During almost ten hours of hearings this week, Facebook CEO Mark Zuckerberg faced questions from nearly 100 members of Congress. And more than a dozen of them brought up the Federal Trade Commission. While questions about that agency may not have made for the sexiest soundbites, its actions may prove to be one of the most important factors in whether Congress actually regulates Big Tech, or just continues to talk about doing so.
The FTC is more of a law enforcement agency than a rule-making one, and one of its primary mandates is protecting consumers from unfair and deceptive practices. Following revelations about Cambridge Analytica, a political marketing firm that improperly obtained personal information from approximately 87 million Facebook user profiles, the FTC announced that it was opening an investigation into Facebook’s privacy practices. Tom Pahl, the acting director of the FTC’s Bureau of Consumer Protection, said in a statement that the agency is “firmly and fully committed to using all of its tools to protect the privacy of consumers.”
This is a big deal — the company’s stock took a hit as reports of the investigation surfaced — in part because Facebook has been in the agency’s sights before. In 2012, the social media behemoth reached a final settlement with the FTC over charges that the company previously deceived consumers by saying their information would remain private “and then repeatedly allowing it to be shared and made public.” The complaint specifically references the fact that users’ data could be obtained by third-party app developers in ways that could have caught those users unaware, which is awfully reminiscent of Facebook’s current fiasco.
As part of an agreement known as a consent decree, Facebook promised to institute and maintain a comprehensive privacy program. William Kovacic, who was an FTC commissioner until 2011 and is now a professor at the George Washington University School of Law, says the agency viewed that privacy program as “a flagship” designed to show how serious the FTC was about making broad protections a rule of the road for the entire tech sector. “If there’s a violation and you don’t do something, your flagship policy is in jeopardy,” Kovacic says. “The stakes here are huge.”
So are the potential fines for violating that consent decree, one of the “tools” the FTC has at its disposal. Each violation could merit a fine of more than $40,000, per user, per day. Multiply that by the 87 million users affected by the Cambridge Analytica leak, and theoretical fines quickly jump into the trillions — a potentially devastating figure even for Facebook, which has a market capitalization of about $480 billion as of this writing. Though Kovacic says it’s unlikely the FTC would ever pursue such a ruinous amount, it could be a bargaining chip. The question, he says, is how big of a number would show that the FTC is very serious about its policy and its decree. “It’s hard to imagine the commission would walk away without a lot of zeroes,” he says.
Facebook has plenty to lose if the FTC proves it violated the agreement, a result that would give merit to allegations that the company isn’t nearly as serious or diligent about privacy as it claims to be. But the FTC also has the potential to look flat-footed. If there was a violation, the FTC is at risk of appearing like it can’t enforce its own decrees. If there wasn’t — if the model policy didn’t actually prohibit the lax practices that led to the Cambridge Analytica scandal — then the agency may look like it can’t handle the increasingly pressing issue of protecting Americans’ privacy. “If the FTC wants to protect themselves as an institution,” one former FTC attorney says, “they might go guns blazing and really try to hammer Facebook.”
Some Republicans have argued that the FTC has sufficient authority to keep tech firms in check, so additional regulations from Congress are unnecessary. Rep. Frank Pallone, a Democrat, said on Wednesday that his GOP colleagues have too often said that new protections are not needed “because the Federal Trade Commission has everything under control. Well, this latest disaster shows just how wrong the Republicans are.” If Republicans want to have a good rebuttal to such statements, then they have reason to hope the FTC is aggressive in its Facebook investigation.
It is not yet clear there was a violation on Facebook’s part, though lawmakers like Connecticut Sen. Richard Blumenthal alleged as much to Zuckerberg’s face during this week’s hearings. Zuckerberg repeatedly said he believes Facebook abided by the wording of the decree, even if it failed in other respects. Company lawyers are no doubt scouring that document closely.
How is it possible that there was no violation of that agreement when so many users feel Facebook violated their trust? Facebook has argued that, technically, there was no “data breach” at all in the Cambridge Analytica case. The company says that a researcher collected data from user profiles in 2013 under the auspices of academic research, then improperly sold that information to a commercial firm, which developed ties to Donald Trump’s 2016 election campaign. The researcher did so by creating an app that about 300,000 people linked to their Facebook profiles. That app then scooped up information about those users but also hundreds of those users’ friends, ballooning the number of affected people into the tens of millions.
Facebook says this isn’t a breach because, though the company has since changed its policies, that was simply how the platform worked at the time. “The way that the platform worked, that you could sign into an app and bring some of your information and some of your friends’ information,” Zuckerberg said during the hearings “is how we explained it would work.” In effect, he suggested that the 87 million users consented to having the researcher end up with their data, just not the firm he sold it to, because selling the information violated Facebook’s policies.
Zuckerberg has apologized for not better policing app developers. He has also announced that Facebook is reviewing tens of thousands of apps that had access to large amounts of users’ data in previous years. But he has maintained that Facebook was still acting by the book. “The system basically worked as it was designed,” Zuckerberg said on Tuesday. “The issue is that we designed the system in a way that wasn’t good.” So far as the FTC investigation goes, this will be an argument that the wrongdoing was done by third parties more than the company itself.
One former FTC attorney notes that Facebook could have failed to disclose information relevant to enforcing the decree, which was written at a time when the technological landscape was less complex. Zuckerberg said during this week’s hearings that the company did not notify the FTC when it became aware in 2015 that a heap of user data was in a place it wasn’t supposed to be because Facebook asked for the data to be deleted and believed it had been. A key factor in an investigation like this, Kovacic says, is the extent of knowledge and culpability on the part of the actor. “A crucial ingredient of this investigation will be to determine when the company became aware of this anomaly and what they did as it became apparent,” he says.
These kinds of tick-tock details will be uncovered as the non-public investigation, which could take months or longer, unfolds. Kovacic notes that the probe has potential to go beyond Cambridge Analytica, winding into a broader examination of the company’s practices, especially if Facebook fights the agency rather than negotiating a new settlement. “You might prefer to wrap things up,” he says, “short of having an exacting study of how you do business by the FTC.” The Department of Justice could also get involved, potentially pursuing civil penalties in court.
Yet agreeing to new conditions or more exacting oversight controls would also be a tricky business for Facebook. “The best the FTC can do is ‘fence in’ Facebook’s behavior to curb how misleading and surprising the company’s information sharing is,” explains Berkeley Law Professor Chris Hoofnagle. He adds that though he believes it is very unlikely for Facebook, “such fencing in” can send companies “on a long-term death spiral.” Part of the reason that won’t happen this time, he says, is simply how widespread the use of the social media platform is. “Facebook will survive any assault by the FTC,” he writes in an email, “because there is no substitute for consumers to go to.”
While privacy is part of the FTC’s mandate, it also oversees other areas like advertising and antitrust. Some critics believe the agency — which did not stop Facebook from purchasing rivals like Instagram and WhatsApp — is partly to blame for the lack of alternatives. “They’re really culpable and they really helped shape the structure of the modern Internet,” says Mark Stoller, a fellow at the Open Markets Institute. He believes the FTC is hesitant to crack down on big corporations but is under political pressure to do the investigation and may do so this time.
If the FTC doesn’t come out of this looking like a cop on top of the beat, more lawmakers may argue that it’s time to enshrine privacy protections and rules about data consent into law, or even set up a new government agency dedicated entirely to data security. During the hearings Wednesday, Rep. Raul Ruiz, a Democrat from California, cited the “weakness of the current system” and failures of tech firms to self-police in arguing that a new bureau might be necessary.
“Would it be helpful if there was an entity clearly tasked with overseeing how consumer data is being collected, shared and used, and which could offer guidelines, at least guidelines for companies like yours to ensure your business practices are not in violation of the law,” Ruiz asked at the House hearing, “something like a digital consumer protection agency?”
As Zuckerberg responded to so many other questions about specific proposals, he expressed a hedging openness to the idea. “Congressman, I think it’s an idea that deserves a lot of consideration,” he said. “But I think the details on this really matter.”