Facebook and Regulation

Regulations like GDPR may curb some of Facebook’s worst practices but there is very real chance they cement Facebook’s social media monopoly.

Well before Facebook’s recent data privacy scandals really blew up, there was already an increasing wave of regulation aimed at tech companies and at Facebook in particular. The most significant such regulation is the European Union’s General Data Protection Regulation (GDPR), which mandates things like the right to be forgotten, privacy disclosures, and a form of data ownership (you can know exactly what a company knows about you), among other new requirements (GDPR explainer).

GDPR kicks into effect later this month and though it only technically applies to EU citizens, there is a large consensus that GDPR-style regulation will come to the US as well. As a result, many companies are planning on global GDPR compliance. Facebook has an announced that it will be GDPR-compliant everywhere for everyone. 

At face value, this seems like an unalloyed good. With its constant fuckery, Facebook has clearly demonstrated that it is not the best stewards of our information and so intervention is deserved and necessary. Would that it were so simple.

Regulations like GDPR may curb some of Facebook’s worst practices but there is very real chance they cement Facebook’s social media monopoly (or Facebook and Google’s digital advertising duopoly) and make the internet even more closed/centralized than it already is. GDPR is going to be expensive to comply with, meaning only big companies can afford the costs of compliance.

Ben Thompson writes:

digital advertising is growing secularly, because that is where the eyeballs are, and advertising always follows eyeballs. Google and Facebook are winning the majority of that growth because they offer a superior advertising product on an ROI basis, and their capacity is not limited by time or physical space. And, in a post-GDPR world, their product may be slightly inferior to their product today on an absolute basis, but even more superior to the alternatives on a relative basis.

So beyond the financial costs of compliance (hiring compliance officers, doing more legal work, paying for software to manage data, etc.), rules like GDPR impose compliance costs on operations, product development, and user experience. But Facebook won’t be the one bearing the costs of rules designed to inject interruptive privacy rules into user onboarding. Whereas Facebook already has your information and you trust it enough to keep handing more data over, startup companies will have a much harder time getting users to hand over data because they have no pre-existing brand or trust. In aggregate, this will inevitably make it harder to seed new networks, thereby creating an incumbency bias benefitting Facebook. 

Moreover, encouraging Facebook to close down or restrict developer access (as they temporarily did after the Cambridge Analytica story broke) just raises the walls of Facebook’s walled garden. If Facebook has any real value in the world, it is in its role as a platform, not the service of Facebook itself. As a platform, Facebook supports other businesses building products Facebook doesn't. But as a fully walled garden, those new products would only flourish on Facebook itself.

Take dating apps. Most dating apps are basically a thin application layer built on top of existing Facebook apps, data, and services. Tinder works so well because it has such wide reach/network effects (see: Metcalfe’s Law). It has such wide reach because the onboarding process is nearly seamless. The onboarding process is so good because Tinder has access to Facebook’s user data. Tinder takes your pictures, likes, demographic data, friends (social graph), and profile information from Facebook and Instagram for profile creation and matchmaking. Take away that access and Tinder collapses, leaving only Facebook itself with enough data and access and trust to effectively build those services.

This is not a thought experiment. Facebook just announced that they are creating a dating app. Obviously this new product has been in the works for a long time but the timing should nevertheless give us pause. As Facebook raises barriers to outside services, it directs more of users’ time/attention (read: revenue) towards itself. Policies enacted in the name of privacy may well crown Facebook Emperor for Life of Online. 

None of this to say we should do nothing or that Facebook should be left alone. To put it more strongly: we should do something, just not what we’re doing and seem poised to do. We need to encourage competition. If privacy is a valuable feature, then sufficient competition will create alternatives to Facebook that include more privacy. (Don’t believe me? Just look at the rise of subscription, ad-free TV; or how Snapchat was thriving until Facebook came to eat its lunch).

Mandating specific behavior is hard. Requirements become quickly outdated and impose large compliance costs that new entrants can’t meet, and enforcement is a constant game of regulatory whack-a-mole. Instead we should try to design systems such that the incentives align to encourage the practices we want.

What I want (aka the right way)

Data portability and an exportable social graph: Facebook is so powerful because you’re already there, it already has your data, and all your friends are there. If you leave, you lose everything and have to start over with a new service. In the past, Facebook users could import all of their connections into new social networks, substantially lowering the barriers for new networks to enjoy network effects. This was a key feature that allowed pre-acquisition Instagram and Twitter to thrive. Then Facebook cut off that access. 

GDPR claims to give users “ownership” over their data but doesn’t go far enough such as to make that ownership useful for anything. Users should be able to move all of their data (not just their friends/connections) onto any new service. If you could move everything (photos, likes, friends, etc.), companies would have to compete on product and quality. 

Standard of care: The claim that “if you’re not paying, you’re the product not the customer” is a bit simplistic but it contains some truth. Social media companies serve three masters: users, advertisers and shareholders. The interests of all three are often in conflict and there is little explicit/meaningful guidance ensuring Facebook acts in users’ best interests so the users obviously get screwed. 

This isn’t just about data privacy. Social media is deeply woven into our social fabric and so the operators have a moral responsibility to ensure that they aren’t making people lonelier, sadder, poorer, etc. That moral responsibility isn’t enough without a legal obligation as well. Social media companies should be directly liable for everything from a data breach to promoting addiction. Each represents a failure to be stewards of users’ trust. This is not without precedent. Just like lawyers, doctors, and financial advisors, Facebook should be required to endeavor to act in the best interests of their users.

Anti-trust: Facebook is able to squash competition by either buying or building (cloning) anything that challenges it. The result is that even if users abandon Facebook dot com, they will be leaving it for some other Facebook-owned property. Instagram was able to beat Snapchat, in part, because Facebook owns it. I’d like to see Instagram stand up on its own without Facebook’s ads team and without access to Facebook’s data. Moreover, Facebook’s acquisition strategy is powered by spyware that it uses to scout any emerging threat before buying it or copying it. 

The government should pursue anti-trust action against Facebook that breaks it into its constituent pieces (Facebook, Instagram, WhatsApp) or at bear minimum forces it to shut down that spyware-powered business intelligence unit.

Centralization is dangerous. Increasingly, the entire internet appears engineered for the benefit of the biggest companies and Facebook in particular. Facebook controls the users and the data. In parts of the world, it is the internet. As currently constituted, no matter who loses, Facebook wins. There are things we can and should do about this. But European-styled regulation, which comes from a place of antagonism towards US big tech rather than empathy for users, either misses the point or stop shorts of making a difference on nearly every important issue.

This is not a matter of “pro” or “anti” regulation. We just better regulation and smarter ideas, designed with purpose and implemented with care. Those ideas are out there.