The Federal Trade Commission’s new probe into Facebook’s data-privacy practices cratered the company’s stock price and caused observers to wonder whether the social-media monopolist can survive regulatory scrutiny.
But William Kovacic, a former Republican FTC chairman who served on the commission from 2006 to 2011, says Facebook’s reputation isn’t the only one on the line.
“I think the credibility of the entire FTC [privacy] regime, especially as it’s been built up in this decade, is at stake here,” Kovacic said.
Recent revelations concerning the unauthorized transfer of data from up to 50 million Facebook users to Cambridge Analytica—a British political consultancy working for the Trump campaign—have upended the American debate on digital privacy. Experts say that Facebook’s behavior is strikingly similar to the data practices of most other tech platforms, raising the prospect that more companies may soon be sucked into the vortex of controversy.
But as the firestorm intensifies, doubts are growing about the FTC’s ability to police the privacy practices of large tech platforms. To Kovacic, the fact that Facebook seems to have ignored a 2012 FTC order to tighten its privacy standards suggests the commission has been ineffective so far.
“This settlement was intended to be a template for establishing broader policy standards across the industry,” said Kovacic, who left the commission less than two months before Facebook and the FTC reached a preliminary settlement in 2011 on charges that the company deceived its users over its data-privacy policies. “And you have to look back and ask, ‘Did it work? What went wrong?’”
The worries don’t just stem from ongoing leadership vacancies, which have plagued the commission for over a year. Experts say the FTC simply doesn’t have the money or personnel required to take on Silicon Valley’s giants, particularly as consumers hand over more and more of their data to corporations.
Couple that with major gaps in the FTC’s jurisdiction, and it’s not clear that the commission is up to its job as America’s chief digital-privacy enforcer.
“The FTC doesn’t have enough power to do what it needs to do, what needs to be done,” said Bob Gellman, a D.C.-based data-privacy consultant who spent 17 years as a privacy staffer in the House of Representatives.
That skepticism is driven in part by the FTC’s apparent failure to keep tabs on Facebook’s privacy standards following its first run-in with the social-media behemoth.
The consent decree approved by the commission in August 2012 required Facebook to submit to regular “privacy audits” to ensure it was complying with the FTC’s new guidelines. But news of the latest probe came only after a cascade of reports focused on Cambridge Analytica’s malfeasance, and it’s not clear whether the FTC was already tracking potential Facebook privacy violations before the press got involved.
“What kind of oversight did they exercise?” Kovacic asked. “You have to look at that because that was a big part of your compliance mechanism. If that failed, then you have to rethink what you’re doing.”
FTC spokesman Peter Kaplan said he could not comment specifically on the Facebook issue, but he said the commission believes the privacy audits that undergird FTC consent decrees work.
Kovacic also pointed to the 2012 dissent of J. Thomas Rosch, one of five FTC commissioners at the time of the settlement. Rosch worried the consent decree would not cover improper activity conducted through third-party “apps” running on Facebook’s platform. Kovacic believes that concern may have been vindicated, since a third-party research app was the precise vector through which Cambridge Analytica received Facebook’s user data.
“They’ve got to find out what went wrong,” Kovacic said.
Chris Hoofnagle, an FTC researcher at UC Berkeley’s School of Information, believes the FTC’s weakness on digital privacy stems largely from a lack of resources.
The commission’s budget is small when compared to agencies tasked with policing privacy in other industry areas, including the Consumer Financial Protection Bureau and the Health and Human Services Department. And it’s minuscule when compared to those in most European countries, many of which are in the process of creating dedicated agencies specifically tasked with regulating digital privacy.
“The FTC’s privacy activities are a small part of a small budget,” Hoofnagle said, noting that the commission has fewer than 60 employees devoted to privacy full-time. “Even with a full commission and staff, if Facebook fights this case, the FTC will have to drop other investigations in order to keep up.”
Kaplan told National Journal that the FTC has brought fewer than 20 data-privacy or data-security cases over the past two years. Gellman contrasts that number with the hundreds of data-privacy cases HHS brings against health care institutions each year. “The odds of being investigated for your privacy activities by the FTC are approximately the odds of being hit by a meteorite, unless your story hits the front page of the newspaper,” he said.
Gellman believes the commission simply lacks the “guts” to aggressively pursue the questionable privacy practices of digital platforms. “The agency is scared to death of the Congress, and has been for decades,” he said, adding that the 1975 Magnuson-Moss Act—which stripped the FTC of much of its rulemaking authority—was seen as a backlash to an overly aggressive commission. “Ever since then, the agency has one eye firmly fixed on Congress,” he said.
Major gaps in the FTC’s regulatory authorities also work to hinder effective privacy enforcement. “The FTC has huge holes in its jurisdiction,” Kovacic said. “It can’t touch not-for-profits, so if universities just shovel information out the door, the FTC has no role. Charities, no role. Insurance, no role. … You can’t be an effective national privacy regulator if those are carved out.”
To tackle the burgeoning problem of digital privacy, Congress could provide the FTC with new authorities and greater resources. But unless public pressure grows, experts are skeptical that lawmakers will risk targeting Silicon Valley’s business model so directly.
“There is absolutely no hope that this Congress is going to give the FTC more authority,” Gellman said. “The business community will be totally opposed, and the Republicans in Congress will be for the most part opposed.”
Without statutory changes, it’s hard to see how the FTC gets its hands around Facebook and other digital platforms playing fast and loose with consumer data.
“If you want the FTC to function as a truly effective national data-protection authority, you cannot do it with the existing configuration,” Kovacic said. “The platform itself is not up to the job. And you either have to fix the weaknesses, or you have to think about a new framework.”