Questions Congress Should Ask Mark Zuckerberg
Published by The Lawfare Institute
In light of the Cambridge Analytica revelations, Facebook CEO Mark Zuckerberg agreed to testify before Congress. He’s coming for a two-day tour, testifying first at a joint Senate Judiciary and Commerce hearing on April 10 and then at the House Energy and Commerce Committee on April 11.
Zuckerberg will be expected to explain just how the events of the Cambridge Analytica episode took place. Aleksandr Kogan, a Cambridge University professor, offered an app-based personality quiz and then passed the data collected through the app to Cambridge Analytica, which used it to target voters in the 2016 election. For an overview of issues of legal liability related to the data transfer, we recommend the primer by Andrew Keane Woods.
Security and privacy will be key foci during the hearings. On the national security side, Facebook erred by failing to take security measures to prevent misuse of its data (not simply in sharing the data); here, the misuse was in service of efforts to influence American elections. We expect that there will be questions about what Facebook is doing to prevent foreign influence in our elections, and what role the government should or shouldn’t play in regulating or modifying the operation of private companies when U.S. national security could be impacted. We also expect privacy issues and calls for regulation to come up.
In anticipation of his testimony, we propose the following questions that members of Congress should ask Zuckerberg:
Technical Security Measures
Facebook does not always make it easy to export data, and Facebook users have complained about the difficulty they face when exporting their own data. In the past, when companies such as Power Ventures sought to gather user information (with consent) to provide a consumer service, Facebook vigorously opposed them through technical and legal means, even suing such companies under the Computer Fraud and Abuse Act. Yet, in this case it appears that Facebook handed over data with ease.
- Does Facebook have the ability to limit the export of data, and if so, has it taken any steps to make it more difficult for third parties, foreign adversaries, data brokers and the like to export Facebook data for nefarious purposes?
- What technical and legal measures could you take to assure that third parties with access to Facebook data use it appropriately? Are you using any today? What do you intend to do going forward?
National Security and Foreign Adversaries
Given that Russia considered Facebook one of its best tools for sowing discord prior to the 2016 election, it and other adversarial governments may try to use Facebook in the future for similar purposes.
- What steps are you taking or planning to take in order to prevent an adversarial country from using user data to interfere with our internal democratic process? What is Facebook’s corporate responsibility to ensure that it does not become a tool used by foreign adversaries to manipulate American democracy?
- Do you have the technology or capabilities to detect when a foreign entity is attempting to buy a political ad? Is this process automated and able to flag concerning parties? If so, how often are ads and parties flagged? Do you have any procedures to inform key government players when a foreign entity is attempting to buy a political ad or when it may be taking other steps to interfere in an election?
- Can you share any data or analysis on the rates at which adversarial states are now attempting to manipulate Americans? Are there any other trends of nefarious action or interference that you can share to help us better understand the nature of bad actions that have been taken, or will be taken, by adversarial states to manipulate American persons?
- Do you expect Russia to try to use Facebook to manipulate voters in the 2018 midterm election?
User Concerns and Transparency
Kogan collected the data of personality quiz app users and their friends. Many complaints about Facebook’s data-sharing practices stem from the fact that they expose friends of app users to privacy risk when they did not necessarily consent to any terms of service on the app.
- Should users expect that their personal data will not be shared if they have maximum privacy settings in place? What can users do to prevent their information from being shared in this manner?
- What information does Facebook provide on its data sharing with third parties, either to individual users or to the public regarding the scale of data sharing? Do you expect this to change?
Regulation and Remedies
You told the New York Times that Facebook could be open to regulation, and regulation is certainly one way to address the privacy and security concerns that have been raised thus far. But, for a company as large as Facebook, regulation could be more beneficial than detrimental. As one writer explains, regulations impose compliance costs that “Facebook will be able to throw money at to solve, but every smaller platform will find incredibly costly.” At a time when Facebook has already demonstrated its willingness (and ability) to squeeze smaller companies into using Facebook’s platform, one wonders whether this call for regulation is yet another play toward consolidating power.
- Could additional regulation help Facebook grow more powerful? Why should we not be looking at enforcement power, through legal liability or the Federal Trade Commission for example, to go after Facebook specifically?
- In 2011 the Federal Trade Commission accused Facebook of deceiving consumers, promising to keep information private and then breaking that promise. The case was ultimately settled. But the rules set forth in the 2011 consent decree could not prevent misuse of data in Kogan’s case. Is the government under-enforcing existing regulations and legal tools such as the FTC Act?