Not long ago, debates about privacy and surveillance were theoretical. What’s the harm if Amazon and Google and Facebook know my thoughts and desires? They serve me better if they do, and they don’t run prisons or secret police forces.
Those of us who pushed for stronger protections from surveillance have often invoked hypothetical situations in which oppressive states use private data to profile and target undesirable populations or individuals.
We no longer need to conjure hypotheticals. On June 29, Facebook revealed to congressional investigators that it granted Mail.ru, a Russian internet company with close ties to the Kremlin, a special extension of the Facebook policy that allowed thousands of application developers access to massive amounts of user data.
Mail.ru ran applications on Facebook for years before 2015, allowing it to delve into Facebook profiles and activity from millions of users around the world. This was standard Facebook policy. Thousands of companies that built applications on the Facebook platform had access to potentially millions of users’ information.
Mark Zuckerberg had told Congress in April that Facebook ended this policy of massive data sharing in May 2015. But in its 748-page response to questions from the House Energy and Commerce Committee, the company admitted that it had granted a handful of companies permission to continue to have access to that data for six extra months. Mail.ru was on the list of companies granted this favor.
While Americans have been justifiably appalled that an obscure political consulting firm, Cambridge Analytica, had rich behavioral data on at least 87 million voters, we should be more concerned that companies like Mail.ru had access to the same data.
The Russian company was founded by Yuri Milner, a businessman who was a major investor in Facebook. Mr. Milner sold his shares in Facebook in 2013 and left Mail.ru years earlier. The Paradise Papers, a collection of secret documents showing how the wealthy hide their money, showed that Mr. Milner had received hundreds of millions of dollars from the Russian government, which he invested in Facebook and Twitter. He has also invested in a development run by Jared Kushner.
Facebook has not released the full list of thousands of companies around the world that had similar, almost complete, access to our likes and desires for years. The public might never know how many of these companies were connected to other dangerous and destructive forces in the world.
Any oppressive state seeking to monitor troublesome elements of its population — such as gay-rights groups, religious minorities, political critics or human-rights workers — could use such front companies to collect Facebook information on critics and stifle dissent. Nationalist leaders like Rodrigo Duterte in the Philippines, Narendra Modi in India and Uhuru Kenyatta in Kenya use Facebook to spread propaganda and derogatory information about opponents and critics. Having access to extensive personal Facebook data on citizens could make such leaders more dangerous.
Myths about Facebook — that it helped democratic uprisings in Tunisia and Egypt and that it has connected brave activist movements of all kinds — have kept Americans under the spell of Mr. Zuckerberg and Facebook. The reality, as astute social media scholars have been warning for years, is that Facebook is much more likely to be the source of dangerous state surveillance of activists.
Facebook has no idea how much personal data it let companies have or how far it might have traveled. It might never know. And neither will we.
We do know about Mail.ru, although we do not know how the company might have used Facebook data, or what other groups in Russia might have then acquired or used that data. That should be enough to call for stiffer regulatory penalties on Facebook.
This week, the Information Commissioner’s Office in Britain issued its maximum fine of £500,000, about $600,000 (what the company makes about every 30 minutes), against Facebook for failing to protect its users by allowing Cambridge Analytica access to data without notice or permission. The report, which was prompted by concerns about efforts to influence voters in the 2016 Brexit campaign, found that Facebook “contravened the law by failing to safeguard people’s information” and “failed to be transparent about how people’s data was harvested by others.”
The European Union’s new General Data Protection Regulation might prevent future excesses. Brazil, Japan and South Korea are considering similar protections for their citizens.
In the United States, Facebook faces investigations of its data-sharing practices by the Department of Justice, the Federal Trade Commission and the Securities and Exchange Commission. Federal regulators have a poor record of fining companies that abuse the public trust or break the law. But these offices are likely to issue stinging reports on Facebook’s irresponsibility.
The process of holding Facebook to account will take many years. But the debate over privacy and surveillance is no longer about “what ifs.” Facebook has already made us vulnerable to abuses by hostile forces around the world. Responsible, accountable governments must do more to protect us.
Siva Vaidhyanathan is a professor of media studies at the University of Virginia and the author of Antisocial Media: How Facebook Disconnects Us and Undermines Democracy.