Open APIs and the Facebook Trash Fire

The New York Times report on Facebook's ongoing data sharing relationships is quite something. The gist is that even while it claimed that its data sharing relationships had been terminated in 2015 - to users and to governments around the world - many were still active into this year. Moreover, these relationships were established in such a way as to hide the extent of the data sharing from users, possibly in contravention of GDPR and its reporting responsibilities to the FTC:

“This is just giving third parties permission to harvest data without you being informed of it or giving consent to it,” said David Vladeck, who formerly ran the F.T.C.’s consumer protection bureau. “I don’t understand how this unconsented-to data harvesting can at all be justified under the consent decree.”

The company's own press release response to the reporting attempts to sugarcoat the facts, but essentially agrees that this happened. Data was shared with third parties during the period when the company declared that this wasn't happening, and often without user permission or understanding.

Back to the NYT article to make the implications clear:

The social network allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

In September 2007, I flew out to Silicon Valley to participate in something called the Data Sharing Summit, organized by Marc Canter. At the time, I was working on Elgg, and we believed strongly in establishing open APIs so that people wouldn't be siloed into their social networks and web services. I met people there who have remained friends for the rest of my career. And all of us wanted open access to APIs so that users could move their data around, and so that startups wouldn't have as high a barrier to entry into the market.

That was an ongoing meme in the industry ten years ago: open data, open APIs. It's one that has clearly informed Facebook's design and influential decisions. I certainly bought into it. And to some extent I still do, although I'd now prefer to go several steps further and architect systems with no central point of control or data storage at all. But such systems - whether centralized or decentralized - need to center around giving control to the user. Even at the Data Sharing Summit, we quickly realized that data control was a more meaningful notion than data ownership. Who gets to say what can happen to my data? And who gets to see it?

Establishing behind-the-scenes reciprocal data sharing agreements with partners breaks the implicit trust contract that a service has with its users.

Facebook clued us in to how much power it held in 2011, when it introduced its timeline feature. I managed to give this fairly asinine quote to the New York Times back then:

“We’ve all been dropping status updates and photos into a void,” said Ben Werdmuller, the chief technology officer at Latakoo, a video service. “We knew we were sharing this much, of course, but it’s weird to realize they’ve been keeping this information and can serve it up for anyone to see.”

Mr. Werdmuller, who lives in Berkeley, Calif., said the experience of browsing through his social history on Facebook, complete with pictures of old flames, was emotionally evocative — not unlike unearthing an old yearbook or a shoebox filled with photographs and letters.

My point had actually not so much been about "old flames" as about relationships: it became clear that Facebook understood everyone you had a relationship with, not just the people you had added as a friend. Few pieces dove into the real implications of having all that data in one place, because at the time it seemed like the stuff of dystopian science fiction. Some of us were harping on about it, but it was so far outside of mainstream discourse that it sounded crazy. But here we are, in 2018, and we've manifested the panopticon.

In the same way that the timeline made the implications of posting on Facebook clear, this year's revelations represent another sea change in our collective understanding. Last time - and every time there has been this kind of perspective shift - the Overton window has shifted and we've collectively adjusted our expectations to incorporate it. I worry that by next election, we'll be fairly used to the idea of extensive private surveillance (as a declared fact rather than ideological speculation), and the practice will continue. And then the next set of perspective shifts will be genuinely horrifying.

Questions left unanswered: what information is Facebook sharing with Palantir, or the security services? To what extent are undeclared data-sharing relationships used to deport people, or to identify individuals who should be closely monitored? Is it used to identify subversives? And beyond the effects of data sharing, given what we know about the chilling effects surveillance has on democracy, what effect on democratic discourse has the omnipresence of the social media feed already had - and to what extent is this intentional?

I'm done assuming good faith; I'm done assuming incompetence; I'm done assuming ignorance. I hope you are too.

 

Image: Elevation, section and plan of Jeremy Bentham's Panopticon penitentiary, drawn by Willey Reveley, 1791, from Wikipedia