In December 2019, a Columbia Law School fellow named Lina Khan co-authored an article in the Harvard Law Review comparing social media executives to used-car salesmen.
In it, Khan and her co-author, Columbia Law professor David Pozen, dismissed as "implausible" the idea that a company like Facebook or Google, which makes its money from personalized ads, could ever truly put its users' privacy first.
"As long as such companies make most of their money through personally targeted advertisements, they will be economically motivated to extract as much data from their users as they can," they wrote, "a motivation that runs headfirst into users' privacy interests as well as any interests users might have in exercising behavioral autonomy or ensuring that their personal data is not stolen, sold, mined, or otherwise monetized down the line."
The article was a full-throated condemnation of the very business model that dominates the web and a call for regulation that would actually force tech companies to protect users' privacy. "By and large, addictive user behavior is good for business. Divisive and inflammatory content is good for business. Deterioration of privacy and confidentiality norms is good for business," the article reads.
Now, as she takes over as chair of the Federal Trade Commission, it's a critique Khan might be able to translate into action.
Ever since Khan was first nominated to the FTC, another piece of her writing, in which she built a novel antitrust case against Amazon, has been cited endlessly as evidence that she'll be coming for the ecommerce giant (Disclosure: I'm married to an Amazon employee). That speculation only increased after Sen. Amy Klobuchar unceremoniously let slip that Khan would not only join the commission, but also lead it. But while Khan built her name on competition policy, her writing on online ads deserves its own close read. It offers insights into how Khan thinks about online privacy just as she prepares to become one of the country's chief privacy enforcers.
Paging Dr. Zuckerberg
While Khan might not describe herself as a privacy scholar per se, Pozen, her co-author on the privacy article, said that Khan's views on personalized advertising are a natural outgrowth of her views on competition. She is, after all, is best known for pushing the theory that pricing isn't the only metric for measuring the harm monopolies can do to consumers. There are other harms, like, for instance, privacy violations. "Lina has emphasized the point that there are a much broader set of potential harms from companies getting so powerful that can't be captured by their monetary prices," Pozen said, noting that ad-funded businesses are often cheap or even free, "but that very same model also creates an obvious and massive privacy concern."
The 2019 article grapples with an increasingly popular concept in privacy law that proposes turning tech companies into "information fiduciaries." Just as these companies have a fiduciary duty to maximize profits for their shareholders, the thinking goes, they could also be required to be fiduciaries — which is to say, legally-bound stewards — of user data.
The idea has been floated in privacy legislation at the state and national level — and Khan and Pozen more or less rip it to shreds.
The enormously successful business of behavioral ads, they argue, is so at odds with user privacy that a company like Facebook could never truly uphold its duty to shareholders while also upholding its duty to user privacy. In a world in which information fiduciaries existed, Khan and Pozen argue, user privacy would still come second, rendering the duty meaningless. "The social media executive who is exhorted to treat users well [...] yet not required to place users' interests first resembles, instead, the used-car dealers and restaurateurs who are classic examples in the case law of service providers who are not ordinarily fiduciaries for their customers," the article reads.
Proponents of information fiduciaries often point to the fact that doctors are bound by certain duties of care for their patients in order to suggest that the same concept could be applied to tech. But once again, Khan and Pozen show how that idea would border on ridiculous if doctors also made all their money on ads.
"Imagine visiting a doctor — let's call her Marta Zuckerberg — whose main source of income is enabling third parties to market you goods and services," they write. In Khan and Pozen's telling, this Dr. Zuckerberg flings ads for pills and procedures at patients based on their demographic, economic and psychological profiles, and gets paid every time patients even look in their direction.
"They are also continually updated in light of information Dr. Zuckerberg collects on you; to be sure she does not miss anything, she has planted surveillance devices all around your neighborhood as well as her office," Khan and Pozen write, asking ominously whether this system could "plausibly be reconciled with a commitment to prioritizing your health?"
To Chris Hoofnagle, faculty director at Berkeley Center for Law & Technology and author of a book on the FTC, this line of thinking is precisely what differentiates Khan from other regulators and lawyers. "Most attorneys are basically snowed by business people. The business people come in and say: 'This is how the tech works.' Most lawyers can only nod along," Hoofnagle said. "Khan is a realist and has spent a lot of time studying the business models of these different companies."
Cleaning house and writing rules
The article goes so far as to liken abuse of user data to environmental pollution and calls for "clear prohibitions and economic disincentives, rather than morally laden standards" to deal with that pollution. The question now is what Khan can do about any of that as chair.
While the chair of the FTC has more power than individual commissioners, Khan still won't be able unilaterally to bring a case against individual tech companies, a decision that falls to FTC staff. But she will have the power to staff the FTC with people who share her outlook on both competition and online privacy.
"The cases the attorneys get to work on, the topics the attorneys explore, what cases make it and don't in terms of getting dropped or getting pursued, all of those decisions are made by the bureau heads," said Ashkan Soltani, former chief technologist for the FTC. "Who the chair chooses to install as the bureau chiefs will have a huge implication on the approach the agency takes moving forward."
Soltani said while the FTC has suffered from lack of funding and authority, part of its inaction in recent years has had to do with inertia among the never-changing staff. Some inside the agency, he said, refer to themselves as the "webes" as in "we be here," while individual chairs cycle in and out. One of the most significant changes Khan could make, Soltani said, is to "clean house."
"She has congressional backing on a lot of this stuff," he said, noting that she was confirmed to the commission with bipartisan support. "That essentially would permit her to say: 'I think Congress is looking for a refresh.'" He also encouraged Khan to elevate the office of chief technologist, his former role, enabling the chief technologist to consult on enforcement cases in the same way the Bureau of Economics currently does.
Another important change, Hoofnagle said, would be to develop a new basic internet privacy rule. The FTC, which has rule-making authority, already has rules regarding children's online privacy and financial privacy, which give the FTC the ability to seek damages from violators. "The FTC could pass a rule that says: If you materially mislead a consumer through third-party information sharing, it is an unfair practice, and violators of that rule would have to pay money damages," Hoffnagle said.
Former acting chair Rebecca Slaughter already signaled her interest in reinvigorating rule-making within the FTC by forming a new rule-making group earlier this year. "I believe that we can and must use our rule-making authority to deliver effective deterrence for the novel harms of the digital economy and persistent old scams alike," Slaughter said at the time.
Slaughter and Khan also have some overlap in how they see the connection between competition and privacy, two issues that the FTC has authority over, but which are often handled along different tracks. Khan and Pozen clearly considered this dynamic in their article on online ads, writing that "antitrust lawsuits reversing key acquisitions and penalizing forms of monopoly" are one possible remedy.
Khan and Pozen also wrote about imposing interoperability requirements on tech platforms, arguing that if consumers could take their data and go to a competitor, "a platform that perennially violated users' privacy would likely lose ground to more privacy-conscious rivals."
Both Soltani and Hoofnagle said the FTC would be well-served by encouraging more coordination between the Bureau of Competition and the Bureau of Consumer Protection.
Ultimately, though, one of the biggest tools Khan will have as chair is the power to use the bully pulpit to communicate these concerns both to Congress and to industry. Slaughter used her limited time as acting chair to ask Congress for additional funding and authority for the FTC and to issue a warning to tech companies that selling or using biased AI could violate the agency's prohibition on deceptive or misleading practices. As chair, Khan could issue much the same sort of guidance on deceptive data practices and send a message about how the FTC plans to pursue such cases in the future.
"There's enforcement, which is entering new cases," Soltani said, "but there's also the soft regulatory dance that's done with industry and regulators about what industry is planning and how regulators will receive those plans."
