Now that it’s a public company, Facebook needs to significantly boost its revenues to bring them in line with shareholders’ expectations. That means finding new uses for the endless amounts of personal data the company collects from its users—but this prospect concerns privacy advocates, who say Facebook has outgrown existing privacy laws. Although regulators around the globe are increasing their scrutiny of Facebook, it might be years before they catch up.
The U.S. Federal Trade Commission, for example, will subject Facebook to 20 years of regular privacy audits after settling charges last year that the company engaged in “unfair and deceptive practices” such as misleading people about whether information they disclosed on the site would stay private. The FTC has a mandate to protect consumers from false advertising, but its ability to restrain Facebook is limited because current U.S. privacy laws are decades old. They’re written to shield medical and financial information, even motor vehicle and movie rental records, but they don’t address many practices common online today, such as compiling profiles of online behavior to target ads.
That might change under a “Privacy Bill of Rights” that the Obama administration unveiled this year; it calls for giving people more control over what companies do with personal information. But the process of developing laws based on it has just begun. Legislation proposed in January by the European Union, where privacy laws are traditionally stricter, could go much further. It includes a “right to be forgotten” that lets consumers require a company to delete their personal data and even remove traces of it from other websites. However, it will be years before any part of the proposal becomes law.
Some legal scholars believe that Facebook should be subject to specific consumer protection regulations. As the largest social network, it faces little competitive pressure, and people have few options if they don’t like how the company handles their information. Chris Hoofnagle, a scholar at the University of California, Berkeley, who studies the economics of privacy, says situations similarly stacked against the public have caused lawmakers to intervene in the past. Credit card providers, for example, must now make sure that all product literature spells out exactly which fees and debts a person will become liable for. Hoofnagle says Facebook could eventually be subject to similar rules, requiring it to notify users about the income it derives from their data and whether any of that data has been transferred to other companies.
Given how rapidly Facebook has reeled in new users, it seems people are not very concerned about protecting their privacy on the site. But they should be, says Alessandro Acquisti, a researcher at Carnegie Mellon University. He worries about not only what Facebook can do with personal information now, but what could be inferred from such data a few years down the road. For instance, in 2009 he showed that Social Security numbers can be guessed using public data, some of it from social networks.
Acquisti is particularly concerned that Facebook could combine external data with what it already knows about its users—a step that would be invisible to users. One potential solution, he says, would be to encrypt personal data in a way that prevents a social or ad network from identifying a person but still allows targeting of advertisements. However, such technology is still not fully developed and would also limit what can be done with a data storehouse, so legislation to require its use is unlikely anytime soon.