From every angle, social media is anathema to privacy. The very founding concept of paleolithic AOL chatrooms and Usenet newsgroups, and later Facebook, MySpace, and the earliest blogging sites was to provide a forum for people to share with each other. People shared ideas, humor, emotions, preferences, prejudices, priorities, and often misguided attempts at profundity. Newer sites simply broadened and deepened the sharing – Twitter users share commute times and coffee temperatures, Tumblers share memes galore, and Instagramites share a wealth of doctored photographs.
We learned things about the people in our world, and they about us. Thanks to social media, we now know that if our nearest coworker were a tree, she would be a willow, and the celebrity she believes that she most resembles is Angelina Jolie. We also know that Shirley’s kids are honor students and that Tom’s brother was just released from prison (early, for good behavior), that Jeffrey lives and dies with his Eagles and that Sandra is so, so, so sad at the plight of shelter animals. Importantly, we know when people are leaving town and how long they will be gone. We know if they come into money. We learn about their families and their vulnerabilities. We learn about drinking and drug use, sexual promiscuity, and even crimes like DWI or hit and run. We see pictures of their kids, their cars, their vacations, and their homes.
All of this sharing may help create communities, but it also destroys privacy. The bikini-clad body that is perfectly appropriate on the beach at St. John or Captiva may undermine the respect an employee has worked hard to earn from superiors, subordinates, and peers at the office who may view the vacation pictures on Facebook. The same may be true for pictures of a drinking party among friends. Too much published information can and will present obstacles when circumstances change and a spouse sues for divorce, or a rival is seeking an edge for a promotion at work. We all know that kids can be the cruel, and your insistence on wearing mouse ears at a Disney theme park may reach the attention of your children’s classmates, and their parents. Criminals trawl social media constantly, looking for vulnerabilities and vacations, pinpointing easy targets.
Operators of various social media outlets are well aware that their profits may increase as we expand our willingness to share personal information about ourselves, and much of the business model development for social media sites is designed to coerce, cajole, trick, taunt, or tease us into revealing more information about our lives and our thoughts and opinions. Who are your friends? What discounts interest you? You “liked” the last Vin Diesel movie, will you like the next one? What is your relationship status? Who do you write to? Who do you poke? Won’t you download the mobile app so we can see where you are when you access our site? Your friends have downloaded our app. Why won’t you? We will ask you again in two hours.
Every bit of information we disclose is another databite to be mined and measured, sorted and sold. Online transactions provide even more opportunities, because a purchase through a social media site hits the trifecta for the site owner. With a purchase, the site registers our activity, our expenditure, our degree of interest in a good or service and an entire category of goods or services (opening our wallet demonstrates significant interest), our bank, our credit card information, our shipping address, our online ID, and our passwords. In addition, the social media site may trumpet the sale to our friends attempting to induce additional transactions. And beyond this extraordinary information bounty, the social media site likely received a financial kickback from a sale made from its platform. Moreover, the data mining industry attempts to review every transaction and every posting in which we engage in order to be able to maximize the profit potential of every piece of information disclosed by that transaction or posting.
For this reason, social media is not simply a collection of online places that allow private information to escape, but social media sites are organized to draw as much participation and information out of us as possible. Like casinos built without sunlight or clocks so as to encourage your further play, the social media sites and data mining industry study online behavior and build manipulation machines designed to entice you to remain engaged and to divulge information. A search engine site may not care whether you own a particular make or model of car or that you baked cookies last night, but it cares that you told them about your car and your cookies. They make money from aggregating car owners and cookie bakers and selling information to companies who can exploit that information.
Until recently, there has been very little counterbalance to the siren’s call of revealing everything on social media or to the tricks and manipulations that the online media companies employ to make sharing easy, satisfying, and seemingly so necessary. Certainly there are authors writing jeremiads both in and out of the mainstream media who will despair about the morality of kids today, or about the solipsistic adults who believe that each workout or restaurant meal is worth recording for posterity and circulating to wide circle of “friends.” There seems to be an absence of concerted opposition to this kind of activity. Schools and workplaces do not appear to actively discourage sharing in social media, except to prevent a student from bullying another, or to caution workers not to release company trade secrets. Governmental restrictions are spotty at best, except for the intelligence services, judiciary, and some government agencies.
In short, prior to 2013, legislatures and regulators in the United States appeared to be more concerned about the data they could glean from social media than protecting privacy of the average citizen in the online world. Much of the rest of the industrialized world has a very different viewpoint about personal information than that we experience in the United States. In Europe, Canada, and other countries across the world, protection of each citizen’s private information is considered to be a human right, secured by statute and enforced by government and private causes of action. In the United States, by contrast, only certain classes of information are protected under federal law – financial transactions, health care transactions, and information regarding children under the age of 13 – while nearly all other data is considered to be fair game for any business or government agency that chooses to collect, store, and use the information.
The Federal Trade Commission (FTC) and state attorneys general have been the traditional protectors of online privacy for lightly-regulated industries like social media. But through much of the development of social media and socially-oriented Internet sites, these enforcement agencies have tended only to enforce the privacy policies that a site chose to publicize. If a social media site had claimed not to gather certain information, but it indeed gathered that information, then the FTC would assert claims upon that site. However, if the social media site had a vague privacy policy that never clearly disclosed all of the information it gathered, or if the site gathered and sold massive amounts of personal data from its users, and the site revealed its behavior in its privacy policy, then no enforcement action would be initiated because the site was not breaking any known laws. (The exception to this rule seemed to be the 2006 ruling against Choicepoint, costing the company $10 million in civil penalties for providing personal information to identity thieves.) In other words, for most personal data about people, their activities, and their transactions, it seems that a social media site would not be regulated for use or abuse of this data, only for misrepresenting what data was collected and how such data was used. Deep intrusions of privacy may be allowed, as long as the site doesn’t directly misrepresent what it is doing.
The FTC has moved beyond this position during the past three years by using its powers to enforce privacy policies on social media sites to sue transgressors, and then to force the transgressive sites into settlements that include a long-term consent order permitting the FTC to have a tighter grip on the site’s policies. For example, in November 2011, the FTC claimed that Facebook had lied to consumers by repeatedly stating that personal information would be kept private, while repeatedly allowing that personal information to be shared and made public. In settling this claim, Facebook agreed to a 20-year consent order protecting its member’s privacy in more specific ways. That agreement mandates that Facebook receive explicit consent of its users before disclosing private information. Following up on this, in September 2013, the FTC announced an inquiry into whether Facebook’s proposed new privacy policies, disclosed in August 2013, violated the 20-year consent agreement. In its proposed new policies, Facebook was planning to use its members’ names and pictures in advertising products the members had “liked” or for which they had given a favorable comment, and the new policy provided that Facebook automatically assumed that the parents of teenage Facebook users had granted permission for their children’s names to be used in advertising. The original FTC claim relating to an allegedly misleading privacy policy has thereby enabled the FTC to exercise much greater influence into Facebook’s future treatment of consumer data. The FTC also has obtained similar 20-year consent orders in place with Twitter, MySpace, and Google.