Some reflections on the Facebook data leakage

The Facebook problems over personal data leaks is yet another reminder that left to their own devices, businesses will always skimp on areas which are perceived as secondary concerns and socialise the externality costs. Regulation is therefore necessary. 

1. It is difficult to not believe that for Facebook, the biggest priority was to increase the value of its platform for users, content providers, and advertisers. Data protection, while important, cannot have ever been a proximate and direct commercial (bottom-line) concern. From all the news stories, it is clear that even certain basic minimum safeguards were not provided in the Application Programming Interface (API) that allowed third party content providers access to the platform and its data.

While such protection is important in the long-term for the firm's credibility, firms like individuals suffer from hyperbolic discounting and value the immediate much much more than something far later in time.  

In the absence of any strong enough regulation on data protection standards and its enforcement, what incentive did Facebook have to police it with intensity? Why would Facebook exercise self-restraint and err on the side of caution to disallow access to important platform features in the name of personal information safety to an external app which has the potential to bring in significant revenues? How many times over the past three years would the top 2-3 executives have personally reviewed data protection standards as they would have platform content, advertisement revenues etc? In fact, we need to go even further and investigate whether Facebook deliberately and with full-knowledge of the consequences (bypassing internal control cautions) decided to allow access to certain types of content and advertisers. I would not be surprised if there were instances. The stakes were simply too high.  

2. Some of the comments by the Facebook leadership were stunningly insensitive,

Mr Zuckerberg spoke about the power of Facebook to reconnect families, help couples meet, and marry and organise social movements and marches. Ms Sandberg described a taco maker in Houston who teamed up with a competitor during Hurricane Harvey last year and found hungry people to feed because they were sharing their location on Facebook.

We all know how much of these things happen and they need to be placed in their true perspective, given the costs associated - wholesale transfer of personal data to unknown parties and all the attendant risks (and benefits). Such comments are classic red herrings. They can detract attention from the central incentive compatibility challenge that exclusive data companies like Facebook and Google face. How much restraint should they exercise when faced with opportunities for commercial exploitation of the data they posses? Given the commercial stakes and returns-seeking investors involved, how much restraint can the company actually exercise? Worse still, wouldn't it be very natural for a profit maximising entity to err on the side of commercial returns and compromise on data protection and privacy concerns?  

3. The case for regulation of such market failures could not be stronger. As I blogged earlier, the entire sharing and e-commerce economy, including iconic firms, is built on a massive regulatory arbitrage, where such market failures are building up everyday and is waiting to implode one day as the Cambridge Analytics-Facebook episode. The European General Data Protection Regulation (GDPR) even with its compliance costs is well worth the trouble. 

If this is the state of data protection at Facebook, what about Google and Amazon? In the aftermath of the global financial crisis, bank balance sheets were repeatedly stress-tested by regulators. Why is nobody calling for an independent stress-test of the data protection and use standards of all the major tech firms whose business model relies exclusively on personal data? Apple's acceptance of the European GDPR is a step in the right direction. 

4. The callous disregard for the safety of personal data has strong similarities with the cavalier attitude with pollution from oil pipeline leakages and deaths from overhanging and unprotected electric lines in the early stages of development of both those technologies. The difference is critical - unlike the earlier oil, water, electricity, and so on, now we are dealing with people's personal, deeply personal, data. The need for safeguards and protections become even more compelling.

5. There were massive low hanging fruits from the initial flush of success from an emerging data economy, an opportunity which was amplified by light regulation and delayed appearance of egregious negative consequences (unlike say, smoke from a factory). The likes of Facebook, Google, Uber, and Amazon are reaping this first mover advantages just as Ford, GE, and Westinghouse reaped nearly a century earlier and other first movers in the technological cycles that followed. Two big differences that make the current technology cycle stand out is that unlike earlier this one has been much faster and on a much larger scale (given the global market place involved).  

6. The resultant successes may have papered over the concerns over several important business issues. Data safety is now being discussed. Would the markets have tolerated a regular firm where, like Zuckerberg, the founder is the Chairman, Chief Executive, and controlling shareholder? What is the difference between these firms and the routine family owned firms in developing countries? I guess only the good fortune of being at the rightpface and time in the evolution of the technology cycle!

What about competence at the executive levels, not just in terms of being smart but in being able to effectively manage large and rapidly growing organisations? How much of the expansion (I make the distinction with origination or establishment) of these firms have been the consequence of active management actions and decisions and how much that due to the market (and customer) momentum and a technology playing itself out? In simple terms, how much of the growth of the likes of Uber and Facebook have been due to the enterprise and superior skills of their glorified and even revered pioneering founders and how much due to post-emergence auto-pilot? 

They say adversity is the true test of a leader. And what does the duo of Mr Zuckerberg and Ms Sandberg do when faced with their first real test,

David Kirkpatrick, author of The Facebook Effect, says Mr Zuckerberg may have opened a can of worms by claiming connecting the world has always been more important to Facebook than advertising. Both he and his COO are resolute that one thing does not need to change: a business model built on targeted advertising that generated $16bn in net income last year. Ms Sandberg said keeping Facebook free is important for its 2bn users and that targeting enables 7m small companies to buy ads when they cannot afford traditional media such as television. She added that Facebook never worked to maximise profits.

Mr Kirkpatrick says: “For a leader of the most profitable company of its size in the history of capitalism, who has herself personally garnered over $1bn in stock gains based on the company’s success, to claim that the business side of the company, which she runs, has never worked to maximise its profits seems disingenuous to say the least.” Others were also quick to challenge Mr Zuckerberg’s claims. In an interview with Vox, he spoke of how Facebook had stopped false reports on its Messenger platform designed to incite violence in Myanmar. But those suggestions were strongly contradicted by civil society groups in the country, who said Facebook’s response has been “inadequate”.

Clumsy and ham-fisted responses to data leakages are not the exclusive preserves of governments governments and bureaucrats. One can imagine the way in which these rationalisations found its way into the responses by the two of them. In fact, by the standards of India's UIDAI, Facebook has been worse! And the leaders make millions for this type of responses!

Further, do not be fooled by the claims that for Facebook connecting the world has been more important that advertising revenues and it has never tried to maximise profits. In fact, that may well have been the case when as an insouciant Harvard dropout Zuckerberg was first developing this platform. Once the first revenues started trickling in, and especially after investors joined in, advertising and the data that pulls in advertising, were always going to have become the existential objective for Facebook. As it stands today, it cannot be any other reason for not only all its investors, but even Zuckerberg himself. Connecting people is certainly only an externality for this advertisement engine. And that's the way it will and should be. This is no blame on Facebook. So the response appears even more disturbing. 

Make no mistake, even though Facebook may be contrite now and apologising and informing that this will not be repeated, this will be repeated if not regulated firmly. It is a reality that businesses, of what ever kind, will skimp and market failures will develop. 

7. Finally, even if late, it is only good that people are waking up to the concerns about data. The concern with something like Aadhaar is not so much its immediate likely misuse or exclusion errors with welfare programs, but it is the powerful enabling tool that it can become in helping link up multiple data bases and the unimaginable ways in which it can possibly be used to manipulate the data and even human identity. In fiction at least, this can make Adolf Hitler look positively a boy scout!