As bad as things looked for Facebook two weeks ago when the Cambridge Analytica scandal surfaced, things actually got worse this week. First, the company upped to 87 million the estimated number of people whose personal information was siphoned off without authorization — 74% more than was first reported. Cambridge Analytica used that information in 2016 to try to raise support for Donald Trump by targeting voters with messages designed to play to their susceptibilities.
Then on Wednesday, Chief Executive Mark Zuckerberg told reporters that personal information from every Facebook user who left the default search settings in place is likely to have been "scraped" off the site by third parties. "I would assume if you had that setting turned on, that someone at some point has accessed your public information in this way," Zuckerberg said. The information was almost certainly gathered for commercial reasons, not altruistic ones. After all, your public profile on Facebook can be quite revealing — it includes anything you've ever shared on Facebook under the least restrictive privacy setting, potentially including your friends list, your likes, your photos and the places you've visited.
In short, Zuckerberg confirmed again what critics of his company have been saying for years: Personal information shared on Facebook can spread far and wide, often unbeknownst to the person who posted it. You may think of Facebook as a place to huddle electronically with your friends, but it's also a platform for Facebook and countless other companies to collect data about you. And Facebook has repeatedly shown itself unable, or perhaps unwilling, to restrain those companies, let alone keep its own promises to users about how personal data will be handled.
The good news is that Congress may have reached the end of its rope when it comes to online privacy scandals. The glare from lawmakers is so intense that Zuckerberg himself will appear before House and Senate committees next week — a first for the youthful billionaire. And in anticipation of the verbal beating lawmakers are expected to inflict, Facebook has taken an encouraging series of steps to reduce the information that third parties can extract from the social network.
But lawmakers need to stop relying on internet companies to police themselves. And while the Federal Trade Commission has broad authority to crack down on unfair and deceptive privacy practices, the court orders it has obtained against Facebook and other internet companies haven't stopped the abuses. Internet users should have clear privacy rights under federal law that regulators and the courts can enforce. At a minimum, those should include the right to know what data is being collected about them and to limit its use. In other words, instead of continuing blithely along the path of unfettered data collection and sharing, we need to give internet users more control over the data generated by what they say and do online.
The European Union is well ahead of the U.S. government on this issue, having adopted a General Data Protection Regulation two years ago. The rules, which will go into effect May 25, require companies that want to collect personal data from an EU citizen to obtain the person's "freely given, specific, informed, and unambiguous" consent — not just overall, but for each type of use the company might find for the data (for example, separate consents would be required to use an email address for in-house marketing and to share the address with a third party).
Under the EU rules, users must also be able to revoke the consent they've given and to retrieve the data a site has collected on them, giving them a clearer picture of what's being recorded. Meanwhile, new rules for the companies that obtain data from other sites will effectively expose how internet users are tracked online, bringing much needed transparency to the world of advertiser-supported sites and services. The mandates are backed by eye-popping penalties — up to 4% of a company's worldwide earnings.
Zuckerberg said Wednesday that his company will extend the European Union's privacy protections to all of its users worldwide, which is the silver lining in the cloud cast by Cambridge Analytica. But Facebook users shouldn't be the only ones covered by such a shield. Proposals for a consumer privacy bill of rights have been circulating in Washington since 2012. It's time for lawmakers to translate their outrage over the latest privacy scandal into durable protections for internet users.