In his congressional testimony, Facebook founder and CEO Mark Zuckerberg seemed to understand the importance of protecting both the security and privacy of Facebook’s 2.2 billion users. People in the United States have come to realize the power of technology companies in their daily lives – and in politics. As a result, what they expect of those companies is changing. That’s why I believe, privacy protection must now become part of what has been called corporate social responsibility.
To its credit, the massive social network has begun taking action. Zuckerberg has promised the company will apply the protections of the European Union’s General Data Protection Regulation to all users around the world. It will also require political advertisers to provide additional transparency, as a new weapon in the reported “arms race” Facebook finds itself in with Russian propagandists. And the company is partnering with researchers to better understand its role in elections.
But there are those in Congress and in Europe who don’t think Facebook has gone far enough yet. European Data Protection Supervisor Giovanni Buttarelli, for example, has suggested Facebook views its users as “experimental rats.”
In my view as a scholar of law and ethics in the technology industry, Facebook – and other leading tech firms such as Google and Twitter – should join nations around the world and declare that privacy and cybersecurity are human rights that must be respected.
It’s not enough to just connect more people
Zuckerberg himself has already embraced the idea that internet access is a human right. And his company is planning to “connect the next 5 billion people” who have yet to go online. That will, of course, also create plenty more Facebook users just as the company’s growth plateaus in the West.
Several countries – as varied as France, Finland, Costa Rica and Estonia – have also taken the stance that all people should have access to the internet. The former head of the UN’s global telecommunications regulator has said governments should “regard the internet as basic infrastructure – just like roads, waste and water.” Global public opinion seems to overwhelmingly agree.
It’s not enough, though, to rely on human rights law. The International Covenant on Civil and Political Rights already includes a right to privacy, as does the UN’s Universal Declaration of Human Rights. But it’s not uncommon for countries to shirk their treaty responsibilities. And efforts to clarify the right to privacy in the digital age have been contentious.
Facebook could take action: Its market power alone could make it a major advocate for privacy and cybersecurity around the world. The company could, for example, back efforts to modernize international privacy law. Facebook could also require its vendors and partners to provide world-class cybersecurity protections for users and their information. It could, in short, lead a global race to the top and in the process promote cyber peace. In coordination with other technology companies, those efforts would only be more likely to succeed.
Options for immediate action
In the short term, I suggest Facebook formally, and publicly, demonstrate that the company understands the enormous role it plays in global affairs. A good start would be for the company to follow other industries’ examples by publicly disclosing its cybersecurity and data privacy practices as part of its integrated corporate report.
Another logical next step would be for Facebook to provide its users with a paid subscription option and thereby allow them to completely opt out of having their personal data packaged and sold for advertising. However, that creates a different ethical problem, because poorer people would not be able to afford to keep their data private and still use Facebook. The main way to address that problem is to flip the relationship and have Facebook pay people for their data. One economist estimates the value could be as much as US$1,000 a year for the average social media user.
Proposed new laws could also help. The CONSENT Act, for example, would require data-gathering social networks to get clear consent from users before being able to “use, share, or sell any personal information.” The Federal Trade Commission would enforce those rules. Lawmakers could go farther still and let the FTC impose larger fines for data breaches, make platforms liable for hosting illegal information, or even require companies to establish ethical review boards similar to universities.
Richard Stolley, founding managing editor of People Magazine, famously (and somewhat ironically) described privacy as “fragile merchandise.” This merchandise, which we have all entrusted to Facebook, once broken, is not easily fixed. Zuckerberg told Congress he understands this fact, and that his firm needs to rebuild users’ trust. If Facebook declared its support for both privacy and security as inalienable human rights akin to internet access, that could help the company get started, before policymakers in the U.S. and around the world step up to have their say.
Scott Shackelford, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University