Facebook is one of the "Why's" we need a Data Protection Agency
Over and over in the last 20 years we’ve watched low-cost or free internet communications platforms spring from the good intentions or social curiosity of tech folk. We’ve watched as these platforms expanded in power and significance, selling their influence to advertisers. Twitter, Facebook, LinkedIn, Google—they grew so fast. One day they’re a lovable new way to see kid pix, next thing you know they’re reconfiguring democracy, governance, and business.
Facebook’s recent debacle is illustrative. It turns out that the company let a researcher spider through its social network to gather information on 50 million people. Then the Steve Bannon-affiliated, Robert Mercer-backed U.K. data analysis firm Cambridge Analytica used that data to target likely Trump voters. Facebook responded that, no, this was not a “breach.”
OK, sure, let’s not call it a breach. It’s how things were designed to work. That’s the problem.
For years we’ve been talking and thinking about social networks as interesting tools to model and understand human dynamics. But it’s no longer academic—Facebook has reached a scale where it’s not a model of society as much as an engine of culture. A researcher gained legitimate access to the platform and then just ... kept going, and Cambridge Analytica ended up with those 50 million profiles. The “hack” was a true judo move that used the very nature of the platform against itself—like if you gave MacGyver a phone book and he somehow made it into a bomb.
What’s been unfolding for a while now is a rolling catastrophe so obvious we forget it’s happening. Private data are spilling out of banks, credit-rating providers, email providers, and social networks and ending up everywhere.
So this is an era of breaches and violations and stolen identities. Big companies can react nimbly when they fear regulation is actually on the horizon—for example, Google, Facebook, and Twitter have agreed to share data with researchers who are tracking disinformation, the result of a European Union commission on fake news. But for the most part we’re dealing with global entities that own the means whereby politicians garner votes, have vast access to capital to fund lobbying efforts, and are constitutionally certain of their own moral cause. That their platforms are used for awful ends is just a side effect on the way to global transparency, and shame on us for not seeing that.
So are we doomed to let them take our data or that of our loved ones and then to watch as that same data is used against us or shared by hackers? Yes, frankly. We’re doomed. Equifax Inc. sure won’t save us. Do we trust Congress to bring change? Do we trust Congress to plug in a phone charger? I’ll be overjoyed to find out I’m wrong. In the meantime, turn on two-factor authentication everywhere (ideally using a hardware dongle like a YubiKey), invest in a password manager, and hold on tight.
The word “leak” is right. Our sense of control over our own destinies is being challenged by these leaks. Giant internet platforms are poisoning the commons. They’ve automated it. Take a non-Facebook case: YouTube. It has users who love conspiracy videos, and YouTube takes that love as a sign that more and more people would love those videos, too. Love all around! In February an ex-employee tweeted: “The algorithm I worked on at Google recommended [InfoWars personality and lunatic conspiracy-theory purveyor] Alex Jones’ videos more than 15,000,000,000 times, to some of the most vulnerable people in the nation.”
The head of YouTube, Susan Wojcicki, recently told a crowd at SXSW that YouTube would start posting Wikipedia’s explanatory text next to conspiracy videos (like those calling a teen who survived the Parkland, Fla., shooting a “crisis actor”). Google apparently didn’t tell Wikipedia about this plan.
The activist and internet entrepreneur Maciej Ceglowski once described big data as “a bunch of radioactive, toxic sludge that we don’t know how to handle.” Maybe we should think about Google and Facebook as the new polluters. Their imperative is to grow! They create jobs! They pay taxes, sort of! In the meantime, they’re dumping trillions of units of toxic brain poison into our public-thinking reservoir. Then they mop it up with Wikipedia or send out a message that reads, “We take your privacy seriously.”
Given that the federal government is currently one angry man with nuclear weapons and a Twitter account, and that it’s futile to expect reform or self-regulation from internet giants, I’d like to propose something that will seem impossible but I would argue isn’t: Let’s make a digital Environmental Protection Agency. Call it the Digital Protection Agency. Its job would be to clean up toxic data spills, educate the public, and calibrate and levy fines.
How might a digital EPA function? Well, it could do some of the work that individuals do today. For example, the website of Australian security expert Troy Hunt, haveibeenpwned.com (“pwned” is how elite, or “l33t,” hackers, or “hax0rs,” spell “owned”), keeps track of nearly 5 billion hacked accounts. You give it your email, and it tells you if you’ve been found in a data breach. A federal agency could and should do that work, not just one very smart Australian—and it could do even better, because it would have a framework for legally exploring, copying, and dealing with illegally obtained information. Yes, we’d probably have to pay Booz Allen or Accenture or whatever about $120 million to get the same work done that Troy Hunt does on his own, but that’s the nature of government contracting, and we can only change one thing at a time.
When it comes to toxic data spills, it’s hard to know just how exposed you are. Literally all of us have been hacked—hard and a lot and mostly behind our backs. At least we could start to understand how bad it is. We could teach high school students to check the DPA site, to manage their own breaches. You’d go to the website to get good information about recovering from identity theft or a new social security number (we should also get rid of social security numbers as identification, but that’s another subject). It would have the forms you need to restore your identity, assert that you’d been hacked, and protect yourself. A nice thing for a government to do.
Let’s keep going! Imagine ranking banks and services by the number of data breaches they’ve experienced. Or a national standard for disclosure of how our private information is shared. (These ideas have been floated before in lots of different forms; the point is, how nice would it be if there was one government agency insisting on it in the same way that we have nutrition labels and calorie counts on our packaged foods?) The Consumer Financial Protection Bureau was headed in this direction—if it can survive the current maelstrom, maybe its mandate could be expanded.
So: Lots of helpful information, plenty of infographics, a way to track just how badly you’ve been screwed, and, ideally, some teeth—the DPA needs to be able to impose fines. I’m sure there’d be some fuss and opposition, but, come on. The giants have so much money it would hardly matter. And consider this from their perspective: How much better will it be to have your lawyers negotiate with the DPA’s lawyers instead of being hauled before Congress every time someone blows a whistle on your breaches?
The EPA’s budget is more than $8 billion, a little on the high side for the digital version. You could pull this off with $15 million or $20 million for tech infrastructure and to support a team—four engineers to build the platform, some designers, and then a few dozen graphic artists to make the charts and tables. Add on $2 billion for management and lawyers, and you’ve got yourself a federal agency.
I know that when you think of a Superfund site, you think of bad things, like piles of dead wildlife or stretches of fenced-off, chemical-infused land or hospital wings filled with poisoned families. No one thinks about all the great chemicals that get produced, or the amazing consumer products we all enjoy. Nobody sets out to destroy the environment; they just want to make synthetic fibers or produce industrial chemicals. The same goes for our giant tech platforms. Facebook never expected to be an engine that destroys America. Lots of nice people work there. Twitter didn’t expect to become the megaphone of despots and white nationalists. But the simple principles of “more communication is better” and “let’s build community” and “we take your privacy seriously” didn’t stand a chance under the pressure of hypergrowth and unbelievable wealth creation.
Unfortunately, ethics don’t scale as well as systems. We’ve poisoned ourselves, and more than a little. Given the money and power at stake, it’s going to be hard to get everyone to admit we’re sick. But we owe ourselves—and, cliché though it may be, we owe our children—to be more pragmatic about treating the symptoms.