Facebook scandal could drive greater protections for consumer health data
Fueled by Facebook’s failure to safeguard the data of users of its social media platform, lawmakers in Congress are looking to protect the online privacy of Americans through wide-ranging legislation that could have significant effects on the handling of health information.
The Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act would require both Internet service providers (ISPs) and “edge service” vendors—such as Facebook—to give consumers opt-in or opt-out rights for sharing certain sensitive data, including health information, with third parties.
Introduced last year by Rep. Marsha Blackburn (R-Tenn.), chair of the House Communication and Technology Subcommittee, the BROWSER Act defines edge service as one provided over the Internet for which the provider requires the user to subscribe or establish an account in order to use the service—including social media.
According to Blackburn, Federal Communications Commission privacy and data security rules have unfairly focused on ISPs even though edge service providers such as Facebook collect just as much consumer data—if not more. However, the BROWSER Act would designate the Federal Trade Commission as the nation’s sole online privacy enforcer and effectively treat ISPs and edge providers equally.
“This bill creates a level and fair privacy playing field by bringing all entities that collect and sell the personal data of individuals under the same rules,” said Blackburn. “What this would do is have one regulator (FTC), one set of rules for the entire ecosystem.”
In November 2011, the FTC announced that Facebook and the agency had reached an agreement on a consent order relating to charges that the vendor had “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” But some members of Congress contend that the company violated that agreement.
On Wednesday, Facebook CEO Mark Zuckerberg was again in the congressional crosshairs, answering pointed questions during a House hearing on the transparency and use of consumer data related to the Cambridge Analytica scandal and Russia’s interference in the 2016 U.S. election.
“The incident involving Cambridge Analytica and the compromised personal information of approximately 87 million users, mostly Americans, is deeply disturbing to this committee,” said Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee. “There are critical, unanswered questions surrounding Facebook’s business model and the entire digital ecosystem regarding online privacy and consumer protection.”
In particular, members of the House Committee on Energy and Commerce took Zuckerberg to task in Wednesday’s hearing for Facebook’s role in allowing the data of its social media users—who include more than 2 billion people worldwide—to be exploited by third-party apps.
Rep. Kathy Castor (D-Fla.) charged that a “devil’s bargain has been struck” by consumers who use Facebook. “Americans do not like to be manipulated—they do not like to be spied on,” Castor told Zuckerberg. “Facebook now has evolved to a place where you are tracking everyone. You are collecting data on just about everybody.”
According to Castor, the social media company is collecting personal information—including health data—even outside of Facebook. “You’re tracking everyone’s online activities—their searches, you can track what people buy, correct? You’re collecting that data—what people purchase online,” she claimed. “You’re collecting medical data, correct, on people that are on the Internet—whether they’re Facebook users or not.”
CNBC reported last week that Facebook was in talks with top hospitals and other medical groups as recently as last month about a proposal to share data about the social networks of their most vulnerable patients. However, according to the report, the proposal never went past the planning phases and has been put on hold after the Cambridge Analytica data leak scandal.
“The idea that Facebook embarked on a secret mission to explore collecting patient data from hospitals to map to Facebook profile data is troubling,” said Kurt Long, founder and CEO of data protection vendor FairWarning, in a written statement. “This is an escalation of how user data is being monetized by data giants like Facebook without the knowledge of end-users and patients and without even the most essential safeguards to privacy and security.”
Wednesday's House hearing, like the Senate hearing on Tuesday, focused on a now-defunct policy that allowed app developers to access not only the data of Facebook users who use that app but also the data of their friends. Facebook says it changed that policy in 2014 so that when users sign onto a Facebook app, that app gets access to that person’s data only.
In his testimony, Zuckerberg acknowledged that “there’s more we can do here to limit the information developers can access and put more safeguards in place to prevent abuse.”
However, Congresswoman Blackburn and other lawmakers do not believe that Facebook’s self-policing is enough to ensure that consumer data—such as health information—is sufficiently protected.
“A constituent of mine who’s a benefits manager brought up a great question,” Blackburn told Zuckerberg. “She said in healthcare you’ve got HIPAA, you’ve got Gramm-Leach-Bliley, you’ve got the Fair Credit Reporting Act—these are all compliance documents for privacy for other sectors of the industry. She was stunned that there are no privacy documents that apply to you all.”
Legislation such as the BROWSER Act is the answer, according to Blackburn. “Will you commit to working with us to pass privacy legislation?” she asked Zuckerberg, who said he was not familiar with the bill. “The BROWSER Act is 13 pages, so you can easily become familiar with it. And we would appreciate your help.”
Likewise, Leonard Lance (R-N.J.) urged Zuckerberg to support the BROWSER Act. “I’m a co-sponsor,” Lance told the Facebook CEO. “I commend it to your attention—to the attention of your company. It is for the entire ecosystem. It is for ISPs and edge providers. It is not just for one or the other.”
Lance asked Facebook to review the legislation. “We will review it and get back to you,” replied Zuckerberg.
Nonetheless, Rep. Chris Collins (R-N.Y.), a member of the House Energy and Commerce Committee’s Health Subcommittee, said there is currently no need for additional legislation and federal regulations that would govern how Facebook handles consumer data.
Collins argued that Facebook is currently operating under a 2011 FTC consent order, which is enough. “That’s a real thing and it goes for 20 years,” he observed. “The consent decree does what it does. There’d be significant financial penalties were Facebook to ignore that consent decree.”
But Chairman Walden insisted that the American people are concerned about how Facebook protects and profits from its users’ data.
“People are willing to share quite a bit about their lives online based on the belief that they can easily navigate and control privacy settings and trust that their personal information is in good hands,” concluded Walden. “If a company fails to keep its promises about how personal data are being used, that breach of trust must have consequences.”
Rep. Mike Doyle (D-Penn.) added that the only way to close the trust gap between vendors such as Facebook and consumers is “through legislation that creates and empowers a sufficiently resourced expert oversight agency with rulemaking authority to protect the digital privacy and ensure that companies protect our users’ data.”