Meta

Kevin Bankston: How Should Facebook and Other Companies Protect Privacy While Letting People Share Their Information Between Apps and Services?

By Kevin Bankston, Director of New America’s Open Technology Institute

This post is part of a series on data portability and interoperability. 

A longer version of this essay previously appeared in New America Weekly and in Techdirt.

In the wake of the recent privacy controversy over Facebook and Cambridge Analytica, internet users and policymakers are asking a lot of questions on the topic of “data portability”: Is my social network data really mine? Can I take it with me to another platform if I’m unhappy with Facebook? What does the new European privacy law, the General Data Protection Regulation (GDPR), say about exporting data? What even counts as my data as opposed to my friends’?

There’s a growing consensus that being able to easily move your data between social platforms, and perhaps even being able to communicate between different platforms, is necessary to enable new services to emerge. But that raises some difficult technical and policy questions. First, how do you balance such portability and interoperability with your and your friends’ privacy. And second, how do you guarantee that new privacy efforts don’t have the unintended consequence of locking in current platforms’ dominance by locking down their control of your data in the name of privacy?

David Cicilline, Democratic Congressman from Rhode Island, highlighted this concern at a recent forum. He argued that just as Congress gave cellphone users the right to “number portability”— lessening the switching cost of changing your cell carrier by giving you the ability to take your phone number with you—social network users should have the right to portability of their social media data. Unless we “free the social graph,” we may find ourselves locked into the current ecosystem with no chance of meaningful competitors emerging.

Let’s take Facebook, which has offered a feature called Download Your Information (DYI) since 2010. It lets users download all the content they’ve ever posted on Facebook as a browsable HTML archive. (Twitter and Google offer similar options.) However, Facebook’s download feature was originally designed as a personal archiving tool, rather than for easy porting of data to another service. Indeed, at launch, Facebook clearly stated that the downloaded data was for an individual’s use “and not for developers or other services.” That said, in response to both the Cambridge Analytica scandal and the GDPR, Facebook recently revamped the DYI tool to be more portability-friendly: it now offers downloads in the structured JSON format, making it much easier to move the data between different services.

But here comes the irony: The one thing you can’t download from Facebook is the one thing you’d most need if you wanted to move to a competing social network—your friends’ contact information or any other unique information that would help you reconnect with them on another service. Instead, all you get is a list of their names, which isn’t very helpful for re-identifying specific individuals, considering how common many names are.

Facebook has long treated its possession of your friends’ contact information as a key competitive advantage, making it difficult for users to collect or export it. For example, when users were first able to share an email address with friends on their profile page, it was displayed as a graphic rather than text so that it couldn’t be cut and pasted. Some users may also recall when Facebook, in 2012, temporarily replaced users’ non-Facebook addresses with new “@facebook.com” addresses by default, making it harder to obtain off-Facebook contact information about your friends. And although there’s a hard-to-find setting where Facebook users can allow their friends to download their contact information, it is by default set not to allow such downloading—one of the rare Facebook settings that defaults away from, rather than toward, more sharing with friends.

Facebook has consistently justified its attempts to restrict sharing contact info as a privacy and security measure, but the alignment with its own business goals was always more than a little convenient. That’s rather ironic, considering that a huge part of Facebook’s meteoric growth was driven by importing contact information from other services.

Convenient and ironic or not, Facebook’s reticence to share contact information has only been bolstered by recent events. It was, of course, users’ ability to export data about their friends to outside apps that was at the root of the Cambridge Analytica scandal that has put Facebook in the privacy hot-seat. Meanwhile, thanks to GDPR’s privacy requirements, Facebook would now probably need to get affirmative consent from your friends before letting you export their email addresses, even if they arguably didn’t have to before.

There are no easy answers when it comes to solving the privacy versus portability conundrum. But here are a few specific steps that Facebook should do now to promote portability. It’s in Facebook’s own interest to do, as it may face unwanted regulatory action if it doesn’t.

Help Set Clear Technical Standards. Easy portability of data between services will require open standards that everyone uses. Facebook’s offering downloadable data in the JSON file format is a good start, but it and other social networks should consider using the Activity Streams 2.0 open standard, a particular JSON-based format for exporting social media posts. Facebook helped develop the standard at the World Wide Web Consortium, but right now only decentralized social network tools like Mastodon use it. On top of that, Facebook and all the other major cloud and social platforms should contribute to the open source Data Transfer Project, which aims to establish a common framework for easily moving data directly between services with just a few clicks and without having to download the data yourself. Google and Microsoft are already participating; others should, too. [Ed. note: after the publication of the original version of this article, Facebook announced that it would be participating in the Data Transfer Project.]

Solve the Graph Portability Problem. Social platforms should allow you to export your friends’ contact information—or, if they can’t due to privacy restrictions, otherwise provide unique identifiers or other information sufficient to easily re-identify your friends on another platform. Your social graph is yours; we need a standardized way to move that graph around. Facebook, for example, could ask all users to give consent for their friends to export their contact information as part of Download Your Information—or at least give friends the power to ask each other for that permission. Or, Facebook could allow users to download some other unique piece of a friend’s data, like the URL of their profile or their unique Facebook user ID number. If that raises security concerns, the data could perhaps be “hashed” to obscure it while maintaining its usefulness as a unique identifier. Facebook and others could even try petitioning the European Data Protection Board for an interpretation of the GDPR that would clearly allow such sharing for competition purposes. There are a range of possible solutions; the only certainty is that Facebook needs to start testing approaches now.

Allow Competitive Apps to Use the Facebook Platform. Data portability—letting someone download their data and transfer it elsewhere—isn’t the only way that people can leverage their Facebook data on another service. There’s also interoperability—the ability to use the Facebook Platform API to run an app that can make use of your Facebook data on an ongoing basis. The problem is that Facebook’s policy for app developers has long required that in order to make full use of the API, apps “can’t replicate core Facebook features or functionality, and must not promote [their] other apps that do so.” For example, “your app is not eligible… if it contains its own in-app chat functionality or its own user generated feed” akin to Facebook’s messaging product or Facebook’s newsfeed. If Facebook wants to shed its image as a platform monopolist, it needs to remove this anti-competitive provision and allow users to easily make use of their Facebook data on interoperable competing services.

Some of these steps would be easy for Facebook to take. Others would be more challenging. But all are worthwhile, and ultimately necessary, for ensuring an internet ecosystem that continues to be open, innovative, and competitive.

Kevin Bankston is the director of New America’s Open Technology Institute. New America receives some financial support from Facebook. All grants and gifts to New America are detailed on its Our Funding page, and are subject to the intellectual independence guarantees in its Gift Guidelines.



To help personalize content, tailor and measure ads, and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookie Policy