Facebook's idiosyncratic approach toward safeguarding the personal information of its users has attracted more political outrage than the company has ever experienced. The American and British legislatures have invited Mark Zuckerberg to visit and be complained at in person, the Federal Trade Commission has let leak an investigation, and German officials are officially vexed.
What irks them is the revelation that a third-party Facebook app masquerading as a personality quiz extracted information that was sold to the political consulting firm Cambridge Analytica, which in turn provided services to Republicans. A short line is being drawn from Facebook data-profiteering to the election, still unfathomable to many Democrats, of some guy named Donald J. Trump.
Given the political leanings at Facebook, it seems unlikely that such an effect was deliberate. In 2016, Sheryl Sandberg, the company's chief operating officer, struggled to find praise sufficiently fulsome to describe Hillary Clinton; in return, Sandberg was imagined as a Clinton Cabinet official. This was approximately the same time as the flap over Trending Topics, during which we learned that Facebook's stable of editors seemed to shun conservative news sites instinctively.
In any event, the joint anti-Zuck strike force being assembled in conference rooms this week in Washington, London, and Berlin seems to be arming for a skirmish that ended years ago.
The history is this: Starting in 2010, third-party developers who convinced a Facebook user to install their apps could vacuum up a tremendous amount of information. The so-called Open Graph API included not only a user's name, birthdate, politics, and religion—private direct messages could be requested too—but also his or her friends' data. You could argue that Facebook's disclosures were insufficiently descriptive. But technically, this wasn't a data leak; users gave consent, however attenuated.
Facebook gave the fields it provided developers names like "friends_religion_politics," "friends_likes," and "friends_photo_video_tags," but a more descriptive term might be "commercially useful information that is certain to be monetized." The user IDs provided were globally unique, kind of a Facebookish Social Security Number, so companies could use multiple apps to correlate and compile cross-referenced profiles by the millions.
The Graph API's features were no secret. They were shouted to the world via press release. At his 2010 announcement at a San Francisco conference, Zuckerberg boasted that developers would now be able to download and retain Facebook data. "We've had this policy where [third-party developers] can't store and cache any data for more than 24 hours, and we're going to go ahead and we're going to get rid of that policy," Zuckerberg said. CNET reported that the audience cheered.
Four years later, Facebook reversed course, saying it had chosen to discontinue those features of the Graph API. The equivalent of a global Facebook-wide identifier would be replaced with application-specific IDs. Friend data would be sharply restricted. The changes took effect in April 2015.
No Senate hearings or congressional investigations convinced Facebook to pull the plug. No flurry of investigative news articles preceded it (there appears to have been not one New York Times or Washington Post article discussing the Graph API in the prior year). No Federal Trade Commission investigation loomed; Facebook had already reached a privacy settlement with the agency in 2011 that altered the Graph API not one whit.
The most likely explanation for the 2014 policy shift is the simplest: The company realized, however belatedly, that even Facebook users want more control over how they share their information. Market pressure (or, perhaps, market dominance and less fear of alienating developers) had closed a privacy loophole. At the F8 conference that year, Zuckerberg said, "We take this really seriously because if people don't have the tools they need to feel comfortable using your apps, then that's bad for them and it's bad for you. But it will prevent people from having good personalized experiences and trying out new things but it also might hurt you and prevent you from getting some new potential customers. So we need to do everything we can to put people first and give people the tools they need to build a sign in and trust your apps."
Today it's almost tempting to feel sorry for Zuckerberg, who must be puzzling over why it took politicians eight years to discover the existence of a feature that has been publicly documented since its inception and was discontinued three years ago.
Zuckerberg must also be contemplating a second oddity. There was no privacy outcry when Barack Obama's 2012 campaign took advantage of the same Graph API to exfiltrate information of tens of millions of Facebook users without each voter's knowledge and consent.
Time.com's report immediately after the election was laudatory. Extracting data from Facebook, it said, "will transform the way campaigns are conducted in the future." It concluded, presciently, that by 2016 the Obama campaign's approach "is almost certain to be the norm."
The Obama campaign's extensive harvesting of social graph data triggered Facebook's internal safeguards, according to an article a year later in The New York Times Magazine. But Facebook allowed it to continue. "It was more like we blew through an alarm that their engineers hadn't planned for or knew about," Will St. Clair, a programmer for the campaign, told the magazine. "They'd sigh and say, 'You can do this as long as you stop doing it on Nov. 7.'"
"We ingested the entire U.S. social graph," Carol Davidsen, director of data integration and media analytics for Obama for America, told The Washington Post this week. "We would ask permission to basically scrape your profile, and also scrape your friends, basically anything that was available to scrape. We scraped it all."
It would be impolite, of course, to accuse the Democratic politicians demanding Zuckerberg's scalp of double standards. Perhaps Sen. Amy Klobuchar (D–Minn.), who wants to interrogate Zuckerberg in person, has only recently immersed herself in API specifications. Perhaps Sens. Ed Markey (D–Mass.) and Richard Blumenthal (D–Conn.), who issued their own demands to Zuckerberg, happened to miss the 2013 article about how the Obama campaign "blew through an alarm." (The inexplicable is not limited to Capitol Hill: A cadre of left-leaning privacy activist groups who remained mum before now believe the Federal Trade Commission should investigate.)
The danger now is regulatory overreach. It's possible to acknowledge that Facebook's original Graph API was leaky—user notification and consent could have been handled far better—while being worried about what Washington officialdom may concoct as suitable punishment for Internet companies. Good laws and sound policy are rarely made during times of moral or partisan panic.