Matt Levine
TT

Facebook Negotiated Its Rules

Apparently Facebook Inc. will pay a $5 billion fine to the Federal Trade Commission for doing some bad privacy stuff, and will agree to take some steps to stop doing so much bad privacy stuff in the future. (There’ll be a committee.) The settlement is not official yet but has been pretty well previewed. I have always found this particular Facebook privacy scandal—it’s the Cambridge Analytica one—sort of puzzling, and the specific terms of the settlement aren’t really public yet, so I don’t propose to get into the substance of it.

But I do want to talk about this article by Tony Romm in the Washington Post, about the negotiations and back story around the settlement, because it is the most illuminating thing I have read about US regulation generally in a long time.

The basic story is that some people at the FTC wanted to push to get a lot more concessions out of Facebook as part of the settlement. “Those included fining Facebook not just $5 billion, but tens of billions of dollars, and imposing more direct liability for the company’s chief executive, Mark Zuckerberg.” They also included more structural changes in how Facebook deals with user data. But Facebook said no:

Facebook’s team of lawyers, overseen by Colin Stretch, then the company’s general counsel, steadfastly opposed placing Zuckerberg under order, including during meetings with commission negotiators starting last year. The tech giant’s internal briefing materials reflected its willingness to cease settlement talks and send the matter to court, if necessary, to protect their executive from one of the most severe penalties the FTC could levy on him directly. Commission staff at one point sought to include in their order a section that pointed out all the times that Zuckerberg had spoken or posted publicly about Facebook’s privacy commitments. Facebook vigorously battled against that, too.

Facebook leaders further sought to ward off any restrictions on the way they collect data in the first place, another long-sought stipulation by commission Democrats who felt the agency should seek injunctions to change companies’ behavior — not just monitor them for years to come. Privacy watchdog groups, including the Electronic Privacy Information Center, heavily emphasized the need for these “structural remedies” at Facebook for more than a year.

Part of what is going on here appears to be that some people at the FTC thought that Facebook had done some very bad violations of the law (and of a previous FTC consent decree) and that Zuckerberg was personally responsible, while some people at Facebook thought that it hadn’t 1 and he wasn’t. These are legal and factual disputes that I do not propose to evaluate, though I would say that the fact that Facebook was willing to go to court to argue its side, while the FTC wasn’t, suggests that Facebook had at least a decent argument.

But the more important thing that is going on here is that some people—at the FTC and elsewhere—thought that the FTC should mandate big structural changes in how Facebook works, “the way they collect data in the first place,” and Facebook did not. This is not a legal or factual dispute; it’s a policy dispute, and it has nothing to do with the questions of what Facebook did wrong or how responsible Zuckerberg was. Even if Facebook has an airtight case that everything it did with the Cambridge Analytica data was totally allowed under existing law and regulation and consent decrees, the FTC—and “privacy watchdogs,” and Congress, and you—might nonetheless want to require changes in how Facebook collects data.

The United States actually, as a country, has a mechanism to do that. It is called “passing a law.”

Some members of Congress, the body charged with writing legislation, could write a bill saying “social media companies can’t collect data in the following bad ways,” or whatever, and then the other members of Congress could debate it, and when they (and the president) agreed it would be passed and become law, and then there would be new restrictions on the way that Facebook collects data. And if Facebook violated them it would pay even bigger fines, or it would be shut down, or its executives would go to jail, or whatever the law said.

In this process, Facebook would probably have some input into the new rules. Mark Zuckerberg is a US citizen; he can write to his congressperson like anyone else. More realistically, Facebook has a lot of lawyers and lobbyists and campaign-contribution clout, and congresspeople will listen to what it has to say. Facebook also has a lot of relevant expertise, and a responsible lawmaker—even one who doesn’t like or trust Facebook much—would want to consider input from Facebook about how the rules should work. In theory, this is why Congress holds hearings.

But the process wouldn’t be a one-on-one negotiation. It’s not like Congress would say “we want to regulate your data collection practices” and Facebook would say “hmm no we’d rather you didn’t” and Congress would say “okay you have good lawyers we give up.” Facebook’s main leverage against the FTC—“we don’t think we did anything wrong and if you insist on restricting our data collection we will see you in court”—just wouldn’t work to stop Congress from making a law, because it is irrelevant. Congress can make a law about data privacy even if no one has broken any previous laws. In fact that’s the best reason to make a law! “There is a bad thing that is happening, and there is no law against it, so we should make a law against it”: That is a perfectly sensible line of reasoning!

Romm’s article hints at this, but in a little bit of an odd way:

The experience illustrates the challenges facing a 105-year-old agency hamstrung in the kinds of penalties it can pursue by the nation’s lack of a national consumer privacy law. While some lawmakers bemoan the FTC’s inability to punish Facebook, Congress has yet to advance legislation that would give the FTC a stronger hand as it confronts some of the most profitable corporations in the global economy. …

On Capitol Hill, Democrats and Republicans alike reacted to the Facebook deal with outrage, even though over the roughly 480 days that the FTC investigated Facebook, lawmakers had failed to pass a single privacy bill that might have empowered the FTC to be tougher on tech giants.

The idea of passing a law to ban bad stuff is not to give the FTC more power to negotiate stricter settlement conditions. The idea of passing a law to ban bad stuff is to ban the bad stuff. If Congress passed a law restricting social media companies’ data collection practices, then the FTC wouldn’t need to include those restrictions in a consent decree with Facebook, because those restrictions would be in the law. Facebook would be bound by them, not because it agreed to them, but because they would be the law. Twitter and Google and other yet-to-be-invented internet services would also be bound by them, even without agreeing to them, because they would be generally applicable national rules about internet privacy passed by the legislative body in the name of the people, rather than the product of negotiations with one company.

Instead Congress is writing strongly worded letters to the FTC, hoping that the FTC will be able to change the rules for Facebook by litigation or a negotiated consent decree. But Congress can change the rules! By itself! By just writing them! That is its literal and only job!

So why not just do that? I suppose there are the usual sad dumb 4 explanations: Washington gridlock, congressional dysfunction, inertia, hyper partisanship, a lack of technical expertise among legislators, no real agreement on what the rules should be, etc.

But I actually think there’s a deeper and stranger explanation here. 5 Facebook did some things that a lot of people are upset about, some of which (certain sorts of data sharing) probably violated the laws or its earlier consent decrees, and others of which (certain sorts of data collection) didn’t. We want to stop it from doing all those things again, and the most straightforward way to do that is to pass a law saying which things you can’t do. But Americans are biased toward thinking of bad things as being already illegal, always illegal, illegal by definition and by nature and in themselves. If the thing that Facebook did was so bad, then it must have been illegal, so there is no need for a new law against it. At most we need a settlement with Facebook clarifying exactly which things it did were illegal and specifying that it won’t do them again. People are angry at Facebook, and that anger takes essentially punitive rather than legislative forms; we want to regulate Facebook’s future conduct as punishment for its past conduct, not as part of a general law. It is hard to imagine that a company could have done a bad thing without also breaking the law—which makes it hard to write new laws to prevent future bad things.

Bloomberg