Cambridge Analytica was bad, but Facebook’s collection of data is just the way the government wants it
It’s been almost two weeks since the Cambridge Analytica scandal broke for the third time since 2015, so it’s time to zoom out a bit and look more broadly at privacy law in the United States, and what those laws mean for a company like Facebook.
Like many stories that coastal elites and thought leaders make a fuss about, this one begins at that school in Cambridge, Massachusetts.
The idea of a “right to privacy” or “right to be left alone” all began in 1890 when two elitist Harvard law students were concerned about the intrusions upon their lives in high society posed by journalists and the fancy new instantaneous camera. Basically, they were worried their dinner parties would be ruined; so worried, in fact, that they wrote a law journal article about it that I assume at least four people have read. This article laid the foundation for the modern formulation of a “right to privacy.”
Let’s walk across the Harvard Yard (is that what people call it?) and skip forward 110 years to the dorm room of a computer science prodigy known by his Live Journal name Zuck On It. Mark Zuckerberg created Facebook for precisely the opposite reason as those snobby law students: he was an awkward computer geek and just wanted a way to meet girls. So even at first conception, we see the right to privacy (snobby law students) and Facebook (nerdy computer geeks) are fundamentally at odds. Remember, before Facebook, Zuckerberg got himself in trouble for making Facemash (think hot or not), which he built by hacking into the database of each Harvard house and taking the photos from each face book.
“Issues about violating people’s privacy don’t seem to be surmountable,” Zuckerberg said at that time (he’s always had a real pulse on the people), when agreeing to shutdown Facemash after being dragged in front of the Administrative Board. But, Zuckerberg was inspired nonetheless. If only he could get people to volunteer their photos and other information instead of him stealing it – then he wouldn’t have to waste his time with those pesky “privacy worries.” And the rest, as the saying goes, is history. Fifteen years later, Zuckerberg may have caught the ire of governing bodies far greater than the Harvard Administrative Board.
Or has he? The history of privacy law in the United States is long and complex, and the recent fervor about Facebook may be exposing just how toothless it can be, especially in the face of modern technology. That said, it’s also become a common view that corporations like Google and Facebook are omnipotent when it comes to data surveillance, but in reality their power is still tiny compared to that of the government.
May the Fourth (Amendment) be with you
Throughout history, people’s privacy concerns have typically centered around fears of government intrusion. So, the founders thought wise to include the Fourth Amendment, giving people the right to be “secure…against unreasonable searches and seizures,” by the government. In practicality, this means law enforcement has to get a warrant – demonstrating probable cause – to conduct a search or seizure. In the 1960s, the venerable Supreme Court proclaimed that the Fourth Amendment protects “people, not places” and introduced the idea that a person has a “reasonable expectation of privacy.” So, you as a person could expect privacy anywhere you might be, as long as that expectation was “reasonable,” whatever that means.
Third Party Doctrine
So far so good. But give it some time, and technology inevitably outpaces our laws (which, by the way, isn’t necessarily bad). Soon enough, the Court decided that the Fourth Amendment doesn’t protect data we share with a third party, a ruling now dubbed the Third Party Doctrine. In 1979 when this was first decided, it meant we couldn’t expect privacy in the phone numbers we dialed. But courts eventually expanded this to other electronic communication like some email data, bank records, and perhaps even extensive location surveillance. The Third Party Doctrine has found itself under attack recently, with Justice Sotomayor writing in a concurrence in 2012 that it is “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”
As a side note, the government has always been aware of the increased intrusion posed by wiretapping. In 1986, Congress passed the Electronic Communications Privacy Act (ECPA), because while wiretapping of telephones was governed not only by the Fourth Amendment but also by another comprehensive set of statutes, it was unclear whether other electronic communications had such protection. The ECPA sets down extensive warrant requirements for wiretapping all wire, oral and electronic communications. This made it more difficult for law enforcement to get wires up, but made for better television once they did.
Stored Communication Act: Content is king
However, stored communication was treated differently (read: less protected) under the ECPA (specifically, the Stored Communications Act). At the time, not much of our data was “stored” anywhere. We had file cabinets in houses, to which it’s been long established that we have a “reasonable expectation of privacy.” But as email, social media, and cloud computing became widespread, more of our data became accessible through this hole in the statutory scheme. The Stored Communications Act breaks down stored communication into two components: (1) content and (2) metadata. If you think of it as a package, the content is what’s inside the package, and the metadata is the address telling the carrier where to take it.
First, on the content side under the Stored Communications Act (§ 2703), law enforcement can access data that has been remotely stored for more than 180 days without a warrant (i.e. with a subpoena). This could include data like emails, social media messages and comments, and text messages. Information stored less than 180 days still needs a warrant; but, keep in mind how long you’ve had your Gmail account. Do you really have less of an expectation of privacy for the emails older than 6 months? The law essentially says yes.
Let’s get meta
Now, on the metadata side, the government can get the follow with just a subpoena:
- Local and long distance telephone connection records, or session times and durations
- Length of service and type of service utilized
- Telephone or instrument number or other subscriber number or identity, including a network address
- Means and source of payment for such service (including any credit card or bank account info)
This content/ metadata divide may have made sense in 1986, when most people only had an identifier like a phone number and there was only one layer of metadata, but neither of these things are true now. If you’re shipping a package or sending a phone call, metadata might not be that much (although with phone records, it can get you pretty far). On the internet though, the metadata can tell you an awful lot. And, with powerful data aggregators and analytics tools, it’s much easier to find patterns and develop a fairly holistic picture of an individual using just metadata. Facebook is just one example of this, having gone to great lengths to aggregate both online and offline data to build more comprehensive profiles of users and non-users.
None of this is directly related to the Cambridge Analytica scandal, and that’s intentional. I’m hoping to write a serious of posts diving deeper into specific areas of privacy law and its various common law and statutory regimes. Understanding the basics of the ECPA is critical to understanding the foundational laws governing Facebook. To reiterate, it was last last wholly updated in 1986, when GM, Mobil, Ford and IBM sat atop the Fortune 500.
While the current controversy revolves around the fact that Facebook (and by way of violating their terms of service, Cambridge Analytica) has amassed immense quantities of data on all of us, keep in mind that in many ways it’s doing the government’s bidding for it. If the government doesn’t already have Facebook’s (and Google’s, Comcast’s, etc.) data, it doesn’t need a warrant to get it.
So when you read stories like this, don’t get mad at Facebook; that’s just the way the government wanted it. If a few centralized platforms are amassing petabytes of data, it makes it that much easier for governments to knock on their doors and demand they flip a switch, turning over that data into the government’s hands.
Subscribe to my newsletter, a weekly recap of the tech policy stories I thought were interesting, why they mattered, and what’s to come.