Personal Information, Government, and the Not-So-Private Sector

March 28, 2018 | Topic: Intelligence, Privacy, Elections | Region: United States | Blog Brand: Paul Pillar

The sudden attention to the exploitation, including for political purposes, of information on millions of Facebook users in ways that ought to make those users uncomfortable—and to how Facebook does not seem to have cared about such abuses—has been tardy and myopic even though the attention is fully justified.  It took the story about Cambridge Analytica’s mining of Facebook data to get that attention, even though the probability of such unwelcome exploitation of personal information has existed since the dawn of social media. 

Almost no discussion of the current issue involving Facebook has put that issue in a broader context, which would provide perspective to similar questions of privacy and big data that have aroused controversy in the past.  Specifically, commentary and reporting on the Facebook matter have made almost no reference to what was a headline item not long ago: collection of information on Americans as a by-product of foreign intelligence collection by governmental organizations such as the National Security Agency.  This collection has involved bulk “metadata” on telephone calls that include the timing of calls and the phone numbers of participants but not the content of conversations.  A related matter has been the intercepting of conversations that, although the target is a foreigner, involve a U.S. person on the other end of the line.

Similarly, when news stories and congressional hearings focused on these NSA activities just a couple of years ago, almost none of the coverage and commentary provided the perspective that would have come from comparing these activities with commercial collection of data on Americans.  Only a few lonely voices like myself pointed out that Americans have more to fear from commercial enterprises exploiting personal information about them than from anything a government agency might do in this regard.

The government activity is subject to numerous checks and controls, whereas the commercial activity is subject to almost none.  What NSA does with either metadata or intercepted content—besides being an object of congressional oversight—takes place under extremely strict controls internal to the agency or the executive branch that limit the officials who have access to such data in addition to limiting the use that can be made of it, even inside the intelligence community.  Contrast that with the telecommunications companies; they have direct access to everything NSA could ever hope to acquire about the telephone calls of Americans, but Americans aren’t even given the faintest idea how the companies handle the data or who inside the companies has access to it.  With the burgeoning of social media, the personal data at stake goes far beyond telephone calls.

Another difference involves the very raison d’être of the organizations involved.  The intelligence agencies exist to perform a foreign intelligence mission.  They are judged to be successes or failures according to how well they perform that mission.  Tightly controlling and keeping secret the material they handle is important to accomplishing that mission.


In contrast, the commercial enterprises exist to make a profit.  Their incentives regarding handling of the data they collect run in the opposite direction from the intelligence agencies’ incentives.  Facebook’s business model centers on making personal information about its users available to advertisers and others willing to pay to exploit the data.  (Remember, if you think you are using a product for free, then you are the product.)  “There's a sort of intrinsic problem with having for-profit entities with this business model in this position of so much public trust,” observes Tim Wu, formerly with the Federal Trade Commission and now a law professor at Columbia.  “They're always at the edge because their profitability depends on it.”

The customary arguments that there is more basis for worry about government collection of data than commercial collection have always been weak.  The government is fundamentally different, we are told.  “The phone company can’t arrest you.”  Well, neither can NSA.  Government involves an element of compulsion, we are told, that does not exist in the private sector.  But if you want telephone service, you necessarily have to surrender all of the information about all of your phone conversations to the company that provides that service.

With regard to social media, there is an element of addiction, as reflected in apt comments today about how difficult it will be for many heavy users of Facebook to give it up even if they are upset about the privacy issue.  This should place social media in some of the same conversations about government regulation as tobacco or opiates.  As for commercial services requiring permission from their users before making use of their data, this is a joke, and not only because almost all users click the “accept” box without wading through the legalese in the terms of service.  As Wu points out, Facebook’s privacy settings have been in large part a sham that does not prevent the sort of exploitation of data that is now an issue.