Gathered in a Washington, D.C., ballroom last Thursday for their annual "tech prom," hundreds of tech industry lobbyists and policy makers applauded politely as announcers read out the names of the event's sponsors. But the room fell silent when "Facebook" was proclaimed — and the silence was punctuated by scattered boos and groans.
These days, it seems the only bipartisan agreement in Washington is to hate Facebook. Democrats blame the social network for costing them the presidential election. Republicans loathe Silicon Valley billionaires like Facebook founder and CEO Mark Zuckerberg for their liberal leanings. Even many tech executives, boosters and acolytes can't hide their disappointment and recriminations.
The tipping point appears to have been the recent revelation that a voter-profiling outfit working with the Trump campaign, Cambridge Analytica, had obtained data on 87 million Facebook users without their knowledge or consent. News of the breach came after a difficult year in which, among other things, Facebook admitted that it allowed Russians to buy political ads, advertisers to discriminate by race and age, hate groups to spread vile epithets, and hucksters to promote fake news on its platform.
More from ProPublica:
How Do You Identify Fake News?
John Bolton Skewed Intelligence, Say People Who Worked With Him
American Voting Machines Are Old and Vulnerable, But Who Will Pay for New Ones?
Over the years, Congress and federal regulators have largely left Facebook to police itself. Now, lawmakers around the world are calling for it to be regulated. Congress is gearing up to grill Zuckerberg. The Federal Trade Commission is investigating whether Facebook violated its 2011 settlement agreement with the agency. Zuckerberg himself suggested, in a CNN interview, that perhaps Facebook should be regulated by the government.
The regulatory fever is so strong that even Peter Swire, a privacy law professor at Georgia Institute of Technology who testified last year in an Irish court on behalf of Facebook, recently laid out the legal case for why Google and Facebook might be regulated as public utilities. Both companies, he argued, satisfy the traditional criteria for utility regulation: They have large market share, are natural monopolies, and are difficult for customers to do without.
While the political momentum may not be strong enough right now for something as drastic as that, many in Washington are trying to envision what regulating Facebook would look like. After all, the solutions are not obvious. The world has never tried to rein in a global network with 2 billion users that is built on fast-moving technology and evolving data practices.
I talked to numerous experts about the ideas bubbling up in Washington. They identified four concrete, practical reforms that could address some of Facebook's main problems. None are specific to Facebook alone; potentially, they could be applied to all social media and the tech industry.
The Cambridge Analytica data loss was the result of a breach of contract, rather than a technical breach in which a company gets hacked. But either way, it's far too common for institutions to lose customers' data — and they rarely suffer significant financial consequences for the loss. In the United States, companies are only required to notify people if their data has been breached in certain states and under certain circumstances — and regulators rarely have the authority to penalize companies that lose personal data.
Consider the Federal Trade Commission, which is the primary agency that regulates internet companies these days. The FTC doesn't have the authority to demand civil penalties for most data breaches. (There are exceptions for violations of children's privacy and a few other offenses.) Typically, the FTC can only impose penalties if a company has violated a previous agreement with the agency.
That means Facebook may well face a fine for the Cambridge Analytica breach, assuming the FTC can show that the social network violated a 2011 settlement with the agency. In that settlement, the FTC charged Facebook with eight counts of unfair and deceptive behavior, including allowing outside apps to access data that they didn't need — which is what Cambridge Analytica reportedly did years later. The settlement carried no financial penalties but included a clause stating that Facebook could face fines of $16,000 per violation per day.
David Vladeck, former FTC director of consumer protection, who crafted the 2011 settlement with Facebook, said he believes Facebook's actions in the Cambridge Analytica episode violated the agreement on multiple counts. "I predict that if the FTC concludes that Facebook violated the consent decree, there will be a heavy civil penalty that could well be in the amount of $1 billion or more," he said.
Facebook maintains it has abided by the agreement. "Facebook rejects any suggestion that it violated the consent decree," spokesman Andy Stone said. "We respected the privacy settings that people had in place."
If a fine had been levied at the time of the settlement, it might well have served as a stronger deterrent against any future breaches. Daniel J. Weitzner, who served in the White House as the deputy chief technology officer at the time of the Facebook settlement, says that technology should be policed by something similar to the Department of Justice's environmental crimes unit. The unit has levied hundreds of millions of dollars in fines. Under previous administrations, it filed felony charges against people for such crimes as dumping raw sewage or killing a bald eagle. Some ended up sentenced to prison.
"We know how to do serious law enforcement when we think there's a real priority and we haven't gotten there yet when it comes to privacy," Weitzner said.
Last year, Facebook disclosed that it had inadvertently accepted thousands of advertisements that were placed by a Russian disinformation operation — in possible violation of laws that restrict foreign involvement in U.S. elections. FBI special prosecutor Robert Mueller has charged 13 Russians who worked for an internet disinformation organization with conspiring to defraud the United States, but it seems unlikely that Russia will compel them to face trial in the U.S.
Facebook has said it will introduce a new regime of advertising transparency later this year, which will require political advertisers to submit a government-issued ID and to have an authentic mailing address. It said political advertisers will also have to disclose which candidate or organization they represent and that all election ads will be displayed in a public archive.
But Ann Ravel, a former commissioner at the Federal Election Commission, says that more could be done. While she was at the commission, she urged it to consider what it could do to make internet advertising contain as much disclosure as broadcast and print ads. "Do we want Vladimir Putin or drug cartels to be influencing American elections?" she presciently asked at a 2015 commission meeting.
However, the election commission — which is often deadlocked between its evenly split Democratic and Republican commissioners — has not yet ruled on new disclosure rules for internet advertising. Even if it does pass such a rule, the commission's definition of election advertising is so narrow that many of the ads placed by the Russians may not have qualified for scrutiny. It's limited to ads that mention a federal candidate and appear within 60 days prior to a general election or 30 days prior to a primary.
This definition, Ravel said, is not going to catch new forms of election interference, such as ads placed months before an election, or the practice of paying individuals or bots to spread a message that doesn't identify a candidate and looks like authentic communications rather than ads.
To combat this type of interference, Ravel said, the current definition of election advertising needs to be broadened. The FEC, she suggested, should establish "a multi-faceted test" to determine whether certain communications should count as election advertisements. For instance, communications could be examined for their intent, and whether they were paid for in a nontraditional way — such as through an automated bot network.
And to help the tech companies find suspect communications, she suggested setting up an enforcement arm similar to the Treasury Department's Financial Crimes Enforcement Network, known as FinCEN. FinCEN combats money laundering by investigating suspicious account transactions reported by financial institutions. Ravel said that a similar enforcement arm that would work with tech companies would help the FEC.
"The platforms could turn over lots of communications and the investigative agency could then examine them to determine if they are from prohibited sources," she said.
Last year, ProPublica found that Facebook was allowing advertisers to buy discriminatory ads, including ads targeting people who identified themselves as "Jew-haters," and ads for housing and employment that excluded audiences based on race, age and other protected characteristics under civil rights laws.
Facebook has claimed that it has immunity against liability for such discrimination under section 230 of the 1996 federal Communications Decency Act, which protects online publishers from liability for third-party content.
"Advertisers, not Facebook, are responsible for both the content of their ads and what targeting criteria to use, if any," Facebook stated in legal filings in a federal case in California challenging Facebook's use of racial exclusions in ad targeting.
But sentiment is growing in Washington to interpret the law more narrowly. Last month, the House of Representatives passed a bill that carves out an exemption in the law, making websites liable if they aid and abet sex trafficking. Despite fierce opposition by many tech advocates, a version of the bill has already passed the Senate.
And many staunch defenders of the tech industry have started to suggest that more exceptions to section 230 may be needed. In November, Harvard Law professor Jonathan Zittrain wrote an article rethinking his previous support for the law and declared it has become, in effect, "a subsidy" for the tech giants, who don't bear the costs of ensuring the content they publish is accurate and fair.
"Any honest account must acknowledge the collateral damage it has permitted to be visited upon real people whose reputations, privacy, and dignity have been hurt in ways that defy redress," Zittrain wrote.
In a December 2017 paper titled "The Internet Will Not Break: Denying Bad Samaritans 230 Immunity," University of Maryland law professors Danielle Citron and Benjamin Wittes argue that the law should be amended — either through legislation or judicial interpretation — to deny immunity to technology companies that enable and host illegal content.
"The time is now to go back and revise the words of the statute to make clear that it only provides shelter if you take reasonable steps to address illegal activity that you know about," Citron said in an interview.
Cambridge Analytica obtained its data on Facebook users by paying a psychology professor to build a Facebook personality quiz. When 270,000 Facebook users took the quiz, the researcher was able to obtain data about them and all of their Facebook friends — or about 50 million people altogether. (Facebook later ended the ability for quizzes and other apps to pull data on users' friends.)
Cambridge Analytica then used the data to build a model predicting the psychology of those people, on metrics such as "neuroticism," political views and extroversion. It then offered that information to political consultants, including those working for the Trump campaign.
The company claimed that it had enough information about people's psychological vulnerabilities that it could effectively target ads to them that would sway their political opinions. It is not clear whether the company actually achieved its desired effect.
But there is no question that people can be swayed by online content. In a controversial 2014 study, Facebook tested whether it could manipulate the emotions of its users by filling some users' news feeds with only positive news and other users' feeds with only negative news. The study found that Facebook could indeed manipulate feelings — and sparked outrage from Facebook users and others who claimed it was unethical to experiment on them without their consent.
Such studies, if conducted by a professor on a college campus, would require approval from an institutional review board, or IRB, overseeing experiments on human subjects. But there is no such standard online. The usual practice is that a company's terms of service contain a blanket statement of consent that users never read or agree to.
James Grimmelman, a law professor and computer scientist, argued in a 2015 paper that the technology companies should stop burying consent forms in their fine print. Instead, he wrote, "they should seek enthusiastic consent from users, making them into valued partners who feel they have a stake in the research."
Such a consent process could be overseen by an independent ethics review board, based on the university model, which would also review research proposals and ensure that people's private information isn't shared with brokers like Cambridge Analytica.
"I think if we are in the business of requiring IRBs for academics," Grimmelman said in an interview, "we should ask for appropriate supervisions for companies doing research."