BY EMAIL 1 July 12, 2018 Professor Gary King Professor Nathaniel Persily Social Science One Dear Professor King and ...

 
CONTINUE READING
BY EMAIL 1 July 12, 2018 Professor Gary King Professor Nathaniel Persily Social Science One Dear Professor King and ...
BY EMAIL 1

July 12, 2018

Professor Gary King
Professor Nathaniel Persily
Social Science One

Dear Professor King and Professor Persily,

        We write to you, as co-chairs of Social Science One, to urge you to immediately suspend the
data analysis activities announced this week, 2 pending a thorough and independent investigation of
the privacy protections for Facebook users. For multiple reasons set out below, including the fact
that the program does not comply with the GDPR and violates Facebook’s 2011 consent order with
the Federal Trade Commission, we do not believe the project may go forward.

         While we respect the efforts to develop a new model for industry-academic partnerships,
frankly you could not have picked a more controversial data set to launch this initiative. The third-
party use of Facebook data has been the focus of substantial Congressional hearings, hearings in the
European Parliament, and an extensive inquiry in the UK.3 The recent report of the UK Information
Commissioner’s Office had this to say about the transfer of Facebook user data to research
institutions: "Based on evidence we have in our possession, we are concerned about the way in
which data was accessed from the Facebook platform and used for purposes it was not intended for
or that data subjects would not have reasonably expected."4 We recognize the opportunity provided
by new privacy-preserving techniques to permit research access to very large data sets,5 but again
you have chosen the most controversial data set to test these methods.

1
  It is notable that no contact information is provided for any individual at the Social Science One website, nor
is there any indication that a person has been designated by Social Science One to assess the privacy
ramifications of the project.
2
  Social Science One, Independent Research Commission Partnering with Facebook and 7 Nonprofit
Foundations to Study Role of Social Media in Elections and Democracy Reveals New Name and Announces
First Data Set is Available for Academic Research (July 11, 2018), https://socialscience.one/blog/social-
science-one-public-launch
3
  EPIC, In re Facebook (Cambridge Analytica), https://epic.org/privacy/facebook/cambridge-analytica/.
4
  Information Commissioner’s Office, Investigation Into the Use of Data Analytics In Political Campaigns,
(Jul. 10, 2018) at 22, https://ico.org.uk/media/action-weve-taken/2259371/investigation-into-data-analytics-
for-political-purposes-update.pdf.
5
  See National Academies of Sciences, Engineering, and Medicine; Division of Behavioral and Social
Sciences and Education; Committee on National Statistics; Panel on Improving Federal Statistics for Policy
and Social Science Research Using Multiple Data Sources and State-of-the-Art Estimation Methods; Harris-
Kojetin BA, Groves RM, editors. Federal Statistics, Multiple Data Sources, and Privacy Protection: Next
Steps. Washington (DC): National Academies Press (US); 2017 Oct 2. Available from:
https://www.ncbi.nlm.nih.gov/books/NBK475779/ doi: 10.17226/24893
Social Science One describes the Facebook data as “the largest and most comprehensive
information base ever used to study social media, and even some of the most extensive data ever
used to study human behavior in general.”6 It is therefore of the utmost importance that you abide by
all legal and ethical obligations related to the privacy rights of Facebook users.

    I.      Facebook Users Have Not Provided Meaningful Consent for the Collection and Use
            of Their Data

         EPIC fully supports academic research on the effects of social media on democracy and
elections. In fact, EPIC launched a project a year ago dedicated to safeguarding democratic
institutions from foreign interference.7 EPIC is presently engaged in several matters seeking
information about Russian interference in the 2016 U.S. presidential election.8 It is ironic and deeply
troubling, however, that this research project involves violating the privacy of Facebook users’ for
the purpose of learning how social media influences elections. It was this very type of massive data
collection by political firms such as Cambridge Analytica that raised alarms about the influence of
social media on elections in the first place. In fact, the data obtained by Cambridge Analytica was
originally collected for the purpose of academic research.

         That is why the lack of meaningful consent from users necessitates suspending this study.
Informed consent of human subjects is a basic ethical obligation for researchers, but one that
Facebook and Social Science One have ignored. Facebook users will have no say over whether their
personal data is used for this study. Facebook will not provide user with any mechanism to
affirmatively opt-in to the use of their data. Neither Facebook nor Social Science One have indicated
that Facebook users will even be provided with any information regarding the use of their data for
this study. There is no indication that Facebook users will have the ability to opt-out if they do not
wish to have their data used for research purposes. Facebook states that “[f]undamental to this entire
effort is ensuring that people’s information is secure and kept private.”9 But Facebook cannot claim
to be respecting the privacy of its users if it fails to give users any control over whether their
personal data is collected and used for this study.

    II.     The Transfer of Data Violates the FTC’s 2011 Consent Order with Facebook

6
  https://socialscience.one/our-facebook-partnership
7
  EPIC, DEMOCRACY AND CYBERSECURITY: PRESERVING DEMOCRATIC INSTITUTIONS,
https://www.epic.org/democracy/.
8
  See, EPIC v. FBI, https://www.epic.org/foia/fbi/russian-hacking/ (seeking records related to the FBI's
response to foreign cyber attacks on democratic institutions in the United States prior to the 2016 Presidential
Election); EPIC v. ODNI, https://www.epic.org/foia/odni/russian-hacking/ (seeking release of the Complete
ODNI Assessment of the Russian interference with 2016 U.S. Presidential Election).
9
  Elliot Schrage and David Ginsberg, Facebook Launches New Initiative to Help Scholars Assess Social
Media’s Impact on Elections, Facebook Newsroom (Apr. 9, 2018),
https://newsroom.fb.com/news/2018/04/new-elections-initiative/.

EPIC Letter to Social Science One                      2                        Use of Facebook User Data
July 12, 2018                                                                 for Research without Consent
The FTC’s 2011 Consent Order with Facebook is clear: Facebook must obtain affirmative
express consent before disclosing personal information to third parties.10 The Consent Order states
that Facebook shall, prior to disclosing any information to third parties beyond the restrictions
imposed by the user’s privacy settings:

        Clearly and prominently disclose to the user, separate and apart from any “privacy
        policy,” “data use policy,” “statement of rights and responsibilities” page, or other
        similar document: (1) the categories of nonpublic user information that will be
        disclosed to such third parties, (2) the identity or specific categories of such third
        parties, and (3) that such sharing exceeds the restrictions imposed by the privacy
        setting(s) in effect for the user; and obtain the user’s express consent.”11

As the FTC explained, this is a requirement that Facebook “obtain consumers’ affirmative express
consent before enacting changes that override their privacy preferences.”12 It is not enough for
Facebook to bury a notice in its privacy policy – in addition to obtaining a user’s affirmative consent
Facebook must provide users with a clear and prominent disclosure that includes the identity of the
third parties to whom the personal information will be transferred.

        By transferring personal information to third-party researchers without (1) providing clear
and prominent notice and (2) obtaining the affirmative express consent of users, Facebook will in
clear violation of the 2011 Consent Order with the FTC. The Wall Street Journal has reported that
outside researchers will have “the same access that employees would have” to user data.

      The 2011 Consent Order was the result of Facebook’s significant privacy violations, which
EPIC documented in detailed complaints to the FTC in 2009 and 2010.13 Chief among them was
Facebook’s practice of making non-public information available to third parties without users’
knowledge or consent.14 As we stated in 2009:

        Facebook’s changes to users’ privacy settings disclose personal information to the
        public that was previously restricted. Facebook’s changes to users’ privacy
        settings also disclose personal information to third parties that was previously not
        available.15

      Earlier this year, Facebook was found to have allowed the political data mining firm
Cambridge Analytica to obtain the personal information on 87 million users, prompting inquiries
from U.S. and international lawmakers. As EPIC told Congress, “Facebook’s admission that it

10
   Fed. Trade Comm’n., In re Facebook, Decision and Order, FTC File No. 092 3184 (Jul. 27, 2012),
https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120810facebookdo.pdf.
11
   Id.
12
   Fed. Trade Comm’n, Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep
Privacy Promises, Press Release (Nov. 29, 2011), https://www.ftc.gov/news-events/press-
releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep.
13
   See, In the Matter of Facebook, Inc. (EPIC, Complaint, Request for Investigation, Injunction, and Other
Relief) before the Federal Trade Commission, Washington, D.C. (filed Dec. 17, 2009),
http://www.epic.org/privacy/inrefacebook/EPIC-FacebookComplaint.pdf.
14
   Id.
15
   Id.

EPIC Letter to Social Science One                     3                       Use of Facebook User Data
July 12, 2018                                                               for Research without Consent
disclosed data to third parties without users’ consent suggests a clear violation of the 2011 Facebook
Order.”16 The U.K. Information Commissioner’s Office recently fined Facebook the maximum
allowable fine under U.K. law as the result of this data transfer, charging Facebook with “failing to
safeguard people’s information [and] failing to be transparent about how people’s data was
harvested by others and why they might be targeted by a political party or campaign.”17 The FTC has
recently announced that it is investigating Facebook.18 As the Acting Director of the Bureau of
Consumer Protection stated:

            The FTC is firmly and fully committed to using all of its tools to protect the privacy of
            consumers. Foremost among these tools is enforcement action against companies that fail
            to honor their privacy promises, including to comply with Privacy Shield, or that engage
            in unfair acts that cause substantial injury to consumers in violation of the FTC Act.
            Companies who have settled previous FTC actions must also comply with FTC order
            provisions imposing privacy and data security requirements. Accordingly, the FTC takes
            very seriously recent press reports raising substantial concerns about the privacy practices
            of Facebook. Today, the FTC is confirming that it has an open non-public investigation
            into these practices.19

Many State Attorneys General have also announced their investigations into the matter.20

        Given Facebook’s obligations under the FTC Consent Order and its continuing violations of
user privacy, it is particularly troubling that you plan to move forward with plans to collect the data
of 2.2 billion Facebook users without their consent. This proposal not only violates the FTC Consent
Order, but the privacy rights of Facebook’s 2.2 billion users.

       The Social Science One study should be suspended pending a determination by the FTC
regarding Facebook’s compliance with the 2011 Consent Order.

     III.      Facebook’s Prior Relations with Researchers Have Raised Significant Questions

        Facebook has a sordid history of privacy violations when doing research, and Social Science
One is inadequately prepared to protect the privacy of its research subjects. Social Science One
represents that “All research projects must pass the standard peer-review protocols of academic
social science, with the addition of a special ethical review designed for the unique challenges of

16
   Letter from EPIC to S. Comm on the Judiciary, (Apr. 9, 2018), https://epic.org/testimony/congress/EPIC-
SJC-Facebook-Apr2018.pdf.
17
   Information Commissioner’s Office, Investigation Into the Use of Data Analytics In Political Campaigns,
(Jul. 10, 2018), https://ico.org.uk/media/action-weve-taken/2259371/investigation-into-data-analytics-for-
political-purposes-update.pdf.
18
   Fed. Trade Comm’n., Statement by the Acting Director of FTC’s Bureau of Consumer Protection
Regarding Reported Concerns about Facebook Privacy Practices (Mar. 26, 2018), https://www.ftc.gov/news-
events/press-releases/2018/03/statement-acting-director-ftcs-bureau-consumer- protection.
19
   Id.
20
   See, EPIC, State AGs Launch Facebook Investigation, (Mar. 26, 2018), https://epic.org/2018/03/state-ags-
launch-facebook-inve.html.

EPIC Letter to Social Science One                      4                     Use of Facebook User Data
July 12, 2018                                                              for Research without Consent
analyzing the types of questions and data.”21 As you are aware, Cambridge Analytica was able to
exploit data because Facebook gave improper access to an academic researcher. Therefore, the fact
that this research will be subject to standard peer-review protocols and Facebook’s ethical review
methods—as research using Facebook data has been subject to in the past—does not sufficiently
address the privacy risks.

       Facebook’s record with researchers indicates a disregard for user privacy and consent. In
2012, Facebook conducted an experiment that secretly manipulated user emotions by seeing if
exposing users to more positive or negative content in their News Feed would affect their posting
behaviors.22 This was done by running randomized A/B testing on Facebook’s platform, and Social
Science One has stated that it is considering using data from randomized A/B tests run on
Facebook’s platform in the future.23 Social Science One has not adequately addressed the ethical
mistakes Facebook has made in the past and indicated how it will conduct its research differently.

     IV.    Voting data are extremely sensitive

        Data on an individual’s political views and voting habits are among the most sensitive types
of personal information. Social Science One plans to combine post-election surveys (from Mexico,
Brazil, Sweden, United States, and India) with Facebook data to research the effect of social media
on elections.24 Anonymity is a fundamental aspect of voting rights in the U.S. and in many other
countries. Matching data on how people voted with their detailed Facebook profiles threaten to
undermine that fundamental right.

       The public cares deeply about the confidentiality of their voting data. Last year the
Presidential Election Commission sought to wrongfully obtain voter data from all 50 states for the
alleged purpose of investigating voter fraud. There was a public outcry, and many states refused to
turn over their voter rolls to the federal government. EPIC (and several other groups) sued the
Commission because its collection of the personal data of millions of registered voters was an
unconstitutional invasion of privacy and its failure to conduct a Privacy Impact Assessment violated
the E-Government Act.25 The Commission was disbanded following the public opposition and
lawsuits.26

     V.     Violation of GDPR

        The General Data Protection Regulation (“GDPR”) applies to the processing of personal data
that monitors the behavior of individuals within the European Union. The heightened requirements
of the GDPR will apply to the research proposed by Social Science One, even if the processing
occurs in the US.

21
   https://socialscience.one/overview
22
   EPIC, In re Facebook (Psychological Study), https://www.epic.org/privacy/internet/ftc/facebook/psycho/.
23
   https://socialscience.one/future-datasets
24
   https://socialscience.one/future-datasets.
25
   EPIC v. Commission, https://epic.org/privacy/litigation/voter/epic-v-commission/.
26
  Executive Order 13820 (Jan. 3, 2018), https://epic.org/privacy/litigation/voter/epic-v-
commission/EPIC-v-Commission-termination-exec-order-010318.pdf.

EPIC Letter to Social Science One                    5                      Use of Facebook User Data
July 12, 2018                                                             for Research without Consent
In particular, Article 9 of the GDPR stipulates that “processing of personal data revealing
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, and the processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or data concerning a natural person’s sex life or
sexual orientation shall be prohibited.” The profiles of 2.2 billion Facebook users encompass
virtually all of these sensitive data categories, which require the strictest safeguards for processing
under the GDPR, even for academic research purposes.

      The scope and purposes of the research proposed by Social Science One fail to meet the
exemption for the processing of special categories of personal data on academic research grounds.

        Article 89(1) of the GDPR requires that “processing for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes, shall be subject to
appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data
subject. Those safeguards shall ensure that technical and organisational measures are in place in
particular in order to ensure respect for the principle of data minimisation. Those measures may
include pseudonymisation provided that those purposes can be fulfilled in that manner...”

        Article 9(2)(j) of the GDPR requires that the extent of processing sensitive data for the
purposes of academic research shall only be allowed if adheres to Article 89(1) and is “proportionate
to the aim pursued, respect the essence of the right to data protection and provide for suitable and
specific measures to safeguard the fundamental rights and the interests of the data subject.”

       The emphasis lies on data minimization foremost, then strict pseudonymization. Social
Science One’s access to 2.2 billion Facebook users’ data in no way demonstrates either safeguard to
meet the requirements of the GDPR. Due to the immensity and granularity of data disclosed by
Facebook, the purposes of safeguarding the fundamental rights and interests of the data subject can
no longer be achieved by pseudonymization, or “de-identification.”

        First, the sheer extent of data available to Social Science One violates a fundamental tenet of
the GDPR—data minimization (Article 5). The research groups have not taken any active steps to
implement technical and organizational measures to limit the processing of sensitive data. By
accepting access to this massive trove of sensitive personal information, the groups have also failed
to adequately assess the risks to the rights and freedoms of individuals as per GDPR Recital 75, and
violated the rights to information about processing and access to data for individuals (Articles 13 and
15). There remain significant risks for the unauthorized reversal of pseudonymization with
catastrophic effects on the privacy of individuals. This already constitutes multiple violations of the
GDPR.

        Secondly, reports that the researchers will share access to Facebook’s proprietary user data
indicate that Social Science One has no technical or organizational measures in place to
pseudonymize data to the standard required by the GDPR. Recital 29 requires “additional
information for attributing the personal data to a specific data subject [to be] kept separately.” The
groups have not implemented this, as evidenced by today’s Wall Street Journal report: “to determine
which data sets to release, a half-dozen primary researchers will have broad access to Facebook’s
proprietary user data, said Gary King, a social science professor at Harvard University and one of the
co-chairs of the research group.”

EPIC Letter to Social Science One                  6                      Use of Facebook User Data
July 12, 2018                                                           for Research without Consent
Furthermore, Article 29 Working Party’s Opinion 05/2014 on Anonymisation Techniques
established that de-identification must be “irreversible.” This is a higher bar than simply removing
personally identifiable information such as names and birthdays from perhaps the most
comprehensive dataset ever compiled. Therefore, this proposed study violates EU data protection
laws and irresponsibly imperils the privacy rights of individuals.

Conclusion

        This research initiative violates U.S. and European law. Social Science One should suspend
its research until the FTC is able to complete a full investigation. You say that you intend to conduct
this research “according to the highest standards of data privacy”27 but there is not even a designated
privacy official to help make this determination.

        The concerns that EPIC has outlined in this letter are widely shared. We urge you to consider
carefully the consequences of the misuse of personal data that may result from this undertaking.

Sincerely,

/s/ Marc Rotenberg                                 /s/ Christine Bannan
Marc Rotenberg                                     Christine Bannan
EPIC President                                     EPIC Administrative Law and Policy Fellow

/s/ Sunny Kang                                     /s/ Sam Lester
Sunny Kang                                         Sam Lester
EPIC International Consumer Counsel                EPIC Consumer Privacy Fellow

Cc:       Commissioners of the US Federal Trade Commission
          Chair of the European Union Data Protection Board

27
     https://socialscience.one/our-facebook-partnership

EPIC Letter to Social Science One                         7                Use of Facebook User Data
July 12, 2018                                                            for Research without Consent
You can also read