Commentary: Facebook Can’t Be Trusted. It’s Time to Regulate It.

Using public data posted on a web site is legal. This is the bread and butter of Internet marketing companies. But according to a recent New York Times investigation, Cambridge Analytica collected data from Facebook users and their friends without consent, leaving both companies potentially liable for their actions.

Cambridge certainly compiled a significant amount of information from 50 million Facebook profiles. But that data pales in comparison to the quality and quantity of user information that Facebook, and especially Google, have collected over the years. This is what we should really be concerned about.

It’s time for the government to regulate companies like Facebook before their collection practices irreparably harm users’ privacy.

The underlying problem with Google, Facebook, and other tech companies is that they are easily able to accumulate immense amounts of information based on consent agreements, written in fine print, that users must sign to use their services.

In Facebook’s case, it’s likely that the company creates a user profile by combining their name, age, location, photos, likes, and opinions with publicly available U.S. census information, such as average income at a specific zip code.

Google is able to create a much more complete user profile, most of which comes from its search service. Google can identify the IP (Internet protocol) address (basically a computer’s Internet ID) of a user, match it to their physical location, and determine the residence they are accessing the Internet from. Adding in information from personal assistants such as Google Assistant and Android cell phone movement and use, Google can map much of a person’s activity throughout the day.

At some point, it is realistic that Google will be able to know practically everything about a person. That could even extend to information about someone’s health. If Google begins to compile health data, the company could learn how often users get sick and which illnesses they suffer from. Eventually, Google might be able to predict a user’s longevity much better than an insurance company could.

Consumers can take some actions to protect their privacy from Google. To start, they can delete all browser cookies, set their browsers to stop collecting cookies, and quit using the Chrome browser.

Even if users do this, though, Google can still harvest data from them using their IP addresses. These addresses, assigned by a phone or cable company, are hard to change. But there are still ways around direct browser surveillance. People can use an anonymous browser like Tor, which bounces browsing signals to various parts of the world before they reach the desired website. For even more secure browsing, users can pay for a virtual private network (VPN), as many Chinese do to avoid state censorship and surveillance.

Facebook CEO Mark Zuckerberg delivers the keynote address at Facebook's F8 Developer Conference in San Jose, California. Facebook is under fire for the Cambridge Analytica data privacy scandal. Justin Sullivan/Getty Images

These steps, while cumbersome, can make Google’s surveillance more difficult. But they would hardly hamper Facebook and other websites that make users “volunteer” their info. To fix that, we’ll need strict regulation of Internet companies like Facebook.

First, we need to convert all information collection contracts to be “opt-in” and not “opt-out” by default. With an opt-in contract, Facebook would collect information only if a user consented to it. Second, companies like Facebook should be required to provide service to consumers even if they opt out of sharing info with the company. Therefore, opting in would not become a requirement for having a Facebook account.

Third, once accounts are opt-in by default, users should be allowed to sell their data to the company. This would give users a fair choice: get paid to share information, or receive no money but still keep their account. Fourth, the transfer, copy, and sale of some very sensitive types of information should be restricted completely. For example, personal medical information should in no circumstances be moved off of the company’s servers.

The Facebook-Cambridge fiasco is an important wake-up call, but it is likely only the beginning of a thorough examination of tech companies’ widespread collection and possibly illegal use of user data. That will take time. The best way to begin the process is for the government to start holding companies like Facebook and Google accountable for the information they collect.

Nicholas Economides is a professor of economics at the NYU Stern School of Business.