Pages

7 April 2018

The Theft or Abuse of Your Personal Information by Governments, Facebook and Others Is Now the New Norm. What Lessons Have We Learned?

Paul R. Pillar

The sudden attention to the exploitation, including for political purposes, of information on millions of Facebook users in ways that ought to make those users uncomfortable—and to how Facebook does not seem to have cared about such abuses—has been tardy and myopic even though the attention is fully justified. It took the story about Cambridge Analytica’s mining of Facebook data to get that attention, even though the probability of such unwelcome exploitation of personal information has existed since the dawn of social media.

Almost no discussion of the current issue involving Facebook has put that issue in a broader context, which would provide perspective to similar questions of privacy and big data that have aroused controversy in the past. Specifically, commentary and reporting on the Facebook matter have made almost no reference to what was a headline item not long ago: collection of information on Americans as a by-product of foreign intelligence collection by governmental organizations such as the National Security Agency. This collection has involved bulk “metadata” on telephone calls that include the timing of calls and the phone numbers of participants but not the content of conversations. A related matter has been the intercepting of conversations that, although the target is a foreigner, involve a U.S. person on the other end of the line.

Similarly, when news stories and congressional hearings focused on these NSA activities just a couple of years ago, almost none of the coverage and commentary provided the perspective that would have come from comparing these activities with commercial collection of data on Americans. Only a few lonely voices like myself pointed out that Americans have more to fear from commercial enterprises exploiting personal information about them than from anything a government agency might do in this regard.

The government activity is subject to numerous checks and controls, whereas the commercial activity is subject to almost none. What NSA does with either metadata or intercepted content—besides being an object of congressional oversight—takes place under extremely strict controls internal to the agency or the executive branch that limit the officials who have access to such data in addition to limiting the use that can be made of it, even inside the intelligence community. Contrast that with the telecommunications companies; they have direct access to everything NSA could ever hope to acquire about the telephone calls of Americans, but Americans aren’t even given the faintest idea how the companies handle the data or who inside the companies has access to it. With the burgeoning of social media, the personal data at stake goes far beyond telephone calls.

Another difference involves the very raison d’être of the organizations involved. The intelligence agencies exist to perform a foreign intelligence mission. They are judged to be successes or failures according to how well they perform that mission. Tightly controlling and keeping secret the material they handle is important to accomplishing that mission.

In contrast, the commercial enterprises exist to make a profit. Their incentives regarding handling of the data they collect run in the opposite direction from the intelligence agencies’ incentives. Facebook’s business model centers on making personal information about its users available to advertisers and others willing to pay to exploit the data. (Remember, if you think you are using a product for free, then you are the product.) “There’s a sort of intrinsic problem with having for-profit entities with this business model in this position of so much public trust,” observes Tim Wu, formerly with the Federal Trade Commission and now a law professor at Columbia. “They’re always at the edge because their profitability depends on it.”

The customary arguments that there is more basis for worry about government collection of data than commercial collection have always been weak. The government is fundamentally different, we are told. “The phone company can’t arrest you.” Well, neither can NSA. Government involves an element of compulsion, we are told, that does not exist in the private sector. But if you want telephone service, you necessarily have to surrender all of the information about all of your phone conversations to the company that provides that service.

With regard to social media, there is an element of addiction, as reflected in apt comments today about how difficult it will be for many heavy users of Facebook to give it up even if they are upset about the privacy issue. This should place social media in some of the same conversations about government regulation as tobacco or opiates. As for commercial services requiring permission from their users before making use of their data, this is a joke not only because almost all users click the “accept” box without wading through the legalese in the terms of service. As Wu points out, Facebook’s privacy settings have been in large part a sham that do not prevent the sort of exploitation of data that is now an issue.

An irony about the government-vs.-private sector dimension of data exploitation involves one bit of exploitation by former Trump political adviser Steve Bannon. He used Cambridge Analytica, which in turn was using Facebook data, to test how some themes would play with voters in the 2016 election. One of those themes was the notion of a “deep state”. Thus while a governmental deep state that supposedly uses all its ample information to do whatever it wants is a fiction, non-governmental collection of personal information has helped to sustain that fiction in the minds of Americans.

The government-nongovernment dimension in exploiting data has come full circle in other ways. The personal information on Facebook users that Cambridge Analytica exploited helped to elect Donald Trump—with everything that election implies for how a Trump-led government touches those users’ lives, and no matter how strongly opposed to Trump many of them may have been.

Now Trump has named as national security adviser John Bolton, whose political action committee also was an early user of Cambridge Analytica’s operation. And related to those past controversies involving NSA, Bolton—although he was a loud accuser and complainer about requests from Susan Rice, when she was Barack Obama’s national security adviser, to “unmask” the identities of U.S. persons in intercepted communications—was himself one of the most prolific unmaskers. It is hard to imagine how Bolton, as an undersecretary of state for arms control, would have had as much legitimate reason for such unmasking as did a national security adviser looking at Russian interference in U.S. elections. Possibly Bolton’s requests had more to do with his well-established proclivity for trying to expel from the bureaucracy anyone whose views differ from his own. Fortunately there are checks in government on such abuses, although one has to wonder what will become of such checks with Bolton in charge of the national security policymaking apparatus.

The well-entrenched attitude that Americans have more to fear from what government does with their personal data than what commercial enterprises do with it is ultimately based not on understanding of actual hazards but instead on the crude ideology of “government bad, private sector good”. Perhaps the understandable uproar over Facebook’s practices will start to change that attitude, but don’t count on it.

No comments:

Post a Comment