful as Facebook should be a jumping-off point for innovators, not a means for the company to impose a single experience on everyone in its network.

Interface with the next generation of federated social networks

Successful interoperability is almost always powered by open standards. Email is a good example. Thanks to widely-adopted protocols like SMTP and IMAP, you can sign up for an account on FastMail and send messages to your friends who use Gmail, Yahoo, AOL, and Microsoft seamlessly. Email is a federated service: it comprises many decentralized, independent service providers that communicate with a set of common, open standards. As a result, users get to choose both the company they trust to host their messages and the software they use to access them.

Facebook should adapt their APIs to work with the World Wide Web Consortium’s recently-developed Social Web Protocols, like ActivityStreams and ActivityPub. This would give developers a stable, flexible interface to Facebook’s platform and make it possible for Facebook to interoperate with the next generation of federated services like Mastodon. In the future, Facebook could become just one of a vast network of independent social servers. Users could choose to host their data on the service with the features and policies that they preferred and still be able to interact with their friends on Facebook and elsewhere.

It’s Not Just Facebook

There was a time when data portability was seen as a positive goal for emerging tech companies: Mark Zuckerberg said recently — with a tone of regret — that it was something Facebook engineers considered, many years ago:

I do think early on on the platform we had this very idealistic vision around how data portability would allow all these different new experiences, and I think the feedback that we’ve gotten from our community and from the world is that privacy and having the data locked down is more important to people than maybe making it easier to bring more data and have different kinds of experiences.

We disagree that’s how the feedback Facebook is receiving from users and lawmakers should be interpreted. What users want is both security and real control over their experience — and they don’t want to cede how to do that exclusively to what Mark Zuckerberg decides is appropriate.

But, to be clear, a choice between having Facebook decide what your needs are, or Google or Twitter or Microsoft, can’t be enough either. When we’re talking about nearly 8 billion people, it’s inconceivable that a handful of (largely American) companies will be able to deliver that balance for everybody.

With initiatives like the Data Transfer Project, we are concerned that these companies are already acting as though the most important portability is between their own shared conception of what an Internet service is. The Data Transfer Project will enable users to move data directly between two services, but it remains to be seen what data Facebook lets you transfer and where it lets those data go. We know there’s more to the Internet than this decade’s version of a successful, venture-capital funded, West Coast company. All of these companies need to hand back over control of people’s data, so we can decide what we want to do with it.

How We Get There

Facebook has the power to make all of these changes on its own. Doing so would mean a more socially responsible company, a better experience for its users, and a more level playing field for its competition. If the company isn’t willing to help, governments may have to step in. Congress can pass laws that mandate real data portability, as the GDPR already does in Europe. Such laws should require that data like a user’s friends list be accessible to that user in a useful format. The Federal Trade Commission (FTC) has authority to impose “behavioral remedies” on companies that illegally maintain market power. Fixes for data portability and interoperability could be part of an antitrust remedy or negotiated settlement with the FTC.

And if some politicians are  reticent to regulate the tech industry, there’s still work that could be done to empower users to fix the problem themselves — by fixing laws that prevent users from taking their data back. Facebook and the other tech giants fence off their data, even from end-users, through their narrow terms of service that seek to limit what users — or their tools — can do on a site or service. Users shouldn’t have to fear losing access to their account just because they have decided to download or scrape their own data from it. And no one in the Internet ecology should fear prosecution from statutes like the CFAA for empowering users to move, delete or examine the data that big tech has on them.

None of these solutions is a panacea. Facebook wields other kinds of market power which smaller companies may not be able to overcome, and which we may need to address in other ways. But data portability and interoperability could help transform Facebook from an obstacle to a catalyst for innovation. If it were more feasible for users to take their data and move elsewhere, Facebook would need to compete on the strength of its product rather than on the difficulty of starting over. And if the platform were more interoperable, smaller companies could work with the infrastructure Facebook has already created to build innovative new experiences and open up new markets. Users are trapped in a stagnant, sick system. Freeing their data and giving them control are the first steps towards a cure.

This summer, EFF is looking at how corporate concentration is harming the Internet and how to fix it. Interoperability and data portability are just one set of tools, and Facebook is just one company. Stay tuned for more discussion about what’s wrong, who’s responsible, and the right and wrong ways to address it.