Issie Lapowsky

Politics

Facebook's plan for privacy laws? 'Co-creating' them with Congress

In a newly published white paper, Facebook makes a case for a light-touch approach to privacy regulation that involves maximum flexibility for businesses.

A finger touching a phone with the Facebook logo

Facebook argues the best way to write privacy policy is to do it with industry input.

Image: Rafael Henrique/SOPA Images/LightRocket via Getty Images

Facebook's 16-year history is riddled with privacy blunders. There was Mark Zuckerberg's original sin of scraping students' photos to build a Hot or Not copycat at Harvard. There was the launch of News Feed, when Facebook began broadcasting every action users took on the platform to all of their friends. And, of course, there was the 2018 Cambridge Analytica scandal that exposed, though not for the first time, just how much data the company was willing to give away to third parties in the name of growth.

Now, the social networking giant has a modest proposal for lawmakers drafting privacy rules around the world: Let us help you write them.

In a new white paper published Wednesday, Facebook pushes for a light-touch approach to privacy regulation that involves maximum input from and flexibility for businesses. These, of course, are already the sorts of policies most tech giants are lobbying for behind closed doors. But the paper pushes for this collaboration to happen out in the open.

It argues, for instance, that the best way to design privacy regulations is through "policy co-creation," in which governments and companies work together to prototype policies and test their viability before they're implemented. It makes a case for regulations that "avoid or remove strict, one-size-fits-all design requirements," opting instead for laws that "regulate the process for making privacy design decisions, not the outcome of those processes."

In Singapore, Facebook has already tested these concepts through an organization it launched called Trust, Transparency and Control Labs. Together with the Singapore government, TTC Labs created what the paper calls a "regulatory sandbox," where startups could design new types of privacy notices and consent features and get feedback from regulators.

Of course, the United States is not Singapore, and Congress has hardly met Facebook with open arms recently. Protocol spoke with Facebook's deputy chief privacy officer, Rob Sherman, about what the company is proposing, who it's trying to convince, and why anyone should trust Facebook now.

This interview has been edited and condensed for clarity.

Who is this for? Who is the intended audience?

I think there are a number of intended audiences. One of the things we've realized in thinking about these problems within Facebook is governments are thinking about the right ways to regulate. Experts are thinking about what the right practices are, and companies are thinking about how to build for privacy and build for the communities they're serving. But they're not necessarily talking to each other.

Part of what we're trying to do is create a conversation that brings together those sets of stakeholders into a common conversation. It's something we've started to do through our Trust, Transparency and Control Labs initiative, which we founded. It holds a series of design jam workshops with experts, governments and companies to try to develop design solutions to some of these problems and put them out in openly accessible formats, so people can have examples of what it looks like to improve their practices.

A lot of the points in the paper struck me as Facebook saying lawmakers need to work with industry to collaborate on these regulations. That's something I imagine a lot of the industry would agree with, but regulators and privacy advocates would be pretty hesitant about. All I see them wanting to do lately is punch Facebook in the nose. What's giving you the sense this collaborative spirit exists in Congress?

In some of our efforts outside the U.S., already we've found a fair amount of interest on the parts of other companies and governments to have some of these conversations, because it all helps us get to a shared, better place.

One example is the regulatory sandbox we built with the Singapore government. This involves 14 companies working in a startup accelerator. They have resources, including privacy and nonprivacy expertise from Facebook, but also the ability to work with the government on best practices. That helps the government learn what works and what doesn't for smaller startups. And it helps the companies, and us for that matter, learn how to do these things at scale in practice.

That's Singapore. Right now, in the U.S. there's a lot of point-scoring trying to beat up on Big Tech. Why is this the moment to step in and say: The real solution to the privacy debate is to let us help you write these rules?

Getting this right is really critical. For people to be comfortable using Facebook, they need to trust we are both handling their data appropriately and communicating with them straightforwardly about that. The best way to do that is by talking to them, but also talking to other stakeholders in the ecosystem.

I also think when you look at areas outside of privacy — the financial sector's a good example — there are examples of co-created policies where industry gets together with experts and government to figure out what the right path forward is.

Have you broached this possibility with anyone in Congress, and if so, who? And how are those conversations going?

We view this as the beginning of the conversation, rather than the end. There aren't specific efforts with members to announce.

Communicating your privacy policy to the user comes last. First you need to have the policy in place that protects people's privacy. Where does Facebook stand in terms of privacy legislation that has been proposed in Congress? Is there anything you're supportive of?

We've been participating pretty actively in a number of different discussions around what privacy regulation might look like at the federal level and the state level. I think a lot of the discussions are going to align with the framework of giving people increased, clear rights over their data, the idea of putting specific obligations on companies to handle data responsibly, and identifying a regulator that's empowered to do that. Getting to a place where there's consistent federal standards around how we approach privacy is important so we can have a specific standard we can build to.

Are any of the bills in Congress bills you support?

I don't think we've expressed views on specific bills. The goal really at this point is to have conversations with a number of different stakeholders and try to get to the best place regardless of what bill is getting traction.

What about the California Privacy Rights Act, which looks like it has a good shot in November and would rewrite the California Consumer Privacy Act, which was a big deal when it was passed. Would this make things harder for you or do you support it?

It's something we've spent a lot of time thinking about. If it becomes law, it's something we will aim to comply with. It moves closer to something like [Europe's General Data Protection Regulation], when it comes to broadening the topics the legislation covers and giving people more rights over their data. I know there's a lot of debate on the ballot measure.

So, you aren't backing it or fighting it?

We haven't taken a position either for it or against.

Given you've been working on privacy at Facebook since 2012, how do you think you missed the possibility that giving app developers access to data on people's friend networks could be a privacy risk? If you're asking to be at the table with regulators to write the rules around privacy, they're going to point to the fact that you didn't get it right last time and ask why should they trust you now? So, explain how you missed that risk, or is it possible it wasn't missed, it's just that the business incentives of growing the platform outweighed the potential privacy risks?

When you look at the way we've approached communicating with people about their data in the context of the Facebook platform, that's something that's seen a pretty significant evolution over the years. It used to be the app permissions screen had a lot of information because that was the best practice at the time. It included the app developers' privacy policy with information they'd be getting and all of this detail. Over time, we've shifted toward simpler consent screens that are very clear about what developers wanted and that ask people to make a yes or no choice. That was an effort based on research and our understanding of how people interacted with those things.

A lot of the investment today is also around third-party oversight and making sure we have robust systems in place to make sure we're enforcing our policies and making sure developers that get access to data through Facebook's systems, even with people's consent, are adhering to the standards they've agreed to.

Obviously it was a problem that people didn't know what they were agreeing to in the permissions page, but the communication part came after the policy was created allowing app developers to access people's friends' data in the first place. How did you miss that that was a privacy flaw?

It was something we considered and that we improved over time as a part of the way that we approached Platform. You saw changes in 2014. You saw changes in 2018. In parallel to that you saw changes in the way we communicated.

It's clear there's a lot we could have done differently back then to avoid some of the challenges that we're facing now, but I think we've tried to invest really aggressively in addressing those and getting to a better place. The hope is that the learnings we've made through making mistakes and trying to improve our approach will help other companies and the broader policy discussion get to a more nuanced place.
